From Wave 5 security audit, finding F-O-07. Severity: medium.
Gap
No `.github/dependabot.yml` and no automated CVE scanning step in any workflow.
Risk
The SDK depends on `httpx>=0.27,<1`, `pydantic>=2.0,<3`, `cryptography>=43,<45`, `websockets>=14,<17`. `cryptography` in particular has had repeated CVEs. Without dependabot or `pip-audit` in CI, a CVE in any of these dependencies can sit inside the SDK's accepted version range indefinitely, with nothing to prompt a release.
Also: `cryptography<45` excludes v45+; the upper bound is conservative but stale.
Fix
- `.github/dependabot.yml` with weekly Python and GitHub-Actions ecosystems:
```yaml
version: 2
updates:
  - package-ecosystem: pip
    directory: "/"
    schedule:
      interval: weekly
  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: weekly
```
- Add a CVE-scanning step to `ci.yml` — either `uv run pip-audit` or `safety check`. Both are fast and only produce noise when there is a real finding.
- Re-evaluate `cryptography<45` — v45 is current; the conservative cap should justify itself or move.
These are routine hygiene additions; no breaking changes.
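One way to wire the CVE scan into CI, as an added example and not the SDK's own `ci.yml`: a separate `audit` job that installs the project with `uv` and runs `pip-audit` against the resolved environment. The job name, the action versions, the cron schedule and the use of `uv sync` are assumptions about the project layout. The scheduled trigger matters for the risk described above: a weekly run fails the workflow when a new advisory lands even if no one has pushed a commit, which is exactly the "indefinitely" case the finding calls out.

```yaml
# Added example: CVE-scanning job for .github/workflows/ci.yml.
# Job name, action versions, schedule and uv usage are assumptions,
# not configuration taken from the SDK repository.
name: ci

on:
  push:
  pull_request:
  schedule:
    # Weekly run: catches advisories published against already-pinned
    # dependencies even when the repository is otherwise idle.
    - cron: "0 6 * * 1"

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # astral-sh/setup-uv installs uv; dependabot's github-actions
      # ecosystem (see the dependabot.yml above) keeps this pin current.
      - uses: astral-sh/setup-uv@v5

      - name: Install the SDK and its locked dependencies
        run: uv sync

      - name: Audit resolved dependencies for known CVEs
        # --with pip-audit adds the tool to the project environment so it
        # audits exactly what `uv sync` installed. pip-audit exits non-zero
        # on any finding, which fails the job; --strict also fails the job
        # if an advisory lookup errors out instead of silently passing.
        run: uv run --with pip-audit pip-audit --strict --desc
```

If a specific advisory has been triaged as not applicable, `pip-audit --ignore-vuln <ID>` suppresses that one entry while keeping the step enforcing everything else; put the justification next to the flag in the workflow so the exception is reviewable.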