fix: remaining dependabot security issues (#890)

* Upgrade docs deps * Upgrade frontend to latest deps * Update package overrides * Remove redundant deps * Add tailwind postcss plugin * Replace language select with chakra * Fix main nav * Patch gray matter * Fix webpack override * Replace python-jose with pyjwt * Override kv url for frontend in compose * Upgrade hatchet sdk * Update docs * Supress pydantic warnings
2026-04-22 13:15:18 +00:00 · 2026-03-02 17:17:40 +01:00
parent 4d915e2a9f
commit 0931095f49
34 changed files with 20117 additions and 26696 deletions
--- a/server/reflector/_warnings_filter.py
+++ b/server/reflector/_warnings_filter.py
@@ -0,0 +1,13 @@
+"""
+Suppress known dependency warnings. Import this before any reflector/hatchet_sdk
+imports that pull in pydantic (e.g. llama_index) to hide UnsupportedFieldAttributeWarning
+about validate_default.
+"""
+
+import warnings
+
+warnings.filterwarnings(
+    "ignore",
+    message=".*validate_default.*",
+    category=UserWarning,
+)
--- a/server/reflector/auth/auth_jwt.py
+++ b/server/reflector/auth/auth_jwt.py
@@ -4,8 +4,8 @@ from fastapi import Depends, HTTPException

 if TYPE_CHECKING:
    from fastapi import WebSocket
+import jwt
 from fastapi.security import APIKeyHeader, OAuth2PasswordBearer
-from jose import JWTError, jwt
 from pydantic import BaseModel

 from reflector.db.user_api_keys import user_api_keys_controller
@@ -54,7 +54,7 @@ class JWTAuth:
                audience=jwt_audience,
            )
            return payload
-        except JWTError as e:
+        except jwt.PyJWTError as e:
            logger.error(f"JWT error: {e}")
            raise

@@ -94,7 +94,7 @@ async def _authenticate_user(
                )

            user_infos.append(UserInfo(sub=user.id, email=email))
-        except JWTError as e:
+        except jwt.PyJWTError as e:
            logger.error(f"JWT error: {e}")
            raise HTTPException(status_code=401, detail="Invalid authentication")

--- a/server/reflector/auth/auth_password.py
+++ b/server/reflector/auth/auth_password.py
@@ -9,9 +9,9 @@ from collections import defaultdict
 from datetime import datetime, timedelta, timezone
 from typing import TYPE_CHECKING, Annotated, Optional

+import jwt
 from fastapi import APIRouter, Depends, HTTPException, Request
 from fastapi.security import APIKeyHeader, OAuth2PasswordBearer
-from jose import JWTError, jwt
 from pydantic import BaseModel

 from reflector.auth.password_utils import verify_password
@@ -110,7 +110,7 @@ async def _authenticate_user(
            user_id = payload["sub"]
            email = payload.get("email")
            user_infos.append(UserInfo(sub=user_id, email=email))
-        except JWTError as e:
+        except jwt.PyJWTError as e:
            logger.error(f"JWT error: {e}")
            raise HTTPException(status_code=401, detail="Invalid authentication")

--- a/server/reflector/hatchet/run_workers_cpu.py
+++ b/server/reflector/hatchet/run_workers_cpu.py
@@ -7,6 +7,7 @@ Configuration:
 - Worker affinity: pool=cpu-heavy
 """

+import reflector._warnings_filter  # noqa: F401 -- side effect: suppress pydantic validate_default warning
 from reflector.hatchet.client import HatchetClientManager
 from reflector.hatchet.workflows.daily_multitrack_pipeline import (
    daily_multitrack_pipeline,
--- a/server/reflector/hatchet/run_workers_llm.py
+++ b/server/reflector/hatchet/run_workers_llm.py
@@ -5,6 +5,7 @@ Handles: all tasks except mixdown_tracks (transcription, LLM inference, orchestr

 import asyncio

+import reflector._warnings_filter  # noqa: F401 -- side effect: suppress pydantic validate_default warning
 from reflector.hatchet.client import HatchetClientManager
 from reflector.hatchet.workflows.daily_multitrack_pipeline import (
    daily_multitrack_pipeline,
--- a/server/reflector/tools/process_transcript.py
+++ b/server/reflector/tools/process_transcript.py
@@ -17,6 +17,7 @@ from typing import Callable
 from celery.result import AsyncResult
 from hatchet_sdk.clients.rest.models import V1TaskStatus

+import reflector._warnings_filter  # noqa: F401 -- side effect: suppress pydantic validate_default warning
 from reflector.db import get_database
 from reflector.db.transcripts import Transcript, transcripts_controller
 from reflector.hatchet.client import HatchetClientManager
--- a/server/reflector/views/transcripts.py
+++ b/server/reflector/views/transcripts.py
@@ -1,10 +1,10 @@
 from datetime import datetime, timedelta, timezone
 from typing import Annotated, Literal, Optional, assert_never

+import jwt
 from fastapi import APIRouter, Depends, HTTPException, Query
 from fastapi_pagination import Page
 from fastapi_pagination.ext.databases import apaginate
-from jose import jwt
 from pydantic import (
    AwareDatetime,
    BaseModel,
--- a/server/reflector/views/transcripts_audio.py
+++ b/server/reflector/views/transcripts_audio.py
@@ -7,8 +7,8 @@ Transcripts audio related endpoints
 from typing import Annotated, Optional

 import httpx
+import jwt
 from fastapi import APIRouter, Depends, HTTPException, Request, Response, status
-from jose import jwt

 import reflector.auth as auth
 from reflector.db.transcripts import AudioWaveform, transcripts_controller
@@ -44,7 +44,7 @@ async def transcript_get_audio_mp3(
        try:
            payload = jwt.decode(token, settings.SECRET_KEY, algorithms=[ALGORITHM])
            user_id: str = payload.get("sub")
-        except jwt.JWTError:
+        except jwt.PyJWTError:
            raise unauthorized_exception

    transcript = await transcripts_controller.get_by_id_for_http(