Skip to content

Python dependency: Bump paramiko from 3.5.1 to 5.0.0#9927

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/pip/paramiko-5.0.0
Open

Python dependency: Bump paramiko from 3.5.1 to 5.0.0#9927
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/pip/paramiko-5.0.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 11, 2026

Copy link
Copy Markdown
Contributor

Bumps paramiko from 3.5.1 to 5.0.0.

Commits
  • 710cc5c What's a few weeks between friends?
  • ea93c59 Fix up Ed25519Key so it has non-erroring repr() during fatal errors
  • 5b90ef9 ruff/isort
  • f3864b6 Changelog fixes
  • acd4bc1 Replace hardcoded PEM format in PKey.write* with new parameter
  • 6fa1556 Bump group-exchange kex min_bits to 2048
  • eb87ad3 Fix some tests that were incorrectly passing
  • 1ecc933 Remove GSSAPI support :(
  • 9bf5fca Remove SHA1-based (non-GSS) kex methods
  • b8f75c7 Lintin' ain't easy
  • Additional commits viewable in compare view

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Bumps [paramiko](https://github.com/paramiko/paramiko) from 3.5.1 to 5.0.0.
- [Commits](paramiko/paramiko@3.5.1...5.0.0)

---
updated-dependencies:
- dependency-name: paramiko
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the Dependencies Pull requests that update a dependency file label May 11, 2026
asheshv added a commit that referenced this pull request May 20, 2026
…#9954)

Python:
- requirements.txt: google-auth-oauthlib 1.3.1 -> 1.4.0
  (#9929 / #9931), gated so Python 3.9 stays on 1.3.1 (1.4.0
  requires python_version >= 3.10). Mirrors the existing
  boto3 1.42.*/1.43.* split.
- tools/requirements.txt: requests >=2.33.1 -> >=2.34.2 on
  python_version > '3.9' (#9943 / #9944).
- web/regression/requirements.txt: selenium 4.43.0 -> 4.44.0
  (#9946). The selenium pin already requires Python >=3.10 in
  master, so the bump introduces no new 3.9 gap.

JavaScript (web/package.json, web/yarn.lock):
- postcss 8.5.12 -> 8.5.14 (#9874 / #9889)
- @tanstack/react-query 5.100.5 -> 5.100.9 (#9878)
- ip-address 10.1.0 -> 10.1.1 (#9918)
- packageManager pin yarn@4.14.0 -> yarn@4.15.0 and regenerate
  yarn.lock at lockfile __metadata.version 10. CI runs yarn
  4.15.0 with hardened mode on public PRs and refuses to migrate
  the lockfile from version 9 (yarn 4.14.x) to 10; master passes
  today only because hardened mode is PR-only.

Electron runtime (runtime/package.json, runtime/yarn.lock):
- axios 1.16.0 -> 1.16.1 (#9948)
- eslint 10.3.0 -> 10.4.0 (#9947)

Skipped (genuine breaking changes, deferred to follow-up PRs):
- @mui/material 7 -> 9 (#9843)
- @mui/x-date-pickers 8 -> 9 (#9888)
- cryptography 47.0.* -> 48.0.* (#9926 / #9932)
- paramiko 3.5.1 -> 5.0.0 (#9927 / #9930)
- electron 41.5.0 -> 42.1.0 (#9945)

Verified in an isolated worktree:

  - jest:        140/0/0 suites, 824/0/0 tests
  - eslint:      clean (web + runtime, both silent)
  - pycodestyle: 0 violations project-wide

Each version was cross-checked against the corresponding
dependabot PR diff via `gh pr diff`. Each Python bump was
cross-checked against PyPI's requires_python so Python 3.9
support stays intact.
@asheshv

asheshv commented May 20, 2026

Copy link
Copy Markdown
Contributor

Audited on 2026-05-20 and intentionally deferred for now (re-evaluate ~Q4 2026). Leaving this PR open as a tracking item.

Why deferred — short version

paramiko 5 is not blocked by the GSSAPI removal that initial review flagged. pgAdmin's SSH tunnel only offers password + identity-file auth (web/pgadmin/utils/driver/psycopg3/server_manager.py:590-608); GSSAPI is not exposed as an SSH-tunnel auth method. The gssapi==1.11.* dependency in requirements.txt is for pgAdmin's own web-login Kerberos authentication (web/pgadmin/authenticate/webserver.py), which is an entirely separate code path.

The real concern is legacy SSH bastion compatibility. paramiko 5 removed:

  • SHA1-based KEX methods (diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1)
  • SHA1-RSA signature verification (the ssh-rsa algorithm identifier)
  • DH group-exchange-sha256 minimum modulus raised 1024 → 2048

Users tunneling through SSH daemons older than OpenSSH 7.2 (2016) — or 8.2 (2020) for the modern RSA-SHA2 signatures — would break. Modern Linux distros and cloud bastion services are unaffected, but enterprise users with legacy Cisco/Juniper/older RHEL bastion hosts could see SSH tunnels stop working.

The DSA-key removal in paramiko 4 and the Python 3.8 drop are non-issues — pgAdmin requires Python 3.9+ and DSA was deprecated upstream a decade ago.

When to apply

When applied eventually, the release notes must state the SHA2 requirement explicitly and point legacy-server users at either upgrading the bastion or staying on a prior pgAdmin release.

asheshv added a commit that referenced this pull request Jun 8, 2026
)

Combined fix for 8 packages flagged by GitHub Dependabot (collapsing
6 of them from open dependabot bump PRs and 4 from transitive
vulnerabilities with no existing PR). All eight are transitive — no
direct dep changes — so we override via `resolutions` in web/package.json
and let yarn collapse duplicate-version entries during install.

