fix: bump vulnerable transitive deps (#762)

johnnygreco · web-flow · commit 597ad0b10b93 · 2026-06-22T11:50:17.000-04:00
Signed-off-by: Johnny Greco &lt;jogreco@nvidia.com&gt;
diff --git a/packages/data-designer-engine/pyproject.toml b/packages/data-designer-engine/pyproject.toml
@@ -56,6 +56,7 @@ dependencies = [
     "ruff>=0.14.10,<1",
     "scipy>=1.11.0,<2",
     "sqlfluff>=4.1.0,<5",
+    "starlette>=1.2.0,<2", # 1.2.0 fixes security advisory pulled in by mcp
     "tiktoken>=0.8.0,<1",
 ]
 
diff --git a/pyproject.toml b/pyproject.toml
@@ -56,6 +56,7 @@ notebooks = [
     "mistune>=3.2.1,<4", # 3.2.1 fixes security advisory pulled in by nbconvert
     "nbconvert>=7.17.1,<8", # 7.17.1 fixes security advisory pulled in by jupyter
     "notebook>=7.6.0a5,<8", # 7.6.0a5 fixes security advisory pulled in by jupyter
+    "tornado>=6.5.7,<7", # 6.5.7 fixes security advisory pulled in by jupyterlab
 ]
 recipes = [
     "bm25s>=0.2.0,<1",
diff --git a/uv.lock b/uv.lock

Original file line number	Diff line number	Diff line change
`@@ -56,6 +56,7 @@ dependencies = [`
`56`	`56`	`"ruff>=0.14.10,<1",`
`57`	`57`	`"scipy>=1.11.0,<2",`
`58`	`58`	`"sqlfluff>=4.1.0,<5",`
	`59`	`+ "starlette>=1.2.0,<2", # 1.2.0 fixes security advisory pulled in by mcp`
`59`	`60`	`"tiktoken>=0.8.0,<1",`
`60`	`61`	`]`
`61`	`62`
Original file line number	Diff line number	Diff line change
`@@ -56,6 +56,7 @@ notebooks = [`
`56`	`56`	`"mistune>=3.2.1,<4", # 3.2.1 fixes security advisory pulled in by nbconvert`
`57`	`57`	`"nbconvert>=7.17.1,<8", # 7.17.1 fixes security advisory pulled in by jupyter`
`58`	`58`	`"notebook>=7.6.0a5,<8", # 7.6.0a5 fixes security advisory pulled in by jupyter`
	`59`	`+ "tornado>=6.5.7,<7", # 6.5.7 fixes security advisory pulled in by jupyterlab`
`59`	`60`	`]`
`60`	`61`	`recipes = [`
`61`	`62`	`"bm25s>=0.2.0,<1",`