@@ -155,7 +155,8 @@ dev = [
155155 " psycopg2-binary >= 2.9.10" ,
156156 " asyncpg >= 0.30.0" ,
157157 " pymysql >= 1.1.1" ,
158- " cryptography >= 44.0.0" ,
158+ # >=48.0.1 ships a non-vulnerable OpenSSL (GHSA-537c-gmf6-5ccf).
159+ " cryptography >= 48.0.1" ,
159160 " cloudpickle>=3.0.0" ,
160161 " anthropic>=0.27.0" ,
161162 " sqlmodel>=0.0.15" ,
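Review bot: The comment added above `cryptography >= 48.0.1` does not say where the fixed OpenSSL lives. The wording "ships" suggests the copy bundled into the published wheels, in which case an install built from the sdist links the system OpenSSL and is not covered by this floor. Something like `# >=48.0.1 wheels bundle a non-vulnerable OpenSSL (GHSA-537c-gmf6-5ccf); sdist builds use the system OpenSSL.` would make that scope explicit. This floor and the vcrpy and langchain floors in the later hunks are lower bounds in the `dev` group, so the fixed versions are only installed once the lockfile is re-resolved; no lockfile change is visible on this page, so that is worth confirming.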
@@ -169,7 +170,9 @@ dev = [
169170 # It looks like numpy didn't use to have `requires-python`, so we need to specify the version.
170171 " numpy>=2.0; python_version < '3.12'" ,
171172 " pytest-recording>=0.13.2" ,
172- " vcrpy>=6" ,
173+ # >=8.2.1 includes the aiohttp 3.14 compatibility fix and a fix for arbitrary
174+ # code execution via unsafe YAML deserialization of cassettes (GHSA-rpj2-4hq8-938g).
175+ " vcrpy>=8.2.1" ,
173176 " uvicorn>=0.30.6" ,
174177 " logfire-api" ,
175178 " setuptools>=75.3.0" ,
@@ -182,7 +185,8 @@ dev = [
182185 " openai-agents[voice]>=0.14.0" ,
183186 " pydantic-ai-slim>=0.0.39" ,
184187 " pydantic-evals>=1.0.0" ,
185- " langchain>=0.0.27" ,
188+ # >=1.3.9 fixes path traversal / sandbox escape in file-search middleware and loaders (GHSA-gr75-jv2w-4656).
189+ " langchain>=1.3.9" ,
186190 " langchain-openai>=0.3.17" ,
187191 " langgraph >= 0" ,
188192 " opentelemetry-instrumentation-google-genai >= 0.4b0" ,
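Review bot: Raising `langchain` from `>=0.0.27` to `>=1.3.9` crosses a major version, but the neighbouring `langchain-openai>=0.3.17` and `langgraph >= 0` floors are left as they were. Those older floors probably cannot co-resolve with langchain 1.x, so they no longer describe a combination that is actually tested; raising them to the versions the resolver picks alongside 1.3.9 would fix that. The new comment names "file-search middleware and loaders". If any affected loader ships in a separate distribution, this floor alone would not cover it, so the advisory's affected-package list is worth checking against the rest of the `dev` array, which continues outside this hunk.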
@@ -205,9 +209,6 @@ format-command = "ruff format --stdin-filename {filename}"
205209
206210[tool .uv .sources ]
207211logfire-api = { workspace = true }
208- # Until a release with the aiohttp 3.14 compatibility fix is published.
209- # https://github.com/kevin1024/vcrpy/issues/995
210- vcrpy = { git = " https://github.com/kevin1024/vcrpy" , rev = " 3ef7682f6cfd708d9514f339ee7973530d46f2fe" }
211212
212213[tool .uv ]
213214default-groups = [" dev" ]