
v0.16.5: Security fixes #370

Merged: rogermt merged 5 commits into main from v0.16.5 on Mar 24, 2026

Conversation

@rogermt
Owner

@rogermt rogermt commented Mar 24, 2026

Summary

  • Fix flatted vulnerability (GHSA-25h7-pfq9-p65f)
  • Upgrade black to 26.3.1 (Dependabot)
  • Upgrade pyasn1 to 0.6.3 (DoS vulnerability fix)
  • Prevent JobList stuck in loading state
  • Update frontend-state-flow.md documentation

Commits

  • 42c76df fix: Update flatted to fix high severity vulnerability
  • 461a359 fix: Upgrade black to 26.3.1 to fix Dependabot security alerts
  • 37f9b09 fix: Upgrade pyasn1 to 0.6.3 to fix DoS vulnerability

TEST CHANGE JUSTIFICATION

'N/A'

Summary by CodeRabbit

Release Notes

  • Bug Fixes

    • Addressed a Denial of Service vulnerability in a core runtime dependency.
  • Chores

    • Updated development dependency constraints.

@coderabbitai
Contributor

coderabbitai Bot commented Mar 24, 2026

Walkthrough

Adds a runtime dependency pyasn1>=0.6.3 and updates pinned black tooling to version 26.3.1; several tests and image validation literals change hex-escape casing, and a few SQL/string formatting and whitespace-only edits were made.

Changes

Cohort / File(s) | Summary

  • Dependency files (server/pyproject.toml, .pre-commit-config.yaml, requirements-lint.txt): Added pyasn1>=0.6.3 to server/pyproject.toml and updated black pin from 24.1.1 to 26.3.1 across project tooling config files.
  • Image validation & tests (server/app/api_routes/routes/image_submit.py, server/tests/api/routes/test_image_submit.py, server/tests/api/test_tool_validation.py, server/tests/image/test_image_submit_mocked.py): Normalized JPEG magic-byte literals from b"\xFF\xD8\xFF" to b"\xff\xd8\xff" in validator and test fixtures (no logic change).
  • SQL / formatting changes (server/app/migrations/versions/010_create_job_tools_table.py, server/app/observability/device_tracking.py, server/tests/observability/test_metrics_schema.py): Reformatted multi-line SQL/triple-quoted strings into more compact forms; SQL content and behaviour unchanged.
  • Scripts / whitespace (scripts/run_local_plugin_tests.py, scripts/scan_api_contracts.py): Minor whitespace and blank-line normalisations in docstring and imports; no functional change.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Description check (⚠️ Warning). Explanation: The PR description is incomplete. It lists summary items but lacks the required 'TEST CHANGE JUSTIFICATION' section with proper explanation, and omits details about frontend documentation and JobList loading state changes. Resolution: Expand the description to justify all test changes (or confirm N/A with full context), and provide detailed explanations for frontend-state-flow.md and JobList fixes mentioned in the summary.

✅ Passed checks (2 passed)

  • Title check (✅ Passed). Explanation: The title mentions 'Security fixes' which aligns with the PR's main focus of addressing vulnerabilities (flatted, black, pyasn1), but lacks specificity about the primary changes.
  • Docstring Coverage (✅ Passed). Explanation: Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.


@rogermt rogermt added bug Something isn't working chore Maintenance and setup tasks labels Mar 24, 2026
Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@server/pyproject.toml`:
- Line 43: Update the Black version everywhere so tooling is consistent: replace
any occurrences of "black==24.1.1" and "rev: 24.1.1" with Black 26.3.1 and
ensure the line that currently reads "black>=26.3.1" is normalized to the exact
pinned version "black==26.3.1" (so pre-commit, lint requirements, and pyproject
use the same version); search for those exact strings to locate the entries to
change and commit the synchronized version.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 033b1d43-bd63-494a-aead-910c93b3873a

📥 Commits

Reviewing files that changed from the base of the PR and between f4fd38b and 37f9b09.

⛔ Files ignored due to path filters (2)
  • server/uv.lock is excluded by !**/*.lock
  • web-ui/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • server/pyproject.toml

Comment thread server/pyproject.toml Outdated
"pytest-asyncio>=0.20.0",
"moto>=5.1.21",
"black==24.1.1",
"black>=26.3.1",
Contributor


⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify Black version consistency across config files.
rg -n 'black|rev:' server/pyproject.toml .pre-commit-config.yaml -C2

Repository: rogermt/forgesyte

Length of output: 1271


🏁 Script executed:

rg -i 'black' --type-list | head -5

Repository: rogermt/forgesyte

Length of output: 450


🏁 Script executed:

fd -type f \( -name "requirements*.txt" -o -name "setup.py" -o -name "setup.cfg" -o -name "poetry.lock" \)

Repository: rogermt/forgesyte

Length of output: 231


🏁 Script executed:

rg -n 'black' --type py | head -20

Repository: rogermt/forgesyte

Length of output: 1292


🏁 Script executed:

fd -name "requirements*.txt" -o -name "setup.py" -o -name "setup.cfg" -o -name "pyproject.toml"

Repository: rogermt/forgesyte

Length of output: 291


🏁 Script executed:

rg -n 'black.*=' --type yaml --type toml

Repository: rogermt/forgesyte

Length of output: 106


🏁 Script executed:

find . -name "requirements*.txt" -o -name "setup.py" -o -name "setup.cfg"

Repository: rogermt/forgesyte

Length of output: 84


🏁 Script executed:

cat -n .pre-commit-config.yaml | head -20

Repository: rogermt/forgesyte

Length of output: 731


🏁 Script executed:

cat requirements-lint.txt

Repository: rogermt/forgesyte

Length of output: 197


Align Black version across all tooling to prevent formatter drift.

Black versions are currently inconsistent:

  • requirements-lint.txt: black==24.1.1
  • .pre-commit-config.yaml: rev: 24.1.1
  • server/pyproject.toml (line 43): black>=26.3.1

Developers running uv sync locally will use Black 26.3.1 or later, but pre-commit hooks run 24.1.1, causing formatter conflicts and CI churn.

Update all three files to use Black 26.3.1:

Changes required
--- a/requirements-lint.txt
+++ b/requirements-lint.txt
@@ -1 +1 @@
-black==24.1.1
+black==26.3.1
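Review bot: the `@@ -1 +1 @@` header cannot be taken literally here; the earlier `cat requirements-lint.txt` run returned 197 bytes of output, so the file holds more than this single line, and the edit should be applied by locating the `black==24.1.1` entry rather than by line number. Keeping the `==` pin is the right call, since this file is what the lint job installs and it must match exactly what pre-commit runs.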

--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1 +1 @@
-    rev: 24.1.1
+    rev: 26.3.1
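Review bot: the hunk shows only the indented `rev:` key, not the `repo:` entry above it, so before committing confirm that the repository this rev belongs to is the Black hook repository and that it actually carries a `26.3.1` tag; running `pre-commit run black --all-files` once after the change both verifies the tag resolves and surfaces any reformatting the newer Black applies, which is the "CI churn" the comment above warns about. As in the previous hunk, `@@ -1 +1 @@` is a placeholder header, since an indented `rev:` cannot be line 1 of a YAML file that starts with `repos:`.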

--- a/server/pyproject.toml
+++ b/server/pyproject.toml
@@ -1 +1 @@
-    "black>=26.3.1",
+    "black==26.3.1",
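Review bot: tightening `>=26.3.1` to `==26.3.1` changes the resolved dependency set, and `server/uv.lock` was excluded from this review by the `!**/*.lock` path filter, so the reviewer cannot see whether the lock agrees with the new pin; regenerate it with `uv lock` and commit it together with this edit, otherwise a CI job that installs with `uv sync --locked` will refuse the stale lock file. The follow-up commits listed later in this thread do pin `black==26.3.1` in `server/pyproject.toml`, but the thread does not show the lock being refreshed.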
📝 Committable suggestion


Suggested change
"black>=26.3.1",
"black==26.3.1",
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@server/pyproject.toml` at line 43, Update the Black version everywhere so
tooling is consistent: replace any occurrences of "black==24.1.1" and "rev:
24.1.1" with Black 26.3.1 and ensure the line that currently reads
"black>=26.3.1" is normalized to the exact pinned version "black==26.3.1" (so
pre-commit, lint requirements, and pyproject use the same version); search for
those exact strings to locate the entries to change and commit the synchronized
version.
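A check for the formatter drift described in the review above, added here as an example and not part of the project or of the review bot's output. The three file contents are constructed to mirror the state the review reports, and the regex-based extractors assume the simple one-entry-per-line layouts shown rather than parsing TOML or YAML fully.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample file contents modelled on the inconsistent state the review
# reports; they are not the repository's real files.
REQUIREMENTS_LINT = "black==24.1.1\nflake8==7.0.0\n"
PRE_COMMIT_CONFIG = "repos:\n  - repo: https://github.com/psf/black\n    rev: 24.1.1\n    hooks:\n      - id: black\n"
PYPROJECT = '[dependency-groups]\ndev = [\n    "pytest-asyncio>=0.20.0",\n    "moto>=5.1.21",\n    "black>=26.3.1",\n]\n'

Spec = Tuple[str, str]  # (operator, version), e.g. ("==", "26.3.1")

def requirements_spec(text: str, package: str) -> Optional[Spec]:
    """Find 'package<op>version' in a pip requirements file (regex, not a full parser)."""
    m = re.search(rf"^{re.escape(package)}\s*(==|>=|~=)\s*([\w.]+)", text, re.MULTILINE)
    return (m.group(1), m.group(2)) if m else None

def pyproject_spec(text: str, package: str) -> Optional[Spec]:
    """Find a quoted "package<op>version" entry in a pyproject dependency list."""
    m = re.search(rf'"{re.escape(package)}\s*(==|>=|~=)\s*([\w.]+)"', text)
    return (m.group(1), m.group(2)) if m else None

def pre_commit_spec(text: str, repo_fragment: str) -> Optional[Spec]:
    """Find the rev of the first hook repo whose URL contains repo_fragment.
    A pre-commit rev is always an exact tag, so it is reported as '=='."""
    m = re.search(rf"repo:\s*\S*{re.escape(repo_fragment)}\S*\n\s*rev:\s*([\w.]+)", text)
    return ("==", m.group(1)) if m else None

def check_black_consistency(req_text: str, precommit_text: str, pyproject_text: str) -> List[str]:
    """Return findings; an empty list means every file pins the same exact Black version."""
    specs: Dict[str, Optional[Spec]] = {
        "requirements-lint.txt": requirements_spec(req_text, "black"),
        ".pre-commit-config.yaml": pre_commit_spec(precommit_text, "psf/black"),
        "server/pyproject.toml": pyproject_spec(pyproject_text, "black"),
    }
    findings = []
    for name, spec in specs.items():
        if spec is None:
            findings.append(f"{name}: no black entry found")
        elif spec[0] != "==":
            findings.append(f"{name}: black is bounded with '{spec[0]}' rather than pinned exactly")
    versions = {spec[1] for spec in specs.values() if spec}
    if len(versions) > 1:  # the drift the review flagged: two files on 24.1.1, one on 26.3.1
        findings.append("version drift: " + ", ".join(f"{n}={s[1]}" for n, s in specs.items() if s))
    return findings

if __name__ == "__main__":
    for finding in check_black_consistency(REQUIREMENTS_LINT, PRE_COMMIT_CONFIG, PYPROJECT):
        print(finding)
```

Wired into CI as a pre-merge step, the check fails the build on either a non-exact bound or a version mismatch, which is exactly the state the two-line "Suggested change" above closes.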

@rogermt rogermt changed the title v0.16.5: Security fixes and bug fixes v0.16.5: Security fixes Mar 24, 2026
@rogermt rogermt removed the bug Something isn't working label Mar 24, 2026
Roger MT added 2 commits March 24, 2026 06:24
- server/pyproject.toml: pin black==26.3.1
- requirements-lint.txt: update black==26.3.1
- .pre-commit-config.yaml: update rev: 26.3.1
@rogermt rogermt merged commit 39182d0 into main Mar 24, 2026
15 checks passed
