ENG-2691 Remove unused ecdsa dependency (CVE-2024-23342)#7731

Merged
erosselli merged 2 commits into main from erosselli/ENG-2691-follow-up
Mar 23, 2026

Conversation


@erosselli erosselli commented Mar 23, 2026

Ticket ENG-2691 (follow-up)

Description Of Changes

Removes the ecdsa~=0.19.1 direct pin from pyproject.toml. This was a leftover from python-jose[cryptography] which was replaced by joserfc in ENG-2691 (#7573). ecdsa is not imported anywhere in fides or fidesplus, and no other package depends on it. Removing it eliminates CVE-2024-23342 (Minerva timing attack, no fix available).

Code Changes

  • Removed ecdsa~=0.19.1 from pyproject.toml dependencies
  • Regenerated uv.lock (296 packages, down from 297)

Steps to Confirm

  1. uv lock resolves without errors
  2. CI passes — ecdsa is not imported anywhere

Pre-Merge Checklist

  • Issue requirements met
  • All CI pipelines succeeded
  • CHANGELOG.md updated
    • Updates unreleased work already in Changelog, no new entry necessary
  • UX feedback:
    • No UX review needed
  • Followup issues:
    • No followup issues
  • Database migrations:
    • No migrations
  • Documentation:
    • No documentation updates required

Leftover from python-jose, replaced by joserfc in ENG-2691.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

vercel bot commented Mar 23, 2026

2 Skipped Deployments
Project               Deployment   Actions            Updated (UTC)
fides-plus-nightly    Ignored      Ignored, Preview   Mar 23, 2026 6:20pm
fides-privacy-center  Ignored      Ignored            Mar 23, 2026 6:20pm

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@erosselli erosselli changed the title from "Remove unused ecdsa dependency (CVE-2024-23342)" to "ENG-2691 Remove unused ecdsa dependency (CVE-2024-23342)" Mar 23, 2026
@erosselli erosselli marked this pull request as ready for review March 23, 2026 18:20
@claude claude bot left a comment

Code Review

This is a clean, minimal security fix. No issues found.

Verified:

  • ecdsa is not imported anywhere in the Python codebase (grep confirms zero matches across all *.py files)
  • uv.lock is correctly regenerated, dropping the ecdsa==0.19.1 package and its six transitive dependency reference, reducing the resolved package count from 297 to 296
  • The changelog entry correctly categorizes this as a Security type with the CVE reference
  • No other package in the lock file lists ecdsa as a dependency, confirming it was solely a direct (unused) pin

The removal eliminates CVE-2024-23342 (Minerva timing-attack vulnerability) with zero functional risk. LGTM.


greptile-apps bot commented Mar 23, 2026

Greptile Summary

This PR removes the unused ecdsa~=0.19.1 direct dependency from pyproject.toml and regenerates the lockfile, eliminating CVE-2024-23342 (Minerva timing attack). The package was a leftover pin from the prior python-jose[cryptography] → joserfc migration and is not imported anywhere in the codebase.

  • Removed ecdsa~=0.19.1 from pyproject.toml dependencies
  • Regenerated uv.lock (297 → 296 packages), removing all references to ecdsa and its six transitive dep declaration
  • Added changelog/7731-remove-ecdsa.yaml with a Security type entry

The change is minimal, targeted, and correct. A codebase-wide search confirms ecdsa is not imported anywhere outside of the files modified by this PR.

Confidence Score: 5/5

  • This PR is safe to merge — it is a clean, targeted removal of a verified-unused dependency that carries a known CVE with no available fix.
  • The change is minimal (one line removed from pyproject.toml, lockfile regenerated, changelog added). A codebase grep confirms ecdsa is not imported anywhere. No functional code is modified, and there is no transitive dependent left behind. All three files are correct and complete.
  • No files require special attention.

Important Files Changed

pyproject.toml: Removes the ecdsa~=0.19.1 direct pin from the dependency list, eliminating the CVE-2024-23342 vulnerability. Change is correct and complete.
uv.lock: Lockfile regenerated after removing ecdsa; the package entry and all dependency references are cleanly removed (297 → 296 packages). No issues found.
changelog/7731-remove-ecdsa.yaml: New changelog entry correctly categorized as Security with an accurate description of the CVE being addressed.

Reviews (1): Last reviewed commit: "Add changelog for PR #7731"

@JadeCara JadeCara left a comment

🚢

@erosselli erosselli added this pull request to the merge queue Mar 23, 2026
Merged via the queue into main with commit 97b6100 Mar 23, 2026
58 checks passed
@erosselli erosselli deleted the erosselli/ENG-2691-follow-up branch March 23, 2026 21:27