deps: pin python-dotenv >=1.2.2 (CVE-2026-28684) (#51)

bk86a · claude · web-flow · commit e562cc541fa3 · 2026-04-23T08:54:41.000+02:00
* deps: pin python-dotenv >=1.2.2 to fix CVE-2026-28684 Transitive dependency (via pydantic-settings/uvicorn[standard]) was being resolved to 1.0.1, which pip-audit now flags. Pinning directly at the floor of the fixed version. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * deps: bump python-dotenv to 1.2.2 in lockfile CI's pip-audit reads requirements.lock; the floor pin in requirements.txt alone doesn't affect the audited lock. Updating the lock entry directly. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/requirements.lock b/requirements.lock
@@ -15,7 +15,7 @@ idna==3.11
 limits==5.8.0
 pydantic==2.12.5
 pydantic-settings==2.13.0
-python-dotenv==1.0.1
+python-dotenv==1.2.2
 PyYAML==6.0.1
 slowapi==0.1.9
 starlette==0.52.1
diff --git a/requirements.txt b/requirements.txt
@@ -4,3 +4,4 @@ httpx>=0.27,<1
 pydantic>=2,<3
 pydantic-settings>=2,<3
 slowapi>=0.1,<1
+python-dotenv>=1.2.2,<2
