3bc953a666
* fix(security): bump dependencies to fix 7 CVEs Python (pyproject.toml): - requests >=2.33.0: CVE-2026-25645 - PyJWT >=2.12.0: CVE-2026-32597 Transitive Python CVEs (require lock file or upstream fix): - cbor2 5.8.0: CVE-2026-26209 (via modal) - pygments 2.19.2: CVE-2026-4539 (via rich) - pynacl 1.5.0: CVE-2025-69277 (via discord.py) NPM (package-lock.json via npm audit fix): - basic-ftp: CRITICAL path traversal (GHSA-5rq4-664w-9x2c) - fast-xml-parser: HIGH stack overflow + entity expansion - undici: HIGH CRLF injection, memory DoS, smuggling - minimatch: HIGH ReDoS Remaining: lodash moderate prototype pollution in @appium/logger (upstream fix needed). * chore: regenerate uv.lock for CVE version bumps uv lock after requests >=2.33.0 and PyJWT >=2.12.0 minimum bumps. Without this, uv sync --locked fails because the old lock pinned requests==2.32.5 and pyjwt==2.11.0 (below new minimums). --------- Co-authored-by: 0xbyt4 <35742124+0xbyt4@users.noreply.github.com>
3.4 KiB
3.4 KiB