From dd4736b37292d282d5358abdadd1e2741b50ca5a Mon Sep 17 00:00:00 2001
From: reubenmiller
Date: Tue, 21 Apr 2026 22:51:43 +0200
Subject: [PATCH 1/3] ci: add explicit permissions to workflow jobs

Add explicit permissions blocks to lint, approve, and passed jobs to restrict the scope of the GITHUB_TOKEN following the principle of least privilege.

Fixes code scanning alerts #2, #3, #4 (actions/missing-workflow-permissions)
---
 .github/workflows/test.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 208cd25..ae266b1 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -14,6 +14,8 @@ on:
 jobs:
 lint:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v6
 - uses: actions/setup-python@v6
@@ -40,6 +42,7 @@ jobs:
 # So the environment should be set to have a reviewer/s inspect it before approving it
 name: ${{ github.event_name == 'pull_request_target' && 'Test Pull Request' || 'Test Auto' }}
 runs-on: ubuntu-latest
+ permissions: {}
 steps:
 - name: Wait for approval
 run: echo "Approved"
@@ -109,6 +112,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: test
 if: always()
+ permissions: {}
 steps:
 - name: Fail on workflow error
 run: exit 1

From 7583c62b78942c7e78221b1aa72e3dff4e504397 Mon Sep 17 00:00:00 2001
From: reubenmiller
Date: Tue, 21 Apr 2026 22:51:57 +0200
Subject: [PATCH 2/3] build: bump cryptography to >= 46.0.6 to fix CVEs

Update cryptography minimum version from 44.0.2 to 46.0.6 to address two security vulnerabilities:
- CVE-2026-26007 (high): Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves (fixed in 46.0.5)
- CVE-2026-34073 (low): Incomplete DNS name constraint enforcement on peer names (fixed in 46.0.6)

Fixes Dependabot alerts #2 and #3
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index 56ec844..5816c4e 100644
--- a/pyproject.toml
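Review bot: The job-level blocks added in all three hunks (lint, approve, passed) still leave any job without its own `permissions:` — including the `test` job, which is not in this diff — on the repository's default token, and the `pull_request_target` trigger visible in the second hunk's `name:` expression means that default token is, unless the repository or organisation default has been restricted, a write-capable token for the base repository. A workflow-level default next to `on:`, such as `permissions: {}` or `permissions:` / `  contents: read`, would make least privilege the baseline so that jobs added later inherit it and each job block only widens what that job actually needs. I cannot see whether `test` already declares its own permissions, so this may already be covered there. As a smaller point on the context lines of the first hunk, `actions/checkout@v6` and `actions/setup-python@v6` are pinned by major tag; pinning to a full commit SHA with the tag in a trailing comment is the usual hardening for a workflow that runs on `pull_request_target`, though that is outside what this commit changes.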
+++ b/pyproject.toml
@@ -26,7 +26,7 @@ dependencies = [
 "dotmap >= 1.3.30, < 1.4.0",
 "boto3 >= 1.35.7, < 1.36.0",
 "botocore >= 1.35.7, < 1.36.0",
- "cryptography >= 44.0.2, < 45.0.0",
+ "cryptography >= 46.0.6, < 47.0.0",
 "randomname >= 0.1.5, < 0.2.0",
 "tenacity >= 8.1.0, < 8.2.0",
 "AWSIoTPythonSDK >= 1.5.4, < 2.0.0",

From 9e48ce8c93b9d9381b4cf1e0afdfecb6350f1cf2 Mon Sep 17 00:00:00 2001
From: reubenmiller
Date: Tue, 21 Apr 2026 23:17:46 +0200
Subject: [PATCH 3/3] fix: remove unnecessary blank line in mqtt_logger.py

---
 AWS/mqtt_logger.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/AWS/mqtt_logger.py b/AWS/mqtt_logger.py
index 3b624f0..5c0dea9 100644
--- a/AWS/mqtt_logger.py
+++ b/AWS/mqtt_logger.py
@@ -13,7 +13,6 @@ from .date import to_date, RelativeTime - # Configure logging logger = logging.getLogger("AWSIoTPythonSDK.core") logger.setLevel(logging.DEBUG)