
Commit 091e800

luarss and claude authored
fix: patch Python CVEs in backend, frontend, and evaluation (#286)
fix: patch Python CVEs in all pyproject.toml and uv.lock files

Fixes the following CVEs by bumping minimum version constraints:

- aiohttp: 3.13.4 -> 3.14.0 (CVE-2026-34993, CVE-2026-47265)
- pyarrow: 19/20/21.x -> 23.0.1+ (PYSEC-2026-113)
- pygments: 2.19.2 -> 2.20.0 (CVE-2026-4539)
- PyJWT: 2.12.1 -> 2.13.0 (PYSEC-2026-175/177/178/179)
- starlette: 0.46/0.50.x -> 1.2.1 (PYSEC-2026-161, CVE-2025-54121, CVE-2025-62727)
- fastapi: 0.115.14 -> 0.136.3 (frontend, to pull in starlette 1.x)

aiohttp and pyarrow are added as explicit constraints to force transitive dependency updates.

torch 2.9.0 (PYSEC-2026-139) has no upstream fix available yet.

https://claude.ai/code/session_01GeF1r9TL34WDNuRp3ny8iR

Co-authored-by: Claude <noreply@anthropic.com>
1 parent ac09c57 commit 091e800

6 files changed

Lines changed: 439 additions & 307 deletions

File tree

backend/pyproject.toml

Lines changed: 5 additions & 3 deletions
@@ -5,7 +5,9 @@ description = "Add your description here"
55
readme = "README.md"
66
requires-python = ">=3.13"
77
dependencies = [
8+
"aiohttp>=3.14.0",
89
"asyncpg>=0.30.0",
10+
"pyarrow>=23.0.1",
911
"cryptography>=46.0.5",
1012
"faiss-cpu==1.12.0",
1113
"fastapi>=0.117.0",
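Review bot: `"aiohttp>=3.14.0"` and `"pyarrow>=23.0.1"` are added to `[project].dependencies`, but the commit message says they exist only to force transitive updates; listed here they become direct dependencies of the package for every consumer and will be kept even after the transitive packages drop them. If the backend does not import them, put them under uv's `[tool.uv] constraint-dependencies` instead, or at minimum add a TOML comment next to each line explaining why it is pinned. Minor: `"pyarrow>=23.0.1"` is inserted between `asyncpg` and `cryptography`, breaking the otherwise alphabetical order of the list.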
@@ -30,10 +32,10 @@ dependencies = [
3032
"nltk==3.9.4",
3133
"openai==1.100.2",
3234
"protobuf>=5.29.6",
33-
"PyJWT>=2.12.0",
35+
"PyJWT>=2.13.0",
3436
"psycopg2-binary>=2.9.11",
3537
"pydantic>=2.11.7",
36-
"pygments>=2.15.1",
38+
"pygments>=2.20.0",
3739
"pypdf==6.10.2",
3840
"rank-bm25==0.2.2",
3941
"rich>=13.7.0",
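Review bot: the `PyJWT>=2.13.0` and `pygments>=2.20.0` floors carry no indication of why they were raised; a short TOML comment on each line citing the advisories from the commit message (PYSEC-2026-175/177/178/179 and CVE-2026-4539) would stop a later cleanup from lowering them again, since these floors, not uv.lock, are what survive a re-lock.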
@@ -46,7 +48,7 @@ dependencies = [
4648
"sphinx-external-toc==1.0.1",
4749
"sphinxcontrib-mermaid==1.0.0",
4850
"sqlalchemy>=2.0.43",
49-
"starlette>=0.49.1",
51+
"starlette>=1.0.1",
5052
"unstructured==0.18.18",
5153
]
5254
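Review bot: the floor on this line is `starlette>=1.0.1`, while the commit message states the fix target as 1.2.1; uv.lock may resolve to 1.2.1 today, but the declared minimum still admits 1.0.x and 1.1.x, so raise it to `>=1.2.1` to match the message. Related: the backend keeps `fastapi>=0.117.0` (first hunk) even though the message says the frontend needed fastapi 0.136.3 to pull in starlette 1.x; if the same coupling applies here, the fastapi floor should be raised alongside starlette so the two constraints are satisfiable together without relying on the lock file.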
