chore: bump lxml and nbconvert to address security advisories (#574)

johnnygreco · web-flow · commit 466228861ab4 · 2026-04-27T12:32:49.000-04:00
Bump lxml floor to 6.1.0 (direct dep in data-designer-engine) and add
nbconvert&gt;=7.17.1 to workspace constraint-dependencies (transitive via
jupyter in the notebooks group).
diff --git a/packages/data-designer-engine/pyproject.toml b/packages/data-designer-engine/pyproject.toml
@@ -44,7 +44,7 @@ dependencies = [
     "json-repair>=0.48.0,<1",
     "jsonpath-rust-bindings>=1.0,<2",
     "jsonschema>=4.0.0,<5",
-    "lxml>=6.0.2,<7",
+    "lxml>=6.1.0,<7",
     "marko>=2.1.2,<3",
     "mcp>=1.26.0,<2",
     "networkx>=3.0,<4",
diff --git a/pyproject.toml b/pyproject.toml
@@ -34,10 +34,12 @@ required-version = ">=0.7.10"
 # Minimum versions for transitive dependencies with known security vulnerabilities.
 # aiohttp 3.13.3: CVE-2026-22815, CVE-2026-34513 through CVE-2026-34525 (multiple DoS, CRLF injection, credential theft)
 # cryptography 46.0.6: CVE-2026-39892 (buffer overflow on Python >3.11)
+# nbconvert 7.17.0: security advisory (transitive via jupyter)
 # python-multipart 0.0.22: security advisory (transitive via mcp)
 constraint-dependencies = [
     "aiohttp>=3.13.5",
     "cryptography>=46.0.7",
+    "nbconvert>=7.17.1",
     "python-multipart>=0.0.26",
 ]
 
diff --git a/uv.lock b/uv.lock
