Commit 091e800
fix: patch Python CVEs in backend, frontend, and evaluation (#286)
fix: patch Python CVEs in all pyproject.toml and uv.lock files
Fixes the following CVEs by bumping minimum version constraints:
- aiohttp: 3.13.4 -> 3.14.0 (CVE-2026-34993, CVE-2026-47265)
- pyarrow: 19/20/21.x -> 23.0.1+ (PYSEC-2026-113)
- pygments: 2.19.2 -> 2.20.0 (CVE-2026-4539)
- PyJWT: 2.12.1 -> 2.13.0 (PYSEC-2026-175/177/178/179)
- starlette: 0.46/0.50.x -> 1.2.1 (PYSEC-2026-161, CVE-2025-54121, CVE-2025-62727)
- fastapi: 0.115.14 -> 0.136.3 (frontend, to pull in starlette 1.x)
aiohttp and pyarrow are added as explicit constraints to force
transitive dependency updates. torch 2.9.0 (PYSEC-2026-139) has no
upstream fix available yet.
https://claude.ai/code/session_01GeF1r9TL34WDNuRp3ny8iR
Co-authored-by: Claude <noreply@anthropic.com>
1 parent ac09c57 commit 091e800
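As an added example (not code from this commit or the project), here is a small audit that checks a uv.lock file against the minimum versions the commit message names, so a reviewer can confirm the bumps actually reached the lock and flag anything still below the fixed release. The lock fragment is constructed for the example, not the repository's real uv.lock, and the version comparison is a deliberately simplified PEP 440 release-segment comparison.

```python
import re

# Minimum fixed versions taken from the commit message (package -> version
# that closes the listed advisories). uv.lock stores normalized, lowercase
# names, so PyJWT appears as "pyjwt".
MINIMUM_SAFE = {
    "aiohttp": "3.14.0",
    "pyarrow": "23.0.1",
    "pygments": "2.20.0",
    "pyjwt": "2.13.0",
    "starlette": "1.2.1",
    "fastapi": "0.136.3",
}

# Per the commit message, torch 2.9.0 (PYSEC-2026-139) has no upstream fix
# yet, so it is reported for tracking rather than compared against a pin.
NO_FIX_YET = {"torch"}

# Constructed uv.lock fragment (assumption: not the project's real lock
# file). It carries the pre-patch versions named in the commit message plus
# one already-patched package and one unrelated package.
SAMPLE_UV_LOCK = """\
version = 1

[[package]]
name = "aiohttp"
version = "3.13.4"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "pyjwt"
version = "2.12.1"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "starlette"
version = "1.2.1"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "torch"
version = "2.9.0"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "requests"
version = "2.32.3"
source = { registry = "https://pypi.org/simple" }
"""

# A [[package]] table in uv.lock starts with its name and version keys.
_PACKAGE_RE = re.compile(
    r'^\[\[package\]\]\nname = "(?P<name>[^"]+)"\nversion = "(?P<version>[^"]+)"',
    re.MULTILINE,
)


def parse_uv_lock(text):
    """Return {normalized_name: version} for every [[package]] entry."""
    return {
        m.group("name").lower().replace("_", "-"): m.group("version")
        for m in _PACKAGE_RE.finditer(text)
    }


def parse_version(v):
    """Release segment of a PEP 440 version as a tuple of ints.

    "3.14.0" -> (3, 14, 0). Pre-release and local suffixes are dropped,
    which is sufficient for the plain release pins compared here.
    """
    release = re.match(r"\d+(\.\d+)*", v).group(0)
    return tuple(int(part) for part in release.split("."))


def version_at_least(have, want):
    """True when `have` >= `want`, padding shorter tuples with zeros."""
    a, b = parse_version(have), parse_version(want)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def audit(locked, minimums=MINIMUM_SAFE, no_fix=NO_FIX_YET):
    """Map each tracked package to 'ok', 'vulnerable', 'absent' or 'no-fix-available'."""
    report = {}
    for name, want in minimums.items():
        have = locked.get(name)
        if have is None:
            report[name] = "absent"  # not in this lock; nothing to bump
        elif version_at_least(have, want):
            report[name] = "ok"
        else:
            report[name] = "vulnerable"
    for name in no_fix:
        if name in locked:
            report[name] = "no-fix-available"
    return report


if __name__ == "__main__":
    for package, status in sorted(audit(parse_uv_lock(SAMPLE_UV_LOCK)).items()):
        print(f"{package:10s} {status}")
```

Run against a real lock with `parse_uv_lock(open("uv.lock").read())`; any `vulnerable` entry means a bump in pyproject.toml did not propagate, and `no-fix-available` entries are the ones to re-check when the upstream release lands.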
6 files changed
Lines changed: 439 additions & 307 deletions
[Diff body not preserved in this rendering: only the line-number columns survived. They show three hunks in one of the changed files: old lines 5-11 / new lines 5-13 with two added lines (new lines 8 and 10); old lines 30-39 / new lines 32-41 with old lines 33 and 36 each replaced by one new line (new lines 35 and 38); old lines 46-52 / new lines 48-54 with old line 49 replaced by new line 51. The other changed files are not shown.]
0 commit comments