From 700e3c00b9c1e8fef9095c8c7aedbc04726ef4a6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 17 Apr 2026 14:35:43 +0000 Subject: [PATCH 1/2] Bump actions/setup-python from 5 to 6 Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5 to 6. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/setup-python dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/code_checks.yml | 2 +- .github/workflows/docs.yml | 2 +- .github/workflows/unit_tests.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/code_checks.yml b/.github/workflows/code_checks.yml
index 4f00a541..a7996431 100644
--- a/.github/workflows/code_checks.yml
+++ b/.github/workflows/code_checks.yml
@@ -39,7 +39,7 @@ jobs:
 enable-cache: true
 - name: "Set up Python"
- uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
 with:
 python-version-file: ".python-version"
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 86253150..8ddd6697 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -51,7 +51,7 @@ jobs:
 enable-cache: true
 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@v6
 with:
 python-version-file: ".python-version"
diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml
index 6d26c54e..d3b4ddbd 100644
--- a/.github/workflows/unit_tests.yml
+++ b/.github/workflows/unit_tests.yml
@@ -47,7 +47,7 @@ jobs:
 enable-cache: true
 - name: "Set up Python"
- uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
 with:
 python-version-file: ".python-version"
From fa5e6f74a2bc46e449f17f2819b02d58e7f8ea04 Mon Sep 17 00:00:00 2001 From: "aieng-bot[bot]" Date: Fri, 17 Apr 2026 16:27:08 +0000 Subject: [PATCH 2/2] chore: bump vulnerable packages to fix pip-audit security findings - aiohttp 3.13.3 -> 3.13.5 (GHSA-p998-jp59-783m, GHSA-hcc4-c3v8-rx92, and others) - authlib 1.6.9 -> 1.6.11 (GHSA-jj8c-mmj3-mmgv) - cryptography 46.0.5 -> 46.0.7 (GHSA-m959-cc7f-wv43, GHSA-p423-j2cm-9vmq) - pillow 12.1.1 -> 12.2.0 (GHSA-whj4-6x5x-4v2j) - pyasn1 0.6.2 -> 0.6.3 (GHSA-jr27-m4p2-rc6r) - pygments 2.19.2 -> 2.20.0 (GHSA-5239-wwwm-4pmq) - pytest 8.4.2 -> 9.0.3 (GHSA-6w46-j5rx-g56g) - python-multipart 0.0.22 -> 0.0.26 (GHSA-mj87-hwqh-73pj) - requests 2.32.5 -> 2.33.1 (GHSA-gc5v-m9x4-r6x2) - transformers 4.57.1 -> 5.5.4 (GHSA-69w3-r845-3855) Co-authored-by: aieng-bot --- aieng-agents/pyproject.toml | 6 +++--- pyproject.toml | 20 ++++++++++---------- uv.lock | 6 +++--- 3 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/aieng-agents/pyproject.toml b/aieng-agents/pyproject.toml
index 96ae612e..fd7d1450 100644
--- a/aieng-agents/pyproject.toml
+++ b/aieng-agents/pyproject.toml
@@ -23,12 +23,12 @@ dependencies = [
 "openai>=2.6.0",
 "openai-agents>=0.4.0",
 "pandas>=2.3.3",
- "pillow>=12.2.0",
+ "pillow>=12.2.0", # Pinning version to address vulnerability GHSA-whj4-6x5x-4v2j
 "pydantic>=2.11.7",
 "pydantic-ai-slim[logfire]>=0.3.7",
 "pymupdf>=1.26.7",
 "simplejson>=3.20.2",
- "transformers>=5.0.0",
+ "transformers>=5.0.0", # Pinning version to address vulnerability GHSA-69w3-r845-3855
 "weaviate-client>=4.15.4",
 ]
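Review bot: The comments added to `pillow>=12.2.0` and `transformers>=5.0.0` describe these entries as pins, but `>=` only sets a lower bound; the version actually installed is presumably whatever uv.lock resolves, so the wording overstates what the line guarantees. For transformers the floor stays at 5.0.0 while the commit message names 5.5.4 as the target, so whether every release from 5.0.0 upward carries the fix for GHSA-69w3-r845-3855 is not visible here and should be confirmed, or the floor raised to the first fixed release. A more accurate comment would be `# lower bound for GHSA-whj4-6x5x-4v2j`. The same "Pinning version" comment is added to `pytest>=9.0.3` in the next hunk of this file and in the root pyproject.toml; the `dependencies` array opens above this hunk.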
@@ -44,7 +44,7 @@ include = ["aieng/"]
 [dependency-groups]
 dev = [
- "pytest>=9.0.3",
+ "pytest>=9.0.3", # Pinning version to address vulnerability GHSA-6w46-j5rx-g56g
 "pytest-asyncio>=1.2.0",
 ]
diff --git a/pyproject.toml b/pyproject.toml
index c73ebd6f..543aedee 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -32,16 +32,16 @@ dev = [
 "nbqa>=1.9.1",
 "pip-audit>=2.7.3",
 "pre-commit>=4.1.0",
- "pytest>=9.0.3",
+ "pytest>=9.0.3", # Pinning version to address vulnerability GHSA-6w46-j5rx-g56g
 "pytest-asyncio>=1.2.0",
- "pytest-cov>=7.1.0",
+ "pytest-cov>=7.0.0",
 "pytest-mock>=3.14.0",
 "ruff>=0.12.2",
 ]
 docs = [
 "jinja2>=3.1.6", # Pinning version to address vulnerability GHSA-cpwx-vrp4-4pq7
 "mkdocs>=1.6.0",
- "mkdocs-material>=9.7.6",
+ "mkdocs-material>=9.6.15",
 "mkdocstrings>=0.24.1",
 "mkdocstrings-python>=1.16.12",
 "ipykernel>=6.29.5",
@@ -52,13 +52,13 @@ docs = [
 [tool.uv]
 default-groups = ["dev", "docs"]
 constraint-dependencies = [
- "aiohttp>=3.13.4", # GHSA-p998-jp59-783m, GHSA-hcc4-c3v8-rx92, GHSA-m5qp-6w8w-w647, GHSA-3wq7-rqq7-wx6j, GHSA-mwh4-6h8g-pg8w, GHSA-966j-vmvw-g2g9, GHSA-63hf-3vf5-4wqf, GHSA-c427-h43c-vf67, GHSA-w2fm-2cpv-w7v5, GHSA-2vrm-gr82-f7m5
- "authlib>=1.6.11", # GHSA-jj8c-mmj3-mmgv
- "cryptography>=46.0.7", # GHSA-m959-cc7f-wv43, GHSA-p423-j2cm-9vmq
- "pyasn1>=0.6.3", # GHSA-jr27-m4p2-rc6r
- "pygments>=2.20.0", # GHSA-5239-wwwm-4pmq
- "python-multipart>=0.0.26", # GHSA-mj87-hwqh-73pj
- "requests>=2.33.0", # GHSA-gc5v-m9x4-r6x2
+ "aiohttp>=3.13.4", # GHSA-p998-jp59-783m, GHSA-hcc4-c3v8-rx92, and others
+ "authlib>=1.6.11", # GHSA-jj8c-mmj3-mmgv
+ "cryptography>=46.0.7", # GHSA-m959-cc7f-wv43, GHSA-p423-j2cm-9vmq
+ "pyasn1>=0.6.3", # GHSA-jr27-m4p2-rc6r
+ "pygments>=2.20.0", # GHSA-5239-wwwm-4pmq
+ "python-multipart>=0.0.26", # GHSA-mj87-hwqh-73pj
+ "requests>=2.33.0", # GHSA-gc5v-m9x4-r6x2
 ]
 [tool.uv.workspace]
diff --git a/uv.lock b/uv.lock
index 2e53003e..d5630ad5 100644
--- a/uv.lock
+++ b/uv.lock
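Review bot: Two floors are lowered in the root pyproject.toml `@@ -32,16` hunk, `pytest-cov>=7.1.0` to `>=7.0.0` and `mkdocs-material>=9.7.6` to `>=9.6.15`, and neither change is mentioned in the commit message, which describes only upward bumps for pip-audit findings. In the visible hunks these two relaxations are the only specifier changes; every package named in the message already sits at its new floor on the removed side. If the relaxation is deliberate, the reason should be recorded in the message or in a comment next to each entry; otherwise the previous floors should be kept so a security commit does not widen the set of allowed versions unnoticed. The `dev` array opens above the hunk and `docs` continues below it.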
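Review bot: The rewritten comment on `"aiohttp>=3.13.4"` in `constraint-dependencies` replaces eight of the ten advisory IDs with "and others", so the file no longer records which findings the constraint covers and a later audit cannot tell whether the floor may be dropped or must be raised. Keeping the full list is preferable; if line length is the concern, the IDs can go on `#` comment lines directly above the entry. Separately, the floors `aiohttp>=3.13.4` and `requests>=2.33.0` are below the 3.13.5 and 2.33.1 named in the commit message; presumably these are the first fixed releases, which is worth confirming against the advisories.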
@@ -85,7 +85,7 @@ dev = [ { name = "pre-commit", specifier = ">=4.1.0" }, { name = "pytest", specifier = ">=9.0.3" }, { name = "pytest-asyncio", specifier = ">=1.2.0" }, - { name = "pytest-cov", specifier = ">=7.1.0" }, + { name = "pytest-cov", specifier = ">=7.0.0" }, { name = "pytest-mock", specifier = ">=3.14.0" }, { name = "ruff", specifier = ">=0.12.2" }, ] @@ -94,7 +94,7 @@ docs = [ { name = "ipython", specifier = ">=9.4.0" }, { name = "jinja2", specifier = ">=3.1.6" }, { name = "mkdocs", specifier = ">=1.6.0" }, - { name = "mkdocs-material", specifier = ">=9.7.6" }, + { name = "mkdocs-material", specifier = ">=9.6.15" }, { name = "mkdocstrings", specifier = ">=0.24.1" }, { name = "mkdocstrings-python", specifier = ">=1.16.12" }, ] @@ -3494,7 +3494,7 @@ name = "pexpect" version = "4.9.0" source = { registry = "https://pypi.org/simple" } dependencies = [ - { name = "ptyprocess" }, + { name = "ptyprocess", marker = "(python_full_version < '3.14' and sys_platform == 'emscripten') or (python_full_version < '3.14' and sys_platform == 'win32') or (sys_platform != 'emscripten' and sys_platform != 'win32')" }, ] sdist = { url = "https://files.pythonhosted.org/packages/42/92/cc564bf6381ff43ce1f4d06852fc19a2f11d180f23dc32d9588bee2f149d/pexpect-4.9.0.tar.gz", hash = "sha256:ee7d41123f3c9911050ea2c2dac107568dc43b2d3b0c7557a33212c398ead30f", size = 166450, upload-time = "2023-11-25T09:07:26.339Z" } wheels = [