
Commit ef5c776

hramezaniclaude
andauthored
chore(deps): fix Dependabot security alerts in Python deps (#2045)
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
1 parent 37a5ba8 commit ef5c776

2 files changed

Lines changed: 96 additions & 94 deletions


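--- a/pyproject.toml
+++ b/pyproject.toml
@@ -155,7 +155,8 @@ dev = [
 "psycopg2-binary >= 2.9.10",
 "asyncpg >= 0.30.0",
 "pymysql >= 1.1.1",
-"cryptography >= 44.0.0",
+# >=48.0.1 ships a non-vulnerable OpenSSL (GHSA-537c-gmf6-5ccf).
+"cryptography >= 48.0.1",
 "cloudpickle>=3.0.0",
 "anthropic>=0.27.0",
 "sqlmodel>=0.0.15",
@@ -169,7 +170,9 @@ dev = [
 # It looks like numpy didn't use to have `requires-python`, so we need to specify the version.
 "numpy>=2.0; python_version < '3.12'",
 "pytest-recording>=0.13.2",
-"vcrpy>=6",
+# >=8.2.1 includes the aiohttp 3.14 compatibility fix and a fix for arbitrary
+# code execution via unsafe YAML deserialization of cassettes (GHSA-rpj2-4hq8-938g).
+"vcrpy>=8.2.1",
 "uvicorn>=0.30.6",
 "logfire-api",
 "setuptools>=75.3.0",
@@ -182,7 +185,8 @@ dev = [
 "openai-agents[voice]>=0.14.0",
 "pydantic-ai-slim>=0.0.39",
 "pydantic-evals>=1.0.0",
-"langchain>=0.0.27",
+# >=1.3.9 fixes path traversal / sandbox escape in file-search middleware and loaders (GHSA-gr75-jv2w-4656).
+"langchain>=1.3.9",
 "langchain-openai>=0.3.17",
 "langgraph >= 0",
 "opentelemetry-instrumentation-google-genai >= 0.4b0",
@@ -205,9 +209,6 @@ format-command = "ruff format --stdin-filename {filename}"
 
 [tool.uv.sources]
 logfire-api = { workspace = true }
-# Until a release with the aiohttp 3.14 compatibility fix is published.
-# https://github.com/kevin1024/vcrpy/issues/995
-vcrpy = { git = "https://github.com/kevin1024/vcrpy", rev = "3ef7682f6cfd708d9514f339ee7973530d46f2fe" }
 
 [tool.uv]
 default-groups = ["dev"]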
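Review bot: The comment added above `"cryptography >= 48.0.1"` in the first hunk reads as if the floor alone removes the vulnerable OpenSSL, but only the prebuilt wheels bundle OpenSSL; an environment that builds cryptography from the sdist links against the system library and is not fixed by this bound. I would word it as `# Wheels >= 48.0.1 bundle a patched OpenSSL (GHSA-537c-gmf6-5ccf); source builds link the system OpenSSL and are not covered by this floor.` All three raised bounds are also only minimums in the `dev` list, so what gets installed is decided by the lock file, which is presumably the second changed file and is not visible here. The `dev = [` list starts and ends outside the hunks shown.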
