CtrlK

🔍Dependency Scanning

This document outlines the security scanning process for ProxmoxMCP dependencies.

Current Security Status

✅ All dependencies updated as of commit b9fb0da:

setuptools 80.9.0 (≥78.1.1 required for CVE-2025-47273)
requests 2.32.4 (≥2.32.4 required for CVE-2024-47081)
h11 0.16.0 (≥0.16.0 required for CVE-2025-43859)

Manual Scanning Commands

Using uv with pip-audit

# Install pip-audit if not available
uv add --dev pip-audit

# Scan current dependencies
uv run pip-audit

# Scan with detailed output
uv run pip-audit --format=json --output=security-report.json

Using safety (alternative)

# Install safety scanner
uv add --dev safety

# Export dependencies and scan
uv export --format=requirements-txt | uv run safety check --stdin

Monitoring and Prevention

Regular Security Reviews

Run dependency scans before each release
Monitor security advisories for core dependencies
Update vulnerable dependencies immediately for critical issues

Automated Prevention (Future Enhancement)

Consider implementing:

GitHub Dependabot for automated dependency updates
Pre-commit hooks for security scanning
CI/CD integration with security scanning tools

Response Process for Vulnerabilities

Assess Impact: Determine if vulnerability affects ProxmoxMCP functionality
Update Dependencies: Use uv add "package>=secure_version"
Test Functionality: Run full test suite and quality checks
Commit Changes: Follow security commit message format
Document Resolution: Update this file with resolution details

Contact and Escalation

For critical security vulnerabilities, follow responsible disclosure practices and escalate to project maintainers immediately.

PreviousSecurity Fix Verification NextRepository Review

Last updated 1 month ago

Was this helpful?