
chore(sdk,mcp): pin direct dependencies to exact versions#10593

Merged
HugoPBrito merged 14 commits intomasterfrom
PROWLER-1271-pin-sdk-pyproject
Apr 9, 2026

Conversation

@HugoPBrito (Member) commented Apr 7, 2026

Context

Part of PROWLER-1271. This updates the SDK and MCP Server packaging metadata so all direct dependencies that were still expressed as ranges are pinned to exact versions.

Description

  • Pin the remaining direct SDK dependencies in pyproject.toml (defusedxml, google-auth-httplib2, pydantic, python-dateutil)
  • Pin httpx in mcp_server/pyproject.toml
  • Refresh poetry.lock and uv.lock so lock file hashes match the pinned dependencies
  • Add an SDK changelog entry for the packaging change
  • Document in the developer guide that reproducible SDK installs should come from poetry.lock

Steps to review

  1. Review pyproject.toml and confirm these direct SDK dependencies are now exact pins:
    • defusedxml
    • google-auth-httplib2
    • pydantic
    • python-dateutil
  2. Review mcp_server/pyproject.toml and confirm httpx is now an exact pin
  3. Review poetry.lock and mcp_server/uv.lock diffs
  4. Review the SDK changelog entry and the documentation note in docs/developer-guide/introduction.mdx
  5. Run poetry check and cd mcp_server && uv lock --check

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

SDK/CLI

  • Are there new checks included in this PR? No

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

- Pin previously ranged direct SDK dependencies to exact versions
- Refresh poetry.lock and document reproducible installs
- Add SDK changelog entry for dependency hardening
@HugoPBrito HugoPBrito requested review from a team as code owners April 7, 2026 10:29
@mintlify bot (Contributor) commented Apr 7, 2026

Preview deployment for your docs.

Project: prowler | Status: 🟢 Ready | Updated (UTC): Apr 7, 2026, 10:31 AM

@github-actions bot (Contributor) commented Apr 7, 2026

✅ All necessary CHANGELOG.md files have been updated.

@github-actions bot (Contributor) commented Apr 7, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@github-actions bot (Contributor) commented Apr 7, 2026

🔒 Container Security Scan

Image: prowler:ae1697b
Last scan: 2026-04-09 12:20:42 UTC

📊 Vulnerability Summary

Severity | Count
🔴 Critical | 4
Total | 4

4 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable

Pin httpx>=0.28.0 to httpx==0.28.1 in mcp_server/pyproject.toml
and refresh lock files accordingly.
@HugoPBrito HugoPBrito requested a review from a team as a code owner April 7, 2026 11:22
@HugoPBrito HugoPBrito changed the title chore(sdk): pin direct SDK dependencies chore(sdk,mcp): pin direct dependencies to exact versions Apr 7, 2026
@github-actions bot (Contributor) commented Apr 7, 2026

