Latest Results
chore(deps): Resolve Dependabot security alerts (#6226)
Bump vulnerable dependencies across Python and Rust to resolve 13 of 17
open Dependabot alerts.
- **Python transitive deps** (via `uv lock --upgrade-package`):
cryptography 45.0.6→46.0.5, protobuf 5.29.5→5.29.6, pyasn1 0.6.1→0.6.2,
urllib3 2.5.0→2.6.3, werkzeug 3.1.3→3.1.5, python-multipart
0.0.20→0.0.22, nbconvert 7.16.6→7.17.0
- **Pillow** 11.0.0→12.1.1: removed `mkdocs-material[imaging]` extra
from docs deps to avoid its `pillow<12.0` cap. Image optimization for
docs builds is non-critical; re-add when mkdocs-material supports Pillow
12+.
- **Rust transitive deps** (via `cargo update`): time 0.3.44→0.3.47,
bytes 1.11.0→1.11.1, oneshot 0.1.11→0.1.13
Remaining 4 alerts are blocked: vllm 0.14.1 requires torch 2.9.1 +
numpy≥2.0 (too invasive), jsonwebtoken is held back by
google-cloud-auth's constraints, and diskcache has no patched version.
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Active Branches
#62310%
#6227-13%
#62280%
© 2026 CodSpeed Technology