Skip to content

Add dependabot feature#134

Open
vwinland wants to merge 304 commits into
IBM:mainfrom
vwinland:add-dependabot-feature
Open

Add dependabot feature#134
vwinland wants to merge 304 commits into
IBM:mainfrom
vwinland:add-dependabot-feature

Conversation

@vwinland

Copy link
Copy Markdown
Member

Add Comprehensive Security Automation Framework

Summary

This PR implements a complete security automation framework for the ibmdotcom-tutorials repository, providing automated dependency management, security scanning, and efficient PR review workflows optimized for educational content.

Important: What's Included in This PR

For full transparency, this PR contains two components:

1. Security Framework (Core Implementation)

  • 5 automated security workflows
  • Dependabot configuration for 11 dependency locations
  • Auto-approval workflow
  • Security documentation and policies

2. Dependency Updates (~300 commits)

  • 200+ dependency updates merged in my fork while testing the framework
  • Addresses known CVEs and security vulnerabilities
  • Demonstrates the framework working in production
  • Current status: 38 vulnerabilities remain (1 critical, 7 high, 21 moderate, 9 low) that will be addressed by ongoing automation

What This Adds

1. Automated Security Workflows (5 workflows)

Dependabot Auto-Approve (.github/workflows/dependabot-auto-approve.yml)

  • Automatically approves patch and minor dependency updates
  • Reduces review burden by ~80%
  • Flags major updates for manual review
  • Adds version labels to PRs

Dependency Review (.github/workflows/dependency-review.yml)

  • Blocks PRs with moderate+ severity vulnerabilities
  • Automatically reviews license compatibility
  • Runs on every PR to main

CodeQL Security Analysis (.github/workflows/codeql-analysis.yml)

  • Static code analysis for Python and JavaScript
  • Detects SQL injection, XSS, and other vulnerabilities
  • Runs on push, PR, and weekly schedule

Python Security Scan (.github/workflows/python-security.yml)

  • Multi-tool scanning (pip-audit, Safety, Bandit)
  • Tests across Python 3.10-3.13
  • Generates detailed security reports
  • Configured with continue-on-error for educational content

Secret Scanning (.github/workflows/secret-scan.yml)

  • Prevents accidental credential commits
  • Uses detect-secrets with baseline
  • Runs on every push and PR

2. Dependabot Configuration

File: .github/dependabot.yml

Monitors dependencies across:

  • 9 Python locations (requirements.txt and pyproject.toml files)
  • 1 JavaScript location (silly_story_time npm dependencies)
  • 1 GitHub Actions location (workflow dependencies)

Features:

  • Weekly update schedule (Mondays)
  • Automatic PR creation
  • Grouped npm updates
  • Labeled PRs for easy filtering

3. Security Documentation

SECURITY.md

  • Vulnerability reporting process
  • Security best practices for tutorial users
  • Common security issues and solutions
  • Security checklist for contributors

Enhanced Implementation Guide (tutorials/security-implementation-guide-enhanced.md)

  • Complete framework overview
  • Setup instructions
  • Review checklists
  • Troubleshooting guide
  • Success metrics

4. Updated Contributing Guidelines

CONTRIBUTING.md

  • Added comprehensive security section
  • Dependency management best practices
  • Code review guidelines
  • Security checklist for contributors

5. Secret Scanning Baseline

.secrets.baseline

  • Baseline for detect-secrets
  • Prevents false positives
  • Allows intentional examples in tutorials

🔄 How It Works with Two-Reviewer Requirement

The repository requires 2 approving reviews. Here's how the framework handles this:

For Patch/Minor Updates (80% of PRs)

  1. Dependabot creates PR
  2. Auto-approval workflow provides 1st review ✅
  3. You provide 2nd review (quick check) ✅
  4. Merge after tests pass

For Major Updates (20% of PRs)

  1. Dependabot creates PR with warning
  2. No auto-approval (requires manual review)
  3. You provide 1st review ✅
  4. Another team member provides 2nd review ✅
  5. Merge after thorough testing

Security Considerations

What This Protects Against

✅ Vulnerable dependencies (automatic detection and updates)
✅ Hardcoded secrets (prevented from being committed)
✅ Code vulnerabilities (SQL injection, XSS, etc.)
✅ Outdated dependencies (weekly checks)
✅ License compliance issues (automatic review)