Resolved (pre → post via resolution):

  Runtime:
    ws                    8.20.0    -> 8.21.0    (patched 8.20.1)

  Dev:
    @xmldom/xmldom        0.7.13    -> 0.8.13    (patched 0.8.13)
    serialize-javascript  6.0.2,
                          7.0.5     -> 7.0.5     (patched 7.0.5)
    ip-address            10.1.0,
                          10.2.0    -> 10.2.0    (patched 10.1.1)
    postcss               8.5.8,
                          8.5.15    -> 8.5.15    (patched 8.5.10)
    qs                    6.15.0    -> 6.15.2    (patched 6.15.2)
    @tootallnate/once     2.0.0     -> 2.0.1     (patched 2.0.1)
    tar (7.x lineage)     7.5.13    -> 7.5.16    (patched 7.5.11)

The tar 6.2.1 lineage (consumed via ^6.1.2/^6.1.11) is unaffected by
these CVEs (alert ranges are 7.x-only), so the resolution is scoped
`tar@npm:^7.5.4` to leave it on 6.2.1.

Supersedes open dependabot PRs #9956 (ws), #9962 (tar), #9966
(@tootallnate/once), and #9974 (qs) — one CI cycle instead of four.

Verification:
- yarn install — clean (only pre-existing peer-dep warnings about
  @mui/system, aspen-core, eve, etc.; no new ones)
- yarn run test:js-once — 824 / 824 pass across 140 test suites
- yarn run bundle:dev — webpack compiled successfully
- All 8 packages confirmed at safe versions via lockfile audit;
  duplicate entries collapsed (yarn.lock net -64 lines)

Out of scope (cannot fix here):
- paramiko (#276 #278): no patched version exists; bump-to-5.0.0
  PRs #9927/#9930 audited 2026-05-20 and deferred to Q4 2026 over
  SSH bastion compat risk
- elliptic (#176): no patched version, dev-only, low severity
- flatted (#224): alert is stale; lockfile already at 3.4.2 (patched);
  will auto-dismiss on next dependabot rescan

* chore(deps): bump Python deps to latest 3.9-compatible

Picks up five Python dependency bumps that are 3.9-safe (still resolve
under Python 3.9 per PyPI requires_python). Four supersede open
dependabot PRs:

- certifi              2026.4.22  -> 2026.5.20
    (no gate; CA bundle refresh; supersedes dependabot #9977 / #9979)

- typer                0.25.*     -> 0.26.*
    (py > 3.9 row only; supersedes dependabot #9995 / #9999)

- testscenarios        0.6.1      -> 0.6.2
    (py > 3.9 row only; supersedes dependabot #9980)

- urllib3              2.6.*      -> 2.7.*  (py > 3.9 row only)
    Picks up two HIGH-severity security fixes in urllib3 2.7.0
    (2026-05-07): GHSA-mf9v-mfxr-j63j (decompression-bomb safeguards
    bypassed under drain_conn / Brotli stream patterns) and
    GHSA-qccp-gfcp-xxvc (ProxyManager.connection_from_url did not
    strip sensitive headers on cross-host redirects). 2.7.0 requires
    Python >=3.10, which the existing 'python_version > 3.9' gate
    already enforces.

- Flask-Security-Too   5.4.*      -> 5.6.* (py <= 3.9 row only)
    Closes a roughly 2-year gap between the 3.9 row (last pin from
    March 2024) and the py > 3.9 row (already on 5.8.*). 5.5/5.6
    only touched flows pgAdmin doesn't use (register V2, MFA / WebAuthn
    templates, username recovery/changing, secret_key rotation) and
    config pgAdmin overrides (default hash bcrypt->argon2 sidestepped
    by SECURITY_PASSWORD_HASH = 'pbkdf2_sha512'). The contract changes
    that mattered (LoginForm.validate -> is_active, UserMixin.is_locked
    hook, single-kwarg find_user) are all already exercised in
    production via the existing FST 5.8.* / Python 3.10+ deployments.
dpage added a commit to dpage/pgadmin4 that referenced this pull request Jun 9, 2026
Resolves open Dependabot security advisories for transitive npm
dependencies that have no direct manifest entry (so Dependabot cannot
auto-open fix PRs for them).

tar (6 x HIGH): an old tar@6.2.1 was pulled in via
ttf2woff2@4.0.5 -> node-gyp@9.4.1 (and node-gyp's
make-fetch-happen@10 -> cacache@16 chain). ttf2woff2 6+ switched to an
ESM/default export that breaks @vusion/webfonts-generator's callable
usage, so rather than bump ttf2woff2 we override its node-gyp to
^11.2.0 via a scoped resolution. That modernises the whole sub-tree
(node-gyp 11, make-fetch-happen 14/15, cacache 19/20) onto tar@7.5.16
while keeping ttf2woff2 at 4.0.5 so webfont generation still works.

flatted (1 x HIGH): bumped 3.4.1 -> 3.4.2 in the Electron runtime
(GHSA-rf6f-7fwh-wjgh).

Verified: yarn install builds ttf2woff2's native addon with node-gyp@11,
the webpack build regenerates the icon webfonts successfully, and
test:js-once passes 829/829.

paramiko (covered by pgadmin-org#9927) and elliptic (no fix available upstream) are
intentionally left untouched.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant