
Fix all remaining dependency vulnerabilities#31

Merged
treo merged 3 commits into main from fahreza/further-package-updates on Mar 12, 2026
Conversation

@MFA-X-AI (Member)

Ran a full dependency audit and found a bunch of vulnerabilities across both the Python and JS stacks. Decided to clean them all up in one go.

What this PR does:

  • Python side (32 vulns fixed): Bumped the minimum versions for aiohttp (→3.13.3), torch (→2.8.0), and transformers (→4.53.0) in pyproject.toml, then ran uv lock --upgrade to pull in fixed versions of all the transitive deps too — urllib3, filelock, starlette, pillow, protobuf, h11, and a handful of others.
  • pnpm side (25 vulns fixed): Most were resolved with a standard pnpm update: svelte, @sveltejs/kit, storybook, and their transitive deps (minimatch, rollup, devalue, immutable) all came in clean. The last one was dompurify pulled in by mermaid, which needed a small override since mermaid hasn't updated its dependency range yet.

Both pip-audit and pnpm audit are now reporting zero vulnerabilities.
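The PR's "zero vulnerabilities" end state is the kind of check worth turning into a CI gate so the audit does not silently regress after the next lock-file change. The following is an added example, not code from this repository: it parses the JSON that `pip-audit --format json` and `pnpm audit --json` emit, lists any open findings, and returns a pass/fail verdict. The two audit reports embedded here are constructed samples (package versions and the advisory id are placeholders), and the `min_severity` knob is an assumption, not a pnpm option.

```python
"""Gate a CI job on the JSON output of pip-audit and pnpm audit (added example)."""
import json

# Constructed sample in the shape `pip-audit --format json` emits:
# one dependency with an open advisory, one that is clean.
PIP_AUDIT_SAMPLE = json.dumps({
    "dependencies": [
        {"name": "aiohttp", "version": "0.0.0-constructed",
         "vulns": [{"id": "PYSEC-PLACEHOLDER-ID", "fix_versions": ["3.13.3"],
                    "aliases": [], "description": "constructed sample finding"}]},
        {"name": "filelock", "version": "0.0.0-constructed", "vulns": []},
    ],
    "fixes": [],
})

# Constructed sample in the shape `pnpm audit --json` emits; the per-severity
# totals live under metadata.vulnerabilities.
PNPM_AUDIT_SAMPLE = json.dumps({
    "actions": [], "advisories": {}, "muted": [],
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1,
                                     "high": 0, "critical": 0}},
})

SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]


def pip_audit_findings(raw):
    """Return (package, version, advisory id, fix versions) per pip-audit finding."""
    report = json.loads(raw)
    return [(d["name"], d["version"], v["id"], v.get("fix_versions", []))
            for d in report.get("dependencies", []) for v in d.get("vulns", [])]


def pnpm_audit_total(raw, min_severity="low"):
    """Sum pnpm audit counts at or above min_severity (info is noise by default)."""
    counts = json.loads(raw)["metadata"]["vulnerabilities"]
    return sum(counts.get(s, 0) for s in SEVERITY_ORDER[SEVERITY_ORDER.index(min_severity):])


def audit_gate(pip_raw, pnpm_raw, min_severity="low"):
    """Print every open finding and return True only when both stacks are clean."""
    py_findings = pip_audit_findings(pip_raw)
    js_total = pnpm_audit_total(pnpm_raw, min_severity)
    for name, version, advisory, fixes in py_findings:
        print(f"pip-audit: {name} {version} -> {advisory}, fixed in {fixes or 'no release yet'}")
    if js_total:
        print(f"pnpm audit: {js_total} finding(s) at severity >= {min_severity}")
    return not py_findings and js_total == 0


if __name__ == "__main__":
    # Non-zero exit fails the CI step, mirroring the PR's target of zero findings.
    raise SystemExit(0 if audit_gate(PIP_AUDIT_SAMPLE, PNPM_AUDIT_SAMPLE) else 1)
```

In a real pipeline, feed the gate the files written by `pip-audit --format json -o pip.json` and `pnpm audit --json > pnpm.json` instead of the embedded samples.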

@treo treo merged commit f75d830 into main Mar 12, 2026
2 checks passed