What Still Requires Human Review

⚠️ Major updates (breaking changes)
⚠️ Security alerts (prioritization and remediation)
⚠️ Workflow failures (investigation)
⚠️ Policy updates (as needed)

Industry Alignment

This approach follows best practices from:

  • ✅ OpenSSF (Open Source Security Foundation)
  • ✅ OWASP Secure SDLC
  • ✅ NIST Cybersecurity Framework

📚 Documentation Provided

✅ Testing Performed

  • ✅ All workflow YAML files validated
  • ✅ Dependabot configuration validated
  • ✅ Secret scanning baseline tested
  • ✅ Documentation accuracy verified
  • ✅ Setup instructions validated against actual workflows

Files Changed

New Files

  • .github/dependabot.yml - Dependabot configuration
  • .github/workflows/dependabot-auto-approve.yml - Auto-approval workflow
  • .github/workflows/dependency-review.yml - Dependency review workflow
  • .github/workflows/codeql-analysis.yml - CodeQL security analysis
  • .github/workflows/python-security.yml - Python security scanning
  • .github/workflows/secret-scan.yml - Secret scanning workflow
  • SECURITY.md - Security policy
  • .secrets.baseline - Secret scanning baseline

Modified Files

  • CONTRIBUTING.md - Added security guidelines section

dependabot Bot and others added 30 commits May 5, 2026 21:22
Bumps [uv](https://github.com/astral-sh/uv) from 0.5.4 to 0.11.6.
- [Release notes](https://github.com/astral-sh/uv/releases)
- [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md)
- [Commits](astral-sh/uv@0.5.4...0.11.6)

---
updated-dependencies:
- dependency-name: uv
  dependency-version: 0.11.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
…-agent-systems/my_retail_advisor/langchain-text-splitters-1.1.2

Bump langchain-text-splitters from 0.3.2 to 1.1.2 in /tutorials/03-multi-agent-systems/my_retail_advisor
…s/16-ibm-bob/mcp-server-integration-ibm-bob/arxiv-server/modelcontextprotocol/sdk-1.26.0

Bump @modelcontextprotocol/sdk from 1.25.3 to 1.26.0 in /tutorials/16-ibm-bob/mcp-server-integration-ibm-bob/arxiv-server
Bumps [ip-address](https://github.com/beaugunderson/ip-address) and [express-rate-limit](https://github.com/express-rate-limit/express-rate-limit). These dependencies needed to be updated together.

Updates `ip-address` from 10.1.0 to 10.2.0
- [Commits](https://github.com/beaugunderson/ip-address/commits)

Updates `express-rate-limit` from 8.5.0 to 8.5.1
- [Release notes](https://github.com/express-rate-limit/express-rate-limit/releases)
- [Commits](express-rate-limit/express-rate-limit@v8.5.0...v8.5.1)

---
updated-dependencies:
- dependency-name: ip-address
  dependency-version: 10.2.0
  dependency-type: indirect
- dependency-name: express-rate-limit
  dependency-version: 8.5.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [mako](https://github.com/sqlalchemy/mako) from 1.3.6 to 1.3.12.
- [Release notes](https://github.com/sqlalchemy/mako/releases)
- [Changelog](https://github.com/sqlalchemy/mako/blob/main/CHANGES)
- [Commits](https://github.com/sqlalchemy/mako/commits)

---
updated-dependencies:
- dependency-name: mako
  dependency-version: 1.3.12
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [python-multipart](https://github.com/Kludex/python-multipart) from 0.0.20 to 0.0.27.
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md)
- [Commits](Kludex/python-multipart@0.0.20...0.0.27)

---
updated-dependencies:
- dependency-name: python-multipart
  dependency-version: 0.0.27
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
…-agent-systems/my_retail_advisor/python-dotenv-1.2.2

Bump python-dotenv from 1.0.1 to 1.2.2 in /tutorials/03-multi-agent-systems/my_retail_advisor
…-agent-systems/my_retail_advisor/litellm-1.83.7

Bump litellm from 1.52.12 to 1.83.7 in /tutorials/03-multi-agent-systems/my_retail_advisor
…s/13-full-stack-applications/silly_story_time/yaml-1.10.3

Bump yaml from 1.10.2 to 1.10.3 in /tutorials/13-full-stack-applications/silly_story_time
…-agent-systems/acp_tutorial/beeai_agent_server/python-multipart-0.0.27

Bump python-multipart from 0.0.20 to 0.0.27 in /tutorials/03-multi-agent-systems/acp_tutorial/beeai_agent_server
…-agent-systems/my_retail_advisor/uv-0.11.6

Bump uv from 0.5.4 to 0.11.6 in /tutorials/03-multi-agent-systems/my_retail_advisor
…s/16-ibm-bob/mcp-server-integration-ibm-bob/arxiv-server/multi-7bdfbe8666

Bump ip-address and express-rate-limit in /tutorials/16-ibm-bob/mcp-server-integration-ibm-bob/arxiv-server
Bumps [pyjwt](https://github.com/jpadilla/pyjwt) from 2.10.0 to 2.12.0.
- [Release notes](https://github.com/jpadilla/pyjwt/releases)
- [Changelog](https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst)
- [Commits](jpadilla/pyjwt@2.10.0...2.12.0)

---
updated-dependencies:
- dependency-name: pyjwt
  dependency-version: 2.12.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [orjson](https://github.com/ijl/orjson) from 3.10.11 to 3.11.6.
- [Release notes](https://github.com/ijl/orjson/releases)
- [Changelog](https://github.com/ijl/orjson/blob/master/CHANGELOG.md)
- [Commits](ijl/orjson@3.10.11...3.11.6)

---
updated-dependencies:
- dependency-name: orjson
  dependency-version: 3.11.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [pyasn1](https://github.com/pyasn1/pyasn1) from 0.6.1 to 0.6.3.
- [Release notes](https://github.com/pyasn1/pyasn1/releases)
- [Changelog](https://github.com/pyasn1/pyasn1/blob/main/CHANGES.rst)
- [Commits](pyasn1/pyasn1@v0.6.1...v0.6.3)

---
updated-dependencies:
- dependency-name: pyasn1
  dependency-version: 0.6.3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [cryptography](https://github.com/pyca/cryptography) from 43.0.3 to 46.0.7.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@43.0.3...46.0.7)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 46.0.7
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [requests](https://github.com/psf/requests) from 2.32.3 to 2.33.0.
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.32.3...v2.33.0)

---
updated-dependencies:
- dependency-name: requests
  dependency-version: 2.33.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [pygments](https://github.com/pygments/pygments) from 2.18.0 to 2.20.0.
- [Release notes](https://github.com/pygments/pygments/releases)
- [Changelog](https://github.com/pygments/pygments/blob/master/CHANGES)
- [Commits](pygments/pygments@2.18.0...2.20.0)

---
updated-dependencies:
- dependency-name: pygments
  dependency-version: 2.20.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
…-agent-systems/multiagent-collab-cs-call-center-analysis/mako-1.3.12

Bump mako from 1.3.6 to 1.3.12 in /tutorials/03-multi-agent-systems/multiagent-collab-cs-call-center-analysis
…-agent-systems/my_retail_advisor/pyjwt-2.12.0

Bump pyjwt from 2.10.0 to 2.12.0 in /tutorials/03-multi-agent-systems/my_retail_advisor
…-agent-systems/my_retail_advisor/orjson-3.11.6

Bump orjson from 3.10.11 to 3.11.6 in /tutorials/03-multi-agent-systems/my_retail_advisor
…-agent-systems/my_retail_advisor/pyasn1-0.6.3

Bump pyasn1 from 0.6.1 to 0.6.3 in /tutorials/03-multi-agent-systems/my_retail_advisor
…-agent-systems/my_retail_advisor/cryptography-46.0.7

Bump cryptography from 43.0.3 to 46.0.7 in /tutorials/03-multi-agent-systems/my_retail_advisor
…-agent-systems/my_retail_advisor/requests-2.33.0

Bump requests from 2.32.3 to 2.33.0 in /tutorials/03-multi-agent-systems/my_retail_advisor
Bumps [protobuf](https://github.com/protocolbuffers/protobuf) from 5.28.3 to 5.29.6.
- [Release notes](https://github.com/protocolbuffers/protobuf/releases)
- [Commits](https://github.com/protocolbuffers/protobuf/commits)

---
updated-dependencies:
- dependency-name: protobuf
  dependency-version: 5.29.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
…-agent-systems/my_retail_advisor/pygments-2.20.0

Bump pygments from 2.18.0 to 2.20.0 in /tutorials/03-multi-agent-systems/my_retail_advisor
…-agent-systems/my_retail_advisor/protobuf-5.29.6

Bump protobuf from 5.28.3 to 5.29.6 in /tutorials/03-multi-agent-systems/my_retail_advisor
Bumps [python-dotenv](https://github.com/theskumar/python-dotenv) from 1.0.1 to 1.2.2.
- [Release notes](https://github.com/theskumar/python-dotenv/releases)
- [Changelog](https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md)
- [Commits](theskumar/python-dotenv@v1.0.1...v1.2.2)

---
updated-dependencies:
- dependency-name: python-dotenv
  dependency-version: 1.2.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [langchain-openai](https://github.com/langchain-ai/langchain) from 0.2.9 to 1.1.14.
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain-openai==0.2.9...langchain-openai==1.1.14)

---
updated-dependencies:
- dependency-name: langchain-openai
  dependency-version: 1.1.14
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [filelock](https://github.com/tox-dev/py-filelock) from 3.16.1 to 3.20.3.
- [Release notes](https://github.com/tox-dev/py-filelock/releases)
- [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst)
- [Commits](tox-dev/filelock@3.16.1...3.20.3)

---
updated-dependencies:
- dependency-name: filelock
  dependency-version: 3.20.3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot and others added 29 commits June 16, 2026 22:44
Bumps [python-multipart](https://github.com/Kludex/python-multipart) from 0.0.27 to 0.0.31.
- [Release notes](https://github.com/Kludex/python-multipart/releases)
- [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md)
- [Commits](Kludex/python-multipart@0.0.27...0.0.31)

---
updated-dependencies:
- dependency-name: python-multipart
  dependency-version: 0.0.31
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [hono](https://github.com/honojs/hono) from 4.12.23 to 4.12.25.
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.12.23...v4.12.25)

---
updated-dependencies:
- dependency-name: hono
  dependency-version: 4.12.25
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [langchain](https://github.com/langchain-ai/langchain) from 1.2.17 to 1.3.9.
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](langchain-ai/langchain@langchain==1.2.17...langchain==1.3.9)

---
updated-dependencies:
- dependency-name: langchain
  dependency-version: 1.3.9
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [form-data](https://github.com/form-data/form-data) from 4.0.5 to 4.0.6.
- [Release notes](https://github.com/form-data/form-data/releases)
- [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md)
- [Commits](form-data/form-data@v4.0.5...v4.0.6)

---
updated-dependencies:
- dependency-name: form-data
  dependency-version: 4.0.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [pypdf](https://github.com/py-pdf/pypdf) from 6.12.0 to 6.13.3.
- [Release notes](https://github.com/py-pdf/pypdf/releases)
- [Changelog](https://github.com/py-pdf/pypdf/blob/main/CHANGELOG.md)
- [Commits](py-pdf/pypdf@6.12.0...6.13.3)

---
updated-dependencies:
- dependency-name: pypdf
  dependency-version: 6.13.3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
…i-agent-systems/my_retail_advisor/pypdf-6.13.3

chore(deps): bump pypdf from 6.12.0 to 6.13.3 in /tutorials/03-multi-agent-systems/my_retail_advisor
…ls/16-ibm-bob/mcp-server-integration-ibm-bob/arxiv-server/form-data-4.0.6

chore(deps): bump form-data from 4.0.5 to 4.0.6 in /tutorials/16-ibm-bob/mcp-server-integration-ibm-bob/arxiv-server
…i-agent-systems/my_retail_advisor/langchain-1.3.9

chore(deps): bump langchain from 1.2.17 to 1.3.9 in /tutorials/03-multi-agent-systems/my_retail_advisor
…ls/16-ibm-bob/mcp-server-integration-ibm-bob/arxiv-server/hono-4.12.25

