
Bump citusdata/mitmproxy fork to close pyOpenSSL CVE alerts#8596

Open
ihalatci wants to merge 2 commits into main from chore/bump-mitmproxy-pyopenssl

Conversation

@ihalatci
Contributor

DESCRIPTION: Update mitmproxy fork to lift pyOpenSSL cap; re-lock to 26.2.0 (closes CVE-2026-27459, CVE-2026-27448)

Summary

Bumps the mitmproxy git ref in both Pipfiles from the pinned commit SHA 70bad9a3c098... to track citusdata/mitmproxy@main. After citusdata/mitmproxy#4 (merge of upstream mitmproxy/mitmproxy@main), our fork's main caps pyOpenSSL<=27.0.0 (was <=25.3.0), unblocking the lockfile from resolving past pyOpenSSL 25.3.0.

Re-locking both Pipfiles via pipenv lock resolves pyopenssl to 26.2.0, closing all four currently-open Dependabot security alerts:

Alert        CVE                                     Severity   Patched version
#126 / #125  CVE-2026-27459 (GHSA-5pwr-322w-8jr4)    High       >=26.0.0
#124 / #123  CVE-2026-27448 (GHSA-vp96-hxj8-p424)    Low        >=26.0.0

Pipfile changes

Single line per file, in both:

  • src/test/regress/Pipfile
  • .devcontainer/src/test/regress/Pipfile
-mitmproxy = {git = "https://github.com/citusdata/mitmproxy.git", ref = "70bad9a3c098f605e5f8b25553e5db5334018ff1"}
+mitmproxy = {git = "https://github.com/citusdata/mitmproxy.git", ref = "main"}
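Review bot: with `ref = "main"` the Pipfile itself no longer records a fixed source, so reproducibility now rests entirely on Pipfile.lock; any future `pipenv lock` (a Dependabot re-lock, a contributor refreshing the lock for an unrelated bump) will silently pull whatever the fork's main contains at that moment, with no visible Pipfile change to review. Since the lock already resolves to the merge commit of citusdata/mitmproxy#4, consider pinning `ref = "df5879516a57ea780e1cc88edaf2051e1d32915f"` in the Pipfile instead, so that moving the fork forward requires a reviewable one-line edit; if tracking main is intended, say so in the Pipfile comment and in the PR description so the next re-lock is not a surprise.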

The ref="main" form is supported by pipenv for git deps; the resolved commit SHA (df5879516a57ea780e1cc88edaf2051e1d32915f — the merge commit of mitmproxy#4) is pinned in Pipfile.lock, preserving reproducibility.

Lockfile-level changes (re-lock side-effects, no Pipfile pin changes)

Dep             Before                    After                           Reason
mitmproxy ref   70bad9a3... (==12.2.2)    df5879516a... (==13.0.0.dev0)   Fork tracking main
pyopenssl       ==25.3.0                  ==26.2.0                        Cap lifted; fixes CVEs
asgiref         ==3.11.0                  ==3.11.1                        Latest within range
certifi         ==2026.2.25               ==2026.5.20                     Latest within range
click           ==8.3.2                   ==8.4.1                         Latest within range
filelock        ==3.28.0                  ==3.29.0                        Latest within range
packaging       ==26.1                    ==26.2                          Latest within range
psycopg         ==3.3.3                   ==3.3.4                         Latest within range
pytest-asyncio  ==1.3.0                   ==1.4.0                         Latest within range
urwid           ==3.0.5                   ==4.0.0                         Allowed by mitmproxy main's relaxed cap
wcwidth         ==0.6.0                   ==0.7.0                         Latest within range

Per scope direction, no other direct deps were bumped — only the security-driven mitmproxy ref change. Other transitive movements above are natural consequences of pipenv lock --clear against unchanged version constraints.

Validation

$ cd src/test/regress
$ pipenv sync
Installing dependencies from Pipfile.lock (416d8f)...
All dependencies are now up-to-date!

$ pipenv run pip show mitmproxy pyopenssl | grep -E "^Name:|^Version:"
Name: mitmproxy
Version: 13.0.0.dev0
Name: pyOpenSSL
Version: 26.2.0

Both src/test/regress/Pipfile.lock and .devcontainer/src/test/regress/Pipfile.lock are byte-identical, per the convention established in #8488 and #8547.

Notes

Closes #123
Closes #124
Closes #125
Closes #126

Updates the mitmproxy git ref in both Pipfiles from the pinned
commit SHA (70bad9a3c098...) to track our fork's main branch.
After citusdata/mitmproxy#4 (merge of upstream main), the fork now
caps pyOpenSSL at <=27.0.0 (was <=25.3.0), unblocking lockfile
resolution past pyOpenSSL 25.3.0.

Re-locking both Pipfiles resolves pyopenssl to 26.2.0, closing
all four open Dependabot security alerts:

  #126 / #125  CVE-2026-27459 (HIGH)  patched >=26.0.0
  #124 / #123  CVE-2026-27448 (low)   patched >=26.0.0

Other deps that naturally moved up within existing constraint
ranges during re-lock (no Pipfile-level pin changes):
  asgiref         3.11.0 -> 3.11.1
  certifi      2026.2.25 -> 2026.5.20
  click            8.3.2 -> 8.4.1
  filelock        3.28.0 -> 3.29.0
  packaging         26.1 -> 26.2
  psycopg          3.3.3 -> 3.3.4
  pytest-asyncio   1.3.0 -> 1.4.0
  urwid            3.0.5 -> 4.0.0
  wcwidth          0.6.0 -> 0.7.0

The .devcontainer/src/test/regress Pipfile.lock is kept byte-
identical to src/test/regress/Pipfile.lock per the convention
established in #8488 and #8547.

DESCRIPTION: Update mitmproxy fork to lift pyOpenSSL cap; re-lock to 26.2.0 (closes CVE-2026-27459, CVE-2026-27448)

Closes #123
Closes #124
Closes #125
Closes #126

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
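The description relies on three properties that are easy to get wrong after a re-lock: the git dependency must be pinned to a real commit in Pipfile.lock even though the Pipfile now says `ref = "main"`, the vulnerable package must be at or above the patched floor the advisories give (>=26.0.0), and the two Pipfile.lock copies must stay byte-identical. The following is an added example, not code from this PR or from the Citus repository: a small Python check that reads one or two Pipfile.lock files and verifies those properties so a CI step can fail on a regression. The embedded lock contents are constructed samples (they mimic the shape of a real Pipfile.lock, not the actual file), and the function names are hypothetical.

```python
"""Post-relock sanity checks for pipenv lockfiles (added example, not Citus code).

Checks the properties the PR description depends on:
  1. the git dependency resolved to a full commit SHA in Pipfile.lock
     (the Pipfile may track a branch, but the lock must pin a commit),
  2. the patched package sits at or above the advisory's patched version,
  3. two lockfiles that are supposed to match are byte-identical.
"""
import hashlib
import json
import re
import sys

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample of the relevant part of a good Pipfile.lock (real files are much larger).
SAMPLE_LOCK = json.dumps({
    "_meta": {"hash": {"sha256": "0" * 64}},
    "default": {
        "mitmproxy": {
            "git": "https://github.com/citusdata/mitmproxy.git",
            "ref": "df5879516a57ea780e1cc88edaf2051e1d32915f",  # a full commit SHA, as the lock should hold
        },
        "pyopenssl": {"version": "==26.2.0"},
    },
    "develop": {},
}).encode()

# Constructed "bad" lock: ref left as a branch name and pyopenssl still below the patched floor.
BAD_LOCK = json.dumps({
    "_meta": {"hash": {"sha256": "1" * 64}},
    "default": {
        "mitmproxy": {"git": "https://github.com/citusdata/mitmproxy.git", "ref": "main"},
        "pyopenssl": {"version": "==25.3.0"},
    },
    "develop": {},
}).encode()


def parse_version(spec: str) -> tuple:
    """Turn '==26.2.0' (or '13.0.0.dev0') into a comparable tuple of ints; a non-numeric tail is dropped."""
    parts = []
    for piece in spec.lstrip("=~<>! ").split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _find_entry(lock: dict, name: str):
    """Pipfile.lock keeps packages under 'default' and 'develop'; return the first entry for `name`."""
    for section in ("default", "develop"):
        entry = lock.get(section, {}).get(name)
        if entry:
            return entry
    return None


def git_dep_pinned_to_commit(lock_bytes: bytes, name: str) -> bool:
    """True iff the named git dependency's lock entry pins a full 40-hex commit SHA, not a branch/tag."""
    entry = _find_entry(json.loads(lock_bytes), name)
    if not entry or "git" not in entry:
        return False
    return bool(FULL_SHA.match(entry.get("ref", "")))


def package_at_least(lock_bytes: bytes, name: str, floor: str) -> bool:
    """True iff the locked version of `name` is >= `floor` (the patched version from the advisory)."""
    entry = _find_entry(json.loads(lock_bytes), name)
    if not entry or "version" not in entry:
        return False
    return parse_version(entry["version"]) >= parse_version(floor)


def lockfiles_identical(a: bytes, b: bytes) -> bool:
    """Byte-identical check, the same property the PR asserts for the two Pipfile.lock copies."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


def check_lock(lock_bytes: bytes) -> dict:
    """Run the per-file checks; every value is a bool so a CI step can fail on any False."""
    return {
        "mitmproxy_pinned": git_dep_pinned_to_commit(lock_bytes, "mitmproxy"),
        "pyopenssl_patched": package_at_least(lock_bytes, "pyopenssl", "26.0.0"),
    }


if __name__ == "__main__":
    # Usage: python check_lock.py [Pipfile.lock [other/Pipfile.lock]]; with no args the samples are used.
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [SAMPLE_LOCK, BAD_LOCK]
    ok = True
    for blob in blobs:
        result = check_lock(blob)
        ok &= all(result.values())
        print(result)
    if len(blobs) == 2:
        same = lockfiles_identical(blobs[0], blobs[1])
        ok &= same
        print({"lockfiles_identical": same})
    sys.exit(0 if ok else 1)
```

Run it against the two real lock paths from the PR (`src/test/regress/Pipfile.lock` and `.devcontainer/src/test/regress/Pipfile.lock`) and it exits non-zero if either file lost its commit pin, dropped below the patched pyopenssl floor, or the two copies drifted apart.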
@codecov

codecov Bot commented May 28, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.75%. Comparing base (dee8ec1) to head (bd7d8ec).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8596      +/-   ##
==========================================
- Coverage   88.76%   88.75%   -0.01%     
==========================================
  Files         288      288              
  Lines       64302    64303       +1     
  Branches     8091     8092       +1     
==========================================
  Hits        57075    57075              
- Misses       4888     4889       +1     
  Partials     2339     2339              
