From c597d43bd60a4dc9534fa1de4180322207a2ce1c Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 11 May 2026 19:32:52 +0000 Subject: [PATCH 1/2] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/astral-sh/uv-pre-commit: 0.11.7 → 0.11.13](https://github.com/astral-sh/uv-pre-commit/compare/0.11.7...0.11.13) - [github.com/astral-sh/ruff-pre-commit: v0.15.11 → v0.15.12](https://github.com/astral-sh/ruff-pre-commit/compare/v0.15.11...v0.15.12) - [github.com/pre-commit/mirrors-mypy: v1.20.1 → v2.0.0](https://github.com/pre-commit/mirrors-mypy/compare/v1.20.1...v2.0.0) --- .pre-commit-config.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d546ae3..36ae696 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -20,12 +20,12 @@ repos: - id: check-toml - repo: https://github.com/astral-sh/uv-pre-commit - rev: 0.11.7 + rev: 0.11.13 hooks: - id: uv-lock - repo: https://github.com/astral-sh/ruff-pre-commit - rev: 'v0.15.11' + rev: 'v0.15.12' hooks: - id: ruff-check args: [--fix, --exit-non-zero-on-fix] @@ -34,7 +34,7 @@ repos: types_or: [python, jupyter] - repo: https://github.com/pre-commit/mirrors-mypy - rev: v1.20.1 + rev: v2.0.0 hooks: - id: mypy entry: python3 -m mypy --config-file pyproject.toml From ea5a105a753e394e6d0b1eeedc16c2d7d57dbeaf Mon Sep 17 00:00:00 2001 
From: AI Engineering Bot Date: Thu, 14 May 2026 14:03:08 -0400 Subject: [PATCH 2/2] chore: fix security vulnerabilities from pip-audit - Bump pip to >=26.1 to fix CVE-2026-6357 - Add urllib3>=2.7.0 constraint to fix CVE-2026-44431, CVE-2026-44432 - Bump python-multipart to >=0.0.27 to fix CVE-2026-42561 - Add CVE-2026-3219 to pip-audit ignore list (no upstream fix available for pip) Co-authored-by: aieng-bot --- .github/workflows/code_checks.yml | 1 + pyproject.toml | 5 +++-- uv.lock | 24 +++++++++++++----------- 3 files changed, 17 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/code_checks.yml b/.github/workflows/code_checks.yml
index abbd59b..08a5055 100644
--- a/.github/workflows/code_checks.yml
+++ b/.github/workflows/code_checks.yml
@@ -69,3 +69,4 @@ jobs:
 virtual-environment: .venv/
 ignore-vulns: |
 GHSA-4xh5-x5gv-qwph
+ CVE-2026-3219
diff --git a/pyproject.toml b/pyproject.toml
index 2663d58..ed58c9d 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -53,7 +53,8 @@ dev = [
 "pyjwt>=2.12.0", # Pinning version to address vulnerability CVE-2026-32597
 "mypy>=1.14.1",
 "nbqa>=1.9.1",
- "pip>=26.0", # Pinning version to address vulnerability CVE-2026-1703
+ "pip>=26.1", # Pinning version to address vulnerabilities CVE-2026-1703, CVE-2026-6357
+ "urllib3>=2.7.0", # Pinning version to address vulnerabilities CVE-2026-44431, CVE-2026-44432
 "pip-audit>=2.7.3",
 "pre-commit>=4.1.0",
 "pygments>=2.20.0", # Pinning version to address vulnerability CVE-2026-4539
@@ -79,7 +80,7 @@ bookstack-api = [
 "fastapi>=0.115.0",
 "google-cloud-storage>=2.0.0",
 "httptools>=0.6.0",
- "python-multipart>=0.0.26", # Pinning version to address vulnerability CVE-2026-40347
+ "python-multipart>=0.0.27", # Pinning version to address vulnerabilities CVE-2026-40347, CVE-2026-42561
 "uvicorn[standard]>=0.32.0",
 "uvloop>=0.21.0",
 ]
diff --git a/uv.lock b/uv.lock
index e9a975d..8f1377f 100644
--- a/uv.lock
+++ b/uv.lock
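Review bot: The `CVE-2026-3219` entry added under `ignore-vulns` in `.github/workflows/code_checks.yml` carries no justification in the workflow itself, so the reason for the suppression lives only in the commit message and nothing prompts its removal once a fix ships. Because `ignore-vulns: |` is a block scalar, a `#` line placed inside it would be passed along as part of the value; the comment belongs above the key, e.g. `# CVE-2026-3219 (pip): no upstream fix as of 2026-05-14 - remove once a fixed pip release is pinned`. The existing `GHSA-4xh5-x5gv-qwph` entry has the same gap and could be documented in the same comment. The step and job that own this input begin outside the hunk.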
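Review bot: In the first `pyproject.toml` hunk, the added `"urllib3>=2.7.0"` line makes urllib3 look like a direct development dependency, while the `uv.lock` diff shows it was already locked at 2.6.3, so it is presumably only pulled in transitively (likely via `requests`). As written, the security floor is recorded only in the `dev` list and is not stated for anything that resolves the project without that list or without `uv.lock`. If the project keeps uv settings in `pyproject.toml`, a resolver-level constraint expresses the intent more directly: `constraint-dependencies = ["urllib3>=2.7.0"]` under `[tool.uv]`. Otherwise, extend the comment so the pin is not mistaken for a real dependency, e.g. `# transitive only; floor for CVE-2026-44431, CVE-2026-44432 - drop once upstream requires >=2.7.0`. The `dev` list starts and ends outside the hunk.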
@@ -47,6 +47,7 @@ dev = [ { name = "pytest-mock" }, { name = "requests" }, { name = "ruff" }, + { name = "urllib3" }, ] docs = [ { name = "ipykernel" }, @@ -75,7 +76,7 @@ bookstack-api = [ { name = "fastapi", specifier = ">=0.115.0" }, { name = "google-cloud-storage", specifier = ">=2.0.0" }, { name = "httptools", specifier = ">=0.6.0" }, - { name = "python-multipart", specifier = ">=0.0.26" }, + { name = "python-multipart", specifier = ">=0.0.27" }, { name = "uvicorn", extras = ["standard"], specifier = ">=0.32.0" }, { name = "uvloop", specifier = ">=0.21.0" }, ] @@ -84,7 +85,7 @@ dev = [ { name = "cryptography", specifier = ">=46.0.7" }, { name = "mypy", specifier = ">=1.14.1" }, { name = "nbqa", specifier = ">=1.9.1" }, - { name = "pip", specifier = ">=26.0" }, + { name = "pip", specifier = ">=26.1" }, { name = "pip-audit", specifier = ">=2.7.3" }, { name = "pre-commit", specifier = ">=4.1.0" }, { name = "pygments", specifier = ">=2.20.0" }, @@ -95,6 +96,7 @@ dev = [ { name = "pytest-mock", specifier = ">=3.14.0" }, { name = "requests", specifier = ">=2.33.0" }, { name = "ruff", specifier = ">=0.13.3" }, + { name = "urllib3", specifier = ">=2.7.0" }, ] docs = [ { name = "ipykernel", specifier = ">=6.29.5" }, 
@@ -1657,11 +1659,11 @@ wheels = [ [[package]] name = "pip" -version = "26.0.1" +version = "26.1.1" source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/48/83/0d7d4e9efe3344b8e2fe25d93be44f64b65364d3c8d7bc6dc90198d5422e/pip-26.0.1.tar.gz", hash = "sha256:c4037d8a277c89b320abe636d59f91e6d0922d08a05b60e85e53b296613346d8", size = 1812747 } +sdist = { url = "https://files.pythonhosted.org/packages/b6/48/cb9b7a682f6fe01a4221e1728941dd4ac3cd9090a17db3779d6ff490b602/pip-26.1.1.tar.gz", hash = "sha256:d36762751d156a4ee895de8af39aa0abeeeb577f93a2eca6ab62467bbf0f8a78", size = 1840400 } wheels = [ - { url = "https://files.pythonhosted.org/packages/de/f0/c81e05b613866b76d2d1066490adf1a3dbc4ee9d9c839961c3fc8a6997af/pip-26.0.1-py3-none-any.whl", hash = "sha256:bdb1b08f4274833d62c1aa29e20907365a2ceb950410df15fc9521bad440122b", size = 1787723 }, + { url = "https://files.pythonhosted.org/packages/3a/eb/fea4d1d51c49832120f7f285d07306db3960f423a2612c6057caf3e8196f/pip-26.1.1-py3-none-any.whl", hash = "sha256:99cb1c2899893b075ff56e4ed0af55669a955b49ad7fb8d8603ecdaf4ed653fb", size = 1812777 }, ] [[package]] 
@@ -2120,11 +2122,11 @@ wheels = [ [[package]] name = "python-multipart" -version = "0.0.26" +version = "0.0.28" source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/88/71/b145a380824a960ebd60e1014256dbb7d2253f2316ff2d73dfd8928ec2c3/python_multipart-0.0.26.tar.gz", hash = "sha256:08fadc45918cd615e26846437f50c5d6d23304da32c341f289a617127b081f17", size = 43501 } +sdist = { url = "https://files.pythonhosted.org/packages/82/54/a85eb421fbdd5007bc5af39d0f4ed9fa609e0fedbfdc2adcf0b34526870e/python_multipart-0.0.28.tar.gz", hash = "sha256:8550da197eac0f7ab748961fc9509b999fa2662ea25cef857f05249f6893c0f8", size = 45314 } wheels = [ - { url = "https://files.pythonhosted.org/packages/9a/22/f1925cdda983ab66fc8ec6ec8014b959262747e58bdca26a4e3d1da29d56/python_multipart-0.0.26-py3-none-any.whl", hash = "sha256:c0b169f8c4484c13b0dcf2ef0ec3a4adb255c4b7d18d8e420477d2b1dd03f185", size = 28847 }, + { url = "https://files.pythonhosted.org/packages/f3/a2/43bbc5860b5034e2af4ef99a0e04d726ff329c43e192ef3abaa8d7ecfce5/python_multipart-0.0.28-py3-none-any.whl", hash = "sha256:10faac07eb966c3f48dc415f9dee46c04cb10d58d30a35677db8027c825ed9b6", size = 29438 }, ] [[package]] 
@@ -2585,11 +2587,11 @@ wheels = [ [[package]] name = "urllib3" -version = "2.6.3" +version = "2.7.0" source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/c7/24/5f1b3bdffd70275f6661c76461e25f024d5a38a46f04aaca912426a2b1d3/urllib3-2.6.3.tar.gz", hash = "sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed", size = 435556 } +sdist = { url = "https://files.pythonhosted.org/packages/53/0c/06f8b233b8fd13b9e5ee11424ef85419ba0d8ba0b3138bf360be2ff56953/urllib3-2.7.0.tar.gz", hash = "sha256:231e0ec3b63ceb14667c67be60f2f2c40a518cb38b03af60abc813da26505f4c", size = 433602 } wheels = [ - { url = "https://files.pythonhosted.org/packages/39/08/aaaad47bc4e9dc8c725e68f9d04865dbcb2052843ff09c97b08904852d84/urllib3-2.6.3-py3-none-any.whl", hash = "sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4", size = 131584 }, + { url = "https://files.pythonhosted.org/packages/7f/3e/5db95bcf282c52709639744ca2a8b149baccf648e39c8cc87553df9eae0c/urllib3-2.7.0-py3-none-any.whl", hash = "sha256:9fb4c81ebbb1ce9531cce37674bbc6f1360472bc18ca9a553ede278ef7276897", size = 131087 }, ] [[package]]