chore(deps): bump hono from 4.12.23 to 4.12.25 in /tutorials/16-ibm-bob/mcp-server-integration-ibm-bob/arxiv-server
…i-agent-systems/acp_tutorial/crewai_agent_server/python-multipart-0.0.31

chore(deps): bump python-multipart from 0.0.27 to 0.0.31 in /tutorials/03-multi-agent-systems/acp_tutorial/crewai_agent_server
…i-agent-systems/multiagent-collab-cs-call-center-analysis/pyjwt-2.13.0

chore(deps): bump pyjwt from 2.12.0 to 2.13.0 in /tutorials/03-multi-agent-systems/multiagent-collab-cs-call-center-analysis
…i-agent-systems/acp_tutorial/crewai_agent_server/pyjwt-2.13.0

chore(deps): bump pyjwt from 2.12.0 to 2.13.0 in /tutorials/03-multi-agent-systems/acp_tutorial/crewai_agent_server
Bumps [starlette](https://github.com/Kludex/starlette) from 1.0.1 to 1.3.1.
- [Release notes](https://github.com/Kludex/starlette/releases)
- [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md)
- [Commits](Kludex/starlette@1.0.1...1.3.1)

---
updated-dependencies:
- dependency-name: starlette
  dependency-version: 1.3.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
…i-agent-systems/my_retail_advisor/pyjwt-2.13.0

chore(deps): bump pyjwt from 2.12.0 to 2.13.0 in /tutorials/03-multi-agent-systems/my_retail_advisor
…i-agent-systems/my_retail_advisor/starlette-1.3.1

chore(deps): bump starlette from 1.0.1 to 1.3.1 in /tutorials/03-multi-agent-systems/my_retail_advisor
Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.7 to 48.0.1.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@46.0.7...48.0.1)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 48.0.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
---
updated-dependencies:
- dependency-name: aiohttp
  dependency-version: 3.14.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from 0.8.2 to 0.8.18.
- [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases)
- [Commits](langchain-ai/langsmith-sdk@v0.8.2...v0.8.18)

---
updated-dependencies:
- dependency-name: langsmith
  dependency-version: 0.8.18
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from 0.8.1 to 0.8.18.
- [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases)
- [Commits](langchain-ai/langsmith-sdk@v0.8.1...v0.8.18)

---
updated-dependencies:
- dependency-name: langsmith
  dependency-version: 0.8.18
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the npm-dependencies group in /tutorials/13-full-stack-applications/silly_story_time with 1 update: [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint).


Updates `typescript-eslint` from 8.61.0 to 8.61.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.61.1/packages/typescript-eslint)

---
updated-dependencies:
- dependency-name: typescript-eslint
  dependency-version: 8.61.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
…ls/13-full-stack-applications/silly_story_time/npm-dependencies-fa15ee3bad

chore(deps-dev): bump typescript-eslint from 8.61.0 to 8.61.1 in /tutorials/13-full-stack-applications/silly_story_time in the npm-dependencies group
…ns/checkout-7

chore(deps): bump actions/checkout from 6 to 7
…i-agent-systems/my_retail_advisor/langsmith-0.8.18

chore(deps): bump langsmith from 0.8.1 to 0.8.18 in /tutorials/03-multi-agent-systems/my_retail_advisor
…i-agent-systems/multiagent-collab-cs-call-center-analysis/langsmith-0.8.18

chore(deps): bump langsmith from 0.8.2 to 0.8.18 in /tutorials/03-multi-agent-systems/multiagent-collab-cs-call-center-analysis
…i-agent-systems/my_retail_advisor/aiohttp-3.14.1

chore(deps): bump aiohttp from 3.14.0 to 3.14.1 in /tutorials/03-multi-agent-systems/my_retail_advisor
…i-agent-systems/my_retail_advisor/cryptography-48.0.1

chore(deps): bump cryptography from 46.0.7 to 48.0.1 in /tutorials/03-multi-agent-systems/my_retail_advisor
The dependabot-bob-files directory contains personal reference materials
and manager guides that are not part of the core security implementation.
These files will be kept locally for reference but not included in the PR.
@vwinland vwinland requested a review from thinkscientist June 22, 2026 19:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant