Upgrade Python deps via uv sync --upgrade (werkzeug, filelock for py>=3.10,
and others). Run npm audit fix across JS test fixtures to patch minimatch
and rollup vulnerabilities.
Remaining unfixable:
- filelock <3.20.3 for py<3.10 (patched version requires py>=3.10)
- serialize-javascript in mocha ^10 (fix requires mocha 11 breaking change)
Resolve 12 Dependabot security alerts by constraining vulnerable packages
to Python 3.10+ where patches are available:
Python dependencies:
- filelock: Pin <3.20.3 for Python 3.9, >=3.20.3 for Python 3.10+
(fixes TOCTOU symlink vulnerabilities CVE-2024-XXXXX)
- tensorflow: Only install on Python 3.10+ (brings keras >=3.12.1, pillow >=12.1.1)
(fixes 8 high-severity keras vulnerabilities including arbitrary code execution,
directory traversal, and 1 high-severity pillow out-of-bounds write)
JavaScript dependencies:
- vitest: Update to latest (4.0.18) in test fixture directory
(fixes moderate-severity esbuild SSRF vulnerability GHSA-67mh-4wv8-2f99)
Python 3.9 notes:
- filelock 3.19.1 has known TOCTOU vulnerabilities (medium severity)
- tensorflow/keras/pillow excluded from Python 3.9 test dependencies
- Python 3.9 reached EOL in October 2025, vulnerabilities are expected
All high-severity vulnerabilities are resolved for Python 3.10+.
Python 3.9 users should upgrade to 3.10+ for full security patches.
