
fix(deps): update h2 (medium)#1143

Open
claude[bot] wants to merge 1 commit into main from claude/dependabot-sweep-h2

Conversation


@claude claude bot commented Mar 1, 2026

Summary

Dependency chain and placement rationale

h2 is a transitive dependency via grpclib, which is a production dependency in [project] dependencies. Per policy, transitive dependencies of production deps are added directly to [project] dependencies with the minimum secure version so downstream users get the fix.

Since h2 4.3.0 requires Python >= 3.9 and this project supports Python >= 3.8.1, the constraint uses a python_version >= '3.9' marker. Python < 3.9 users will remain on h2 4.1.0 as no patched version is available for older Python.

Advisories resolved

Advisory              CVE             Severity  Patched version
GHSA-847f-9342-265h   CVE-2025-57804  medium    4.3.0

Lockfiles modified

  • uv.lock

Notes

  • The fix applies only to Python >= 3.9. For Python < 3.9, h2 4.3.0 is not available (it requires Python >= 3.9), so the vulnerable version (4.1.0) remains in the lockfile for that Python range. This is a limitation of the upstream package.

Resolves #1142

Add h2>=4.3.0 (with python_version >= '3.9' marker) to project
dependencies to fix GHSA-847f-9342-265h (HTTP Request Smuggling
due to illegal characters in headers).

h2 is a transitive dependency via grpclib (production dep). Since
h2 4.3.0 requires Python>=3.9, the constraint is applied with a
version marker. Python <3.9 users remain on h2 4.1.0 as the
patched version does not support older Python.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@claude claude bot requested a review from a team as a code owner March 1, 2026 02:24
@claude claude bot requested review from lia-viam and njooma March 1, 2026 02:24

@claude claude bot left a comment


Code Review: fix(deps): update h2 >= 4.3.0 to resolve CVE-2025-57804

This is a dependency-only change (no source code modified). Review findings below.

Checklist

  • src/viam/gen/ not modified
  • Only pyproject.toml and uv.lock changed
  • No logic, API surface, or test changes — appropriate for a pure security patch

Correctness

Marker semantics: python_version >= '3.9' uses PEP 508's MAJOR.MINOR comparison. Python 3.8.1 evaluates to python_version == '3.8', correctly excluded. Python 3.9.0+ evaluates as >= '3.9', correctly included. The marker is semantically sound.

Lockfile consistency: The uv.lock correctly splits grpclib's h2 dependency into two version-gated entries, brings in updated hpack 4.1.0 and hyperframe 6.1.0 for Python >= 3.9, and registers h2 4.3.0 as a direct dependency of viam-sdk with the matching marker. No orphaned or conflicting entries.

Python < 3.9 gap: Acknowledged in PR description — h2 4.3.0 requires Python >= 3.9, so Python 3.8 users remain on h2 4.1.0. Python 3.8 is EOL (October 2024), making this an acceptable residual risk.

Minor observation (no action required)

The new marker (python_version >= '3.9') uses spaces around the operator, while the existing dev-dependency markers use no spaces (python_version>='3.9'). Both are valid PEP 508 and ruff does not normalize environment markers, so this is cosmetic only.

Verdict

The change is minimal, technically correct, and appropriately scoped. No fixes needed.
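The marker semantics discussed in the review above and the constraint described in the PR summary, as an added illustration that is not part of the PR or the project's code: the check below evaluates the h2>=4.3.0 requirement with its python_version >= '3.9' marker against a given interpreter and installed h2 version using only the standard library. The interpreter and h2 version strings passed in, and the status names returned, are constructed for this example.

```python
from __future__ import annotations

import re

PATCHED_H2 = (4, 3, 0)   # first h2 release fixing CVE-2025-57804, per the PR
MARKER_MIN_PY = (3, 9)   # the PR's marker: python_version >= '3.9'


def parse_version(text: str) -> tuple[int, ...]:
    """Parse a plain dotted release version: "3.8.1" -> (3, 8, 1).

    Pre-release or local suffixes are rejected rather than guessed at.
    """
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def python_version_marker(full_python_version: str) -> str:
    """PEP 508's python_version is MAJOR.MINOR only, so "3.8.1" becomes "3.8"."""
    major, minor, *_ = parse_version(full_python_version)
    return f"{major}.{minor}"


def marker_applies(full_python_version: str) -> bool:
    """Evaluate python_version >= '3.9' with version ordering, not string ordering.

    Plain string comparison ranks "3.10" below "3.9" and would skip the fix on
    Python 3.10+, so the comparison is done on integer tuples.
    """
    return parse_version(python_version_marker(full_python_version)) >= MARKER_MIN_PY


def h2_is_patched(h2_version: str) -> bool:
    """True when the installed h2 satisfies the h2>=4.3.0 specifier."""
    return parse_version(h2_version) >= PATCHED_H2


def environment_status(full_python_version: str, installed_h2: str) -> str:
    """Classify an environment with respect to this PR's constraint.

    "no-fix-available": marker inactive (Python < 3.9); h2 4.3.0 cannot install.
    "vulnerable":       marker active but an older h2 is still installed.
    "patched":          marker active and h2 >= 4.3.0 is installed.
    """
    if not marker_applies(full_python_version):
        return "no-fix-available"
    return "patched" if h2_is_patched(installed_h2) else "vulnerable"
```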