🔒 Container Security Scan

Image: prowler-mcp:ae1697b
Last scan: 2026-04-09 12:12:35 UTC

📊 Vulnerability Summary

Severity | Count
🔴 Critical | 1
Total | 1

1 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable

@github-actions bot (Contributor) commented Apr 7, 2026

🔒 Container Security Scan

Image: prowler-api:d258bb2
Last scan: 2026-04-09 08:36:12 UTC

📊 Vulnerability Summary

Severity | Count
🔴 Critical | 5
Total | 5

4 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable

@codecov bot commented Apr 7, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.15%. Comparing base (bc38104) to head (c1ea8c7).
⚠️ Report is 25 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #10593      +/-   ##
==========================================
- Coverage   85.71%   84.15%   -1.56%     
==========================================
  Files          15     1675    +1660     
  Lines         504    53665   +53161     
==========================================
+ Hits          432    45162   +44730     
- Misses         72     8503    +8431     
Flag Coverage Δ
prowler-py3.10-aws 90.56% <ø> (?)
prowler-py3.10-azure 89.70% <ø> (?)
prowler-py3.10-config 84.14% <ø> (?)
prowler-py3.10-gcp 90.04% <ø> (?)
prowler-py3.10-github 89.29% <ø> (?)
prowler-py3.10-googleworkspace 87.12% <ø> (+1.41%) ⬆️
prowler-py3.10-iac 88.84% <ø> (?)
prowler-py3.10-kubernetes 89.68% <ø> (?)
prowler-py3.10-lib 84.16% <ø> (?)
prowler-py3.10-m365 89.09% <ø> (?)
prowler-py3.10-mongodbatlas 88.74% <ø> (?)
prowler-py3.10-nhn 89.23% <ø> (?)
prowler-py3.10-openstack 87.14% <ø> (?)
prowler-py3.10-oraclecloud 86.88% <ø> (?)
prowler-py3.10-vercel 86.85% <ø> (?)
prowler-py3.11-aws 90.56% <ø> (?)
prowler-py3.11-azure 89.70% <ø> (?)
prowler-py3.11-config 84.15% <ø> (?)
prowler-py3.11-gcp 90.04% <ø> (?)
prowler-py3.11-github 89.29% <ø> (?)
prowler-py3.11-googleworkspace 87.14% <ø> (+1.42%) ⬆️
prowler-py3.11-iac 88.85% <ø> (?)
prowler-py3.11-kubernetes 89.68% <ø> (?)
prowler-py3.11-lib 84.17% <ø> (?)
prowler-py3.11-m365 89.11% <ø> (?)
prowler-py3.11-mongodbatlas 88.76% <ø> (?)
prowler-py3.11-nhn 89.23% <ø> (?)
prowler-py3.11-openstack 87.15% <ø> (?)
prowler-py3.11-oraclecloud 86.89% <ø> (?)
prowler-py3.11-vercel 86.86% <ø> (?)
prowler-py3.12-aws 90.56% <ø> (?)
prowler-py3.12-azure 89.70% <ø> (?)
prowler-py3.12-config 84.14% <ø> (?)
prowler-py3.12-gcp 90.04% <ø> (?)
prowler-py3.12-github 89.29% <ø> (?)
prowler-py3.12-googleworkspace 87.12% <ø> (+1.41%) ⬆️
prowler-py3.12-iac 88.84% <ø> (?)
prowler-py3.12-kubernetes 89.68% <ø> (?)
prowler-py3.12-lib 84.16% <ø> (?)
prowler-py3.12-m365 89.09% <ø> (?)
prowler-py3.12-mongodbatlas 88.74% <ø> (?)
prowler-py3.12-nhn 89.23% <ø> (?)
prowler-py3.12-openstack 87.14% <ø> (?)
prowler-py3.12-oraclecloud 86.88% <ø> (?)
prowler-py3.12-vercel 86.85% <ø> (?)

Flags with carried forward coverage won't be shown.

Components Coverage Δ
prowler 84.15% <ø> (-1.56%) ⬇️
api ∅ <ø> (∅)

@puchy22 (Member) previously approved these changes Apr 8, 2026 and left a comment:

LGTM 👍

- Resolve merge conflicts in poetry.lock and prowler/CHANGELOG.md
- Preserve the changelog entries from both branches
- Keep api/poetry.lock and mcp_server/uv.lock from forcing changelog updates
- Preserve the existing changelog requirement for real user-facing changes
@HugoPBrito HugoPBrito requested a review from a team as a code owner April 9, 2026 08:24
@github-actions github-actions bot added the github_actions Pull requests that update GitHub Actions code label Apr 9, 2026
@github-actions github-actions bot removed the github_actions Pull requests that update GitHub Actions code label Apr 9, 2026
@HugoPBrito HugoPBrito added the no-changelog Skip including change in changelog/release notes label Apr 9, 2026
@HugoPBrito HugoPBrito removed the request for review from a team April 9, 2026 08:26
@puchy22 previously approved these changes Apr 9, 2026
@HugoPBrito HugoPBrito dismissed stale reviews from danibarranqueroo and puchy22 via c1ea8c7 April 9, 2026 12:11
@HugoPBrito HugoPBrito removed the request for review from a team April 9, 2026 12:11
@HugoPBrito HugoPBrito removed the no-changelog Skip including change in changelog/release notes label Apr 9, 2026
@HugoPBrito HugoPBrito merged commit cccb3a4 into master Apr 9, 2026
39 of 40 checks passed
@HugoPBrito HugoPBrito deleted the PROWLER-1271-pin-sdk-pyproject branch April 9, 2026 13:43

4 participants