fix: bump dependencies to resolve Dependabot security alerts (#2130)

* fix: bump dependencies to resolve Dependabot security alerts Python: - aiohttp: >=3.11.18 → >=3.13.4 (duplicate Host headers, header injection, redirect leak, multipart DoS) - cryptography: >=44.0.3 → >=46.0.7 (buffer overflow with non-contiguous buffers) - pillow: >=11.2.1 → >=12.2.0 (FITS GZIP decompression bomb, HIGH) - langchain-text-splitters: >=0.0.1 → >=1.1.2 (SSRF redirect bypass) - langchain-core: add >=1.2.28 (incomplete f-string validation) - langsmith: add >=0.7.31 (streaming token redaction bypass) - python-multipart: add >=0.0.26 (multipart DoS) - Mako: add >=1.3.11 (path traversal) - pytest: >=8.4.1 → >=9.0.3 (tmpdir handling) - uv: >=0.7.11 → >=0.11.6 (arbitrary file deletion) JavaScript (web/): - vite: ^8.0.3 → ^8.0.5 (fs.deny bypass, WebSocket file read, path traversal, HIGH) - axios: ^1.13.5 → ^1.15.0 (cloud metadata exfiltration) - lodash: ^4.17.23 → ^4.18.0 (code injection via _.template, prototype pollution, HIGH) * fix: update pnpm-lock.yaml for bumped dependencies
2026-06-02 03:55:55 +00:00 · 2026-04-17 11:43:03 +08:00
parent c8915ca964
commit aec2a30445
3 changed files with 1096 additions and 3077 deletions
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -8,7 +8,7 @@ requires-python = ">=3.11,<4.0"
 dependencies = [
    "aiocqhttp>=1.4.4",
    "aiofiles>=24.1.0",
-    "aiohttp>=3.11.18",
+    "aiohttp>=3.13.4",
    "aioshutil>=1.5",
    "aiosqlite>=0.21.0",
    "anthropic>=0.51.0",
@@ -16,7 +16,7 @@ dependencies = [
    "async-lru>=2.0.5",
    "certifi>=2025.4.26",
    "colorlog~=6.6.0",
-    "cryptography>=44.0.3",
+    "cryptography>=46.0.7",
    "dashscope>=1.25.10",
    "dingtalk-stream>=0.24.0",
    "discord-py>=2.5.2",
@@ -27,7 +27,7 @@ dependencies = [
    "nakuru-project-idk>=0.0.2.1",
    "ollama>=0.4.8",
    "openai>1.0.0",
-    "pillow>=11.2.1",
+    "pillow>=12.2.0",
    "psutil>=7.0.0",
    "pycryptodome>=3.22.0",
    "pydantic>2.0",
@@ -50,7 +50,7 @@ dependencies = [
    "pip>=25.1.1",
    "ruff>=0.11.9",
    "pre-commit>=4.2.0",
-    "uv>=0.7.11",
+    "uv>=0.11.6",
    "mypy>=1.16.0",
    "PyPDF2>=3.0.1",
    "python-docx>=1.1.0",
@@ -61,7 +61,11 @@ dependencies = [
    "ebooklib>=0.18",
    "html2text>=2024.2.26",
    "langchain>=0.2.0",
-    "langchain-text-splitters>=0.0.1",
+    "langchain-core>=1.2.28",
    "langsmith>=0.7.31",
    "python-multipart>=0.0.26",
    "Mako>=1.3.11",
    "langchain-text-splitters>=1.1.2",
    "chromadb>=1.0.0,<2.0.0",
    "qdrant-client (>=1.15.1,<2.0.0)",
    "pyseekdb==1.1.0.post3",
@@ -117,7 +121,7 @@ package-data = { "langbot" = ["templates/**", "pkg/provider/modelmgr/requesters/
 [dependency-groups]
 dev = [
    "pre-commit>=4.2.0",
-    "pytest>=8.4.1",
+    "pytest>=9.0.3",
    "pytest-asyncio>=1.0.0",
    "pytest-cov>=7.0.0",
    "ruff>=0.11.9",
--- a/web/package.json
+++ b/web/package.json
@@ -46,14 +46,14 @@
    "@tailwindcss/postcss": "^4.1.5",
    "@tanstack/react-table": "^8.21.3",
    "@vitejs/plugin-react": "^6.0.1",
-    "axios": "^1.13.5",
+    "axios": "^1.15.0",
    "class-variance-authority": "^0.7.1",
    "clsx": "^2.1.1",
    "highlight.js": "^11.11.1",
    "i18next": "^25.1.2",
    "i18next-browser-languagedetector": "^8.1.0",
    "input-otp": "^1.4.2",
-    "lodash": "^4.17.23",
+    "lodash": "^4.18.0",
    "lucide-react": "^0.507.0",
    "postcss": "^8.5.3",
    "qrcode": "^1.5.4",
@@ -76,7 +76,7 @@
    "tailwind-merge": "^3.2.0",
    "tailwindcss": "^4.1.5",
    "uuidjs": "^5.1.0",
-    "vite": "^8.0.3",
+    "vite": "^8.0.5",
    "zod": "^3.24.4"
  },
  "devDependencies": {
--- a/web/pnpm-lock.yaml
+++ b/web/pnpm-lock.yaml