Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 8 additions & 6 deletions pyproject.toml
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ license = "Apache-2.0"
requires-python = ">=3.12,<4.0"
dependencies = [
"aieng-eval-agents>=0.1.0",
"aiohttp>=3.14.0", # CVE-2026-34513/34514/34515/34516/34517/34518/34519/34520/34525, CVE-2026-22815: multiple DoS/security fixes in 3.13.4
"aiohttp>=3.14.1", # CVE-2026-34513/34514/34515/34516/34517/34518/34519/34520/34525, CVE-2026-22815: multiple DoS/security fixes in 3.13.4; CVE-2026-54273/54274/54275/54276/54277/54278/54279/54280: multiple DoS/security fixes in 3.14.1
"beautifulsoup4>=4.13.4",
"datasets>=3.6.0",
"e2b-code-interpreter>=2.4.1",
Expand All @@ -24,7 +24,7 @@ dependencies = [
"urllib3>=2.7.0", # CVE-2026-44431/44432: sensitive header forwarding and decompression bomb fixed in 2.7.0
"openpyxl>=3.1.5",
"authlib>=1.7.1", # CVE-2026-28802: alg:none JWT bypass fixed in 1.6.7; GHSA-jj8c-mmj3-mmgv: CSRF protection bypass fixed in 1.6.11
"cryptography>=46.0.7", # CVE-2026-34073: DNS name constraint bypass fixed in 46.0.6; CVE-2026-39892: buffer overflow fixed in 46.0.7
"cryptography>=48.0.1", # CVE-2026-34073: DNS name constraint bypass fixed in 46.0.6; CVE-2026-39892: buffer overflow fixed in 46.0.7; GHSA-537c-gmf6-5ccf: fixed in 48.0.1
"filelock>=3.20.3",
"pyasn1>=0.6.3", # CVE-2026-30922: DoS via uncontrolled recursion fixed in 0.6.3
"virtualenv>=20.36.1",
Expand All @@ -36,8 +36,8 @@ dependencies = [
"google-generativeai>=0.8.6",
"openai-agents>=0.7.0",
"pillow>=12.2.0", # CVE-2026-40192: FITS decompression bomb fixed in 12.2.0
"pypdf>=6.10.2", # CVE-2026-28804: ASCIIHexDecode DoS fixed in 6.7.5; CVE-2026-33123: array-based stream DoS fixed in 6.9.1; CVE-2026-40260: XMP metadata memory DoS fixed in 6.10.0; GHSA-jj6c-8h6c-hppx/GHSA-4pxv-j86v-mhcw/GHSA-7gw9-cf7v-778f/GHSA-x284-j5p8-9c5p: DoS via crafted PDFs fixed in 6.10.2
"python-multipart>=0.0.27", # CVE-2026-40347: multipart parsing DoS fixed in 0.0.26; CVE-2026-42561: part header parsing DoS fixed in 0.0.27
"pypdf>=6.13.0", # CVE-2026-28804: ASCIIHexDecode DoS fixed in 6.7.5; CVE-2026-33123: array-based stream DoS fixed in 6.9.1; CVE-2026-40260: XMP metadata memory DoS fixed in 6.10.0; GHSA-jj6c-8h6c-hppx/GHSA-4pxv-j86v-mhcw/GHSA-7gw9-cf7v-778f/GHSA-x284-j5p8-9c5p: DoS via crafted PDFs fixed in 6.10.2; CVE-2026-54530/54531: fixed in 6.13.0
"python-multipart>=0.0.31", # CVE-2026-40347: multipart parsing DoS fixed in 0.0.26; CVE-2026-42561: part header parsing DoS fixed in 0.0.27
"matplotlib>=3.10.9",
"kagglehub>=0.4.1,<1.0.1", # 1.0.1 needs kagglesdk.get_web_endpoint; removed in kagglesdk>=0.1.24
]
Expand Down Expand Up @@ -76,7 +76,7 @@ web-search = [
"google-cloud-firestore>=2.21.0",
"fastapi[standard]>=0.116.1",
"google-genai>=1.46.0",
"python-multipart>=0.0.27", # CVE-2026-40347: DoS via crafted multipart preamble/epilogue fixed in 0.0.26; CVE-2026-42561: part header parsing DoS fixed in 0.0.27
"python-multipart>=0.0.31", # CVE-2026-40347: DoS via crafted multipart preamble/epilogue fixed in 0.0.26; CVE-2026-42561: part header parsing DoS fixed in 0.0.27
"simplejson>=3.20.2",
]

Expand All @@ -90,8 +90,10 @@ override-dependencies = [
"mako>=1.3.12", # CVE-2026-44307: path traversal on Windows via backslash fixed in 1.3.12
"mistune>=3.2.1", # CVE-2026-33079/CVE-2026-44897: ReDoS and heading ID XSS fixed in 3.2.1
"notebook>=7.5.6", # CVE-2026-40171: stored XSS allowing auth token theft fixed in 7.5.6
"starlette>=1.0.1", # PYSEC-2026-161/GHSA-86qp-5c8j-p5mr: missing Host header validation bypasses path-based security checks fixed in 1.0.1
"starlette>=1.3.1", # PYSEC-2026-161/GHSA-86qp-5c8j-p5mr: missing Host header validation bypasses path-based security checks fixed in 1.0.1; CVE-2026-54282/54283: fixed in 1.3.0/1.3.1
"urllib3>=2.7.0", # CVE-2026-44431/44432: sensitive header forwarding and decompression issues fixed in 2.7.0; aieng-platform-onboard pins 2.6.3
"bleach>=6.4.0", # GHSA-gj48-438w-jh9v/GHSA-8rfp-98v4-mmr6: fixed in 6.4.0
"tornado>=6.5.7", # GHSA-pw6j-qg29-8w7f: CurlAsyncHTTPClient credential leak fixed in 6.5.7
]

[tool.uv.workspace]
Expand Down
Loading