fix(security): bump dependencies to fix CVEs + regenerate uv.lock (#3073)
* fix(security): bump dependencies to fix 7 CVEs

Python (pyproject.toml):
- requests >=2.33.0: CVE-2026-25645
- PyJWT >=2.12.0: CVE-2026-32597

Transitive Python CVEs (require lock file or upstream fix):
- cbor2 5.8.0: CVE-2026-26209 (via modal)
- pygments 2.19.2: CVE-2026-4539 (via rich)
- pynacl 1.5.0: CVE-2025-69277 (via discord.py)

NPM (package-lock.json via npm audit fix):
- basic-ftp: CRITICAL path traversal (GHSA-5rq4-664w-9x2c)
- fast-xml-parser: HIGH stack overflow + entity expansion
- undici: HIGH CRLF injection, memory DoS, smuggling
- minimatch: HIGH ReDoS

Remaining: lodash moderate prototype pollution in @appium/logger (upstream fix needed).

* chore: regenerate uv.lock for CVE version bumps

uv lock after requests >=2.33.0 and PyJWT >=2.12.0 minimum bumps. Without this, uv sync --locked fails because the old lock pinned requests==2.32.5 and pyjwt==2.11.0 (below new minimums).

---------

Co-authored-by: 0xbyt4 <35742124+0xbyt4@users.noreply.github.com>
@@ -20,7 +20,7 @@ dependencies = [
"rich>=14.3.3,<15",
"tenacity>=9.1.4,<10",
"pyyaml>=6.0.2,<7",
"requests>=2.32.3,<3",
"requests>=2.33.0,<3", # CVE-2026-25645
"jinja2>=3.1.5,<4",
"pydantic>=2.12.5,<3",
# Interactive CLI (prompt_toolkit is used directly by cli.py)
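Review bot: the `requests>=2.33.0,<3` floor in this hunk only raises the minimum for one direct dependency; the transitive CVEs named in the commit message (pygments pulled in via `rich>=14.3.3,<15` on the line above it, cbor2 via modal, pynacl via discord.py) are not constrained by anything here, so resolution keeps whatever the lock allows for them. Consider adding explicit floors for those packages next to `rich` once fixed releases exist (e.g. `"pygments>=<fixed version>,<3"`, version to be filled in), or extend the `# CVE-2026-25645` comment so it is not read as covering the transitive set.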
@@ -33,7 +33,7 @@ dependencies = [
"edge-tts>=7.2.7,<8",
"faster-whisper>=1.0.0,<2",
# Skills Hub (GitHub App JWT auth — optional, only needed for bot identity)
"PyJWT[crypto]>=2.10.1,<3",
"PyJWT[crypto]>=2.12.0,<3", # CVE-2026-32597
]
[project.optional-dependencies]
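Review bot: the comment above `PyJWT[crypto]>=2.12.0,<3` says the package is optional and only needed for bot identity, yet it sits in the core `dependencies` list rather than under the `[project.optional-dependencies]` table that closes this hunk; moving it into an extra there would let the CVE-2026-32597 bump apply only to installs that enable the GitHub App path and keep the default install's dependency surface smaller. Separately, the rendered diff shows only pyproject.toml: confirm the regenerated uv.lock described in the commit message lands in the same change, since without it `uv sync --locked` fails on the old `pyjwt==2.11.0` pin.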