From a37a691a7165c633933b72dcc906718eeb9a5b88 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 17 Apr 2026 14:36:20 +0000
Subject: [PATCH 1/5] Bump ruff from 0.14.3 to 0.15.11

Bumps [ruff](https://github.com/astral-sh/ruff) from 0.14.3 to 0.15.11.
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](https://github.com/astral-sh/ruff/compare/0.14.3...0.15.11)

---
updated-dependencies:
- dependency-name: ruff
  dependency-version: 0.15.11
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 pyproject.toml | 2 +-
 uv.lock        | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 2510232f..59cafd5c 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -36,7 +36,7 @@ dev = [
     "pytest-asyncio>=1.2.0",
     "pytest-cov>=7.0.0",
     "pytest-mock>=3.14.0",
-    "ruff>=0.12.2",
+    "ruff>=0.15.11",
 ]
 docs = [
     "jinja2>=3.1.6", # Pinning version to address vulnerability GHSA-cpwx-vrp4-4pq7
diff --git a/uv.lock b/uv.lock
index e65fd84e..9c46352e 100644
--- a/uv.lock
+++ b/uv.lock
@@ -87,7 +87,7 @@ dev = [
     { name = "pytest-asyncio", specifier = ">=1.2.0" },
     { name = "pytest-cov", specifier = ">=7.0.0" },
     { name = "pytest-mock", specifier = ">=3.14.0" },
-    { name = "ruff", specifier = ">=0.12.2" },
+    { name = "ruff", specifier = ">=0.15.11" },
 ]
 docs = [
     { name = "ipykernel", specifier = ">=6.29.5" },

From 810e3543319d8d7658be87aa3ad6e6a85cab5cb9 Mon Sep 17 00:00:00 2001
From: "aieng-bot[bot]" <aieng-bot@vectorinstitute.ai>
Date: Fri, 17 Apr 2026 16:28:17 +0000
Subject: [PATCH 2/5] chore: bump vulnerable dependencies to patched versions

Fix pip-audit security failures by updating direct and transitive dependencies:
- pillow: 12.1.1 -> 12.2.0 (GHSA-whj4-6x5x-4v2j)
- transformers: 4.54.1+ -> 5.0.0+ (GHSA-69w3-r845-3855; stable 5.5.4 resolved)
- pytest: 8.3.4+ -> 9.0.3+ (GHSA-6w46-j5rx-g56g)
- aiohttp: pin >= 3.13.4 (GHSA-p998-jp59-783m et al.)
- authlib: pin >= 1.6.11 (GHSA-jj8c-mmj3-mmgv)
- cryptography: pin >= 46.0.7 (GHSA-m959-cc7f-wv43, GHSA-p423-j2cm-9vmq)
- pyasn1: pin >= 0.6.3 (GHSA-jr27-m4p2-rc6r)
- python-multipart: pin >= 0.0.26 (GHSA-mj87-hwqh-73pj)
- requests: pin >= 2.33.0 (GHSA-gc5v-m9x4-r6x2)
- pygments: pin >= 2.20.0 (GHSA-5239-wwwm-4pmq)

Co-authored-by: aieng-bot <aieng-bot@vectorinstitute.ai>
---
 aieng-agents/pyproject.toml | 7 +++++++
 pyproject.toml              | 1 +
 uv.lock                     | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/aieng-agents/pyproject.toml b/aieng-agents/pyproject.toml
index 1403e4bb..b6e975fc 100644
--- a/aieng-agents/pyproject.toml
+++ b/aieng-agents/pyproject.toml
@@ -35,6 +35,13 @@ dependencies = [
     "simplejson>=3.20.2",
     "transformers>=5.1.0",  # Pinning version to address vulnerability GHSA-69w3-r845-3855
     "weaviate-client>=4.15.4",
+    # Security: pin transitive deps to patched versions
+    "aiohttp>=3.13.4", # GHSA-p998-jp59-783m et al.
+    "authlib>=1.6.11", # GHSA-jj8c-mmj3-mmgv
+    "cryptography>=46.0.7", # GHSA-m959-cc7f-wv43, GHSA-p423-j2cm-9vmq
+    "pyasn1>=0.6.3", # GHSA-jr27-m4p2-rc6r
+    "python-multipart>=0.0.26", # GHSA-mj87-hwqh-73pj
+    "requests>=2.33.0", # GHSA-gc5v-m9x4-r6x2
 ]
 
 [build-system]
diff --git a/pyproject.toml b/pyproject.toml
index 59cafd5c..0078efa2 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -40,6 +40,7 @@ dev = [
 ]
 docs = [
     "jinja2>=3.1.6", # Pinning version to address vulnerability GHSA-cpwx-vrp4-4pq7
+    "pygments>=2.20.0", # GHSA-5239-wwwm-4pmq
     "mkdocs>=1.6.0",
     "mkdocs-material>=9.6.15",
     "mkdocstrings>=0.24.1",
diff --git a/uv.lock b/uv.lock
index 9c46352e..9a9a2dd9 100644
--- a/uv.lock
+++ b/uv.lock
@@ -61,6 +61,7 @@ docs = [
     { name = "mkdocs-material" },
     { name = "mkdocstrings" },
     { name = "mkdocstrings-python" },
+    { name = "pygments" },
 ]
 
