
[Backline] Update idna to remove vulnerabilities in requirements.txt #10

Open
backline-ai[bot] wants to merge 1 commit into main from backline/a9378990

Conversation


@backline-ai backline-ai Bot commented May 20, 2026

🔐 Security Vulnerability Fixes

This pull request was created and verified by Backline to fix security vulnerabilities in your dependencies.


📋 Remediation Overview

How Backline verified the fix

  • Local build: Passed (pip install --dry-run completed successfully)

Summary

Upgraded idna from 3.4 to 3.15 to resolve CVE-2024-3651 and CVE-2026-45409. Version 3.15 is the minimum version addressing both vulnerabilities. No breaking changes or code modifications required.

📄 A detailed report is available in a comment below.

📦 Package Updates & Vulnerability Fixes

idna: v3.4 → v3.15

Legend: 🟥 Critical | 🟧 High | 🟨 Medium | 🟦 Low

@backline-ai backline-ai Bot added the dependencies Pull requests that update a dependency file label May 20, 2026

backline-ai Bot commented May 20, 2026

Reasoning for the change

This remediation was triggered by two security vulnerabilities in the idna package that posed risks to the application. The direct dependency idna==3.4 contained two in-scope vulnerabilities that required immediate patching through a version upgrade to 3.15, which addresses both issues comprehensively.

Package: idna

Vulnerabilities addressed
GHSA-jjg7-2v4v-x38h/CVE-2024-3651, GHSA-65pc-fj4g-8rjx/CVE-2026-45409

Analyze upgrade options

  • Current version: 3.4 (direct dependency)
  • Fixed version range: >= 3.15
  • Selected target version: 3.15
  • Reason for target version:
    • Version 3.15 is the lowest version that fully patches both CVE-2024-3651 (fixed in 3.7) and CVE-2026-45409 (fixed in 3.15). This version was selected to ensure complete vulnerability remediation while minimizing unnecessary upgrades. The upgrade from 3.4 to 3.15 represents a minor version bump with no dependency conflicts detected.
  • Dependency path:
    • requirements.txt → idna

Breaking changes

No breaking changes detected. Our analysis did not identify any that affect the existing codebase.


What Backline did

Upgrade packages

  • Updated dependencies:
    • idna: 3.4 → 3.15
  • Updated lockfile to ensure resolved versions match the secure targets.

Apply code fixes

  • No code modifications were required. All vulnerabilities were resolved through dependency version updates alone.

Planned vs applied differences

  • The remediation proceeded as planned.

How Backline verified the fix

Local build

  • Result: Passed
  • Build command: pip install --dry-run completed successfully, confirming that the upgraded idna package version 3.15 is compatible with the project environment and all dependencies resolve correctly.
