fix(DATAGO-135330): upgrade pip to 26.1+ for CVE-2026-6357, CVE-2026-3219 (#1562)

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: Hugo-Pare

Dockerfile

@@ -83,6 +83,7 @@ RUN echo "deb http://deb.debian.org/debian unstable main" > /etc/apt/sources.lis
     mv /root/.local/bin/uv /usr/local/bin/uv && \
     rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/unstable.list /etc/apt/preferences.d/99pin-libtasn1 && \
     python3 -m venv /opt/venv && \
+    /opt/venv/bin/pip install --upgrade "pip==26.1.1" && \
     uv pip install --system "virtualenv<21" hatch
 
 WORKDIR /app

client/webui/frontend/package-lock.json

@@ -93,7 +93,7 @@
         "jszip": "^3.10.1",
         "lucide-react": "^0.511.0",
         "marked": "^15.0.12",
-        "mermaid": "^11.12.2",
+        "mermaid": "^11.15.0",
         "react": "19.0.0",
         "react-dom": "19.0.0",
         "react-hook-form": "^7.65.0",

client/webui/frontend/package.json

@@ -29,7 +29,7 @@ dependencies = [
     "google-genai==1.49.0",
     "httpx==0.28.1",
     "idna==3.15",  # [CVE-2026-45409] Security fix (transitive from httpx, requests)
-    "jwcrypto==1.5.6",
+    "jwcrypto==1.5.7",  # [CVE-2026-39373] Security fix
     "python-jwt==4.1.0",
     "pyjwt>=2.12.0",  # [CVE-2026-32597] Security fix: validates the crit (Critical) Header Parameter in JWS tokens (transitive from a2a-sdk, msal)
     "asteval==1.0.6",