 [package.metadata]
@@ -97,6 +98,7 @@ docs = [
     { name = "mkdocs-material", specifier = ">=9.6.15" },
     { name = "mkdocstrings", specifier = ">=0.24.1" },
     { name = "mkdocstrings-python", specifier = ">=2.0.3" },
+    { name = "pygments", specifier = ">=2.20.0" },
 ]
 
 [[package]]
@@ -124,6 +126,7 @@ dependencies = [
     { name = "openai-agents" },
     { name = "pandas" },
     { name = "pillow" },
+    { name = "pyasn1" },
     { name = "pydantic" },
     { name = "pydantic-ai-slim", extra = ["logfire"] },
     { name = "pymupdf" },
@@ -162,6 +165,7 @@ requires-dist = [
     { name = "openai-agents", specifier = ">=0.4.0" },
     { name = "pandas", specifier = ">=2.3.3" },
     { name = "pillow", specifier = ">=12.2.0" },
+    { name = "pyasn1", specifier = ">=0.6.3" },
     { name = "pydantic", specifier = ">=2.11.7" },
     { name = "pydantic-ai-slim", extras = ["logfire"], specifier = ">=0.3.7" },
     { name = "pymupdf", specifier = ">=1.26.7" },

From 39964d01693d939551e733267dac782f798e00cc Mon Sep 17 00:00:00 2001
From: "aieng-bot[bot]" <aieng-bot@vectorinstitute.ai>
Date: Fri, 17 Apr 2026 17:04:10 +0000
Subject: [PATCH 3/5] ci: trigger code checks for security dependency updates

Co-authored-by: aieng-bot <aieng-bot@vectorinstitute.ai>
---
 pyproject.toml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pyproject.toml b/pyproject.toml
index 0078efa2..f780b991 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -138,3 +138,4 @@ markers = [
     [tool.coverage.run]
     source=["aieng-agents/aieng"]
     omit=["aieng-agents/aieng/tests/*", "tests/*", "*__init__.py"]
+

From 132d0dd9031fed035300deebba0b884b54a06c93 Mon Sep 17 00:00:00 2001
From: "aieng-bot[bot]" <aieng-bot@vectorinstitute.ai>
Date: Fri, 17 Apr 2026 17:18:35 +0000
Subject: [PATCH 4/5] fix: remove trailing blank line from pyproject.toml

Co-authored-by: aieng-bot <aieng-bot@vectorinstitute.ai>
---
 pyproject.toml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index f780b991..0078efa2 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -138,4 +138,3 @@ markers = [
     [tool.coverage.run]
     source=["aieng-agents/aieng"]
     omit=["aieng-agents/aieng/tests/*", "tests/*", "*__init__.py"]
-

From 3ac809828790570b7446734e63c4403492eed758 Mon Sep 17 00:00:00 2001
From: "aieng-bot[bot]" <aieng-bot@vectorinstitute.ai>
Date: Fri, 17 Apr 2026 17:20:52 +0000
Subject: [PATCH 5/5] fix: resolve duplicate security pins in aieng-agents
 dependencies

Remove duplicate transitive dependency entries introduced during
rebase conflict resolution. Add pyasn1>=0.6.3 explicitly to address
GHSA-jr27-m4p2-rc6r.

Co-authored-by: aieng-bot <aieng-bot@vectorinstitute.ai>
---
 aieng-agents/pyproject.toml | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/aieng-agents/pyproject.toml b/aieng-agents/pyproject.toml
index b6e975fc..ba7c4ca4 100644
--- a/aieng-agents/pyproject.toml
+++ b/aieng-agents/pyproject.toml
@@ -30,18 +30,12 @@ dependencies = [
     "pydantic>=2.11.7",
     "pydantic-ai-slim[logfire]>=0.3.7",
     "pymupdf>=1.26.7",
+    "pyasn1>=0.6.3", # Pinning version to address vulnerability GHSA-jr27-m4p2-rc6r
     "python-multipart>=0.0.26", # Pinning version to address vulnerability GHSA-mj87-hwqh-73pj
     "requests>=2.33.0", # Pinning version to address vulnerability GHSA-gc5v-m9x4-r6x2
     "simplejson>=3.20.2",
     "transformers>=5.1.0",  # Pinning version to address vulnerability GHSA-69w3-r845-3855
     "weaviate-client>=4.15.4",
-    # Security: pin transitive deps to patched versions
-    "aiohttp>=3.13.4", # GHSA-p998-jp59-783m et al.
-    "authlib>=1.6.11", # GHSA-jj8c-mmj3-mmgv
-    "cryptography>=46.0.7", # GHSA-m959-cc7f-wv43, GHSA-p423-j2cm-9vmq
-    "pyasn1>=0.6.3", # GHSA-jr27-m4p2-rc6r
-    "python-multipart>=0.0.26", # GHSA-mj87-hwqh-73pj
-    "requests>=2.33.0", # GHSA-gc5v-m9x4-r6x2
 ]
 
 [build-system]