fix: bump dep minimums to resolve stale zipp transitive #10

Merged
ryanmcmillan merged 1 commit into main from fix/pin-transitive-deps
Mar 21, 2026

Conversation

@ryanmcmillan
Member

Summary

Snyk still flags zipp@3.15.0 because apscheduler and pydantic resolve to old versions that pull importlib-metadata → zipp<3.19.1.

Bumps:

  • apscheduler>=3.10.0 → >=3.11.0
  • pydantic>=2.0.0 → >=2.5.3

Modern versions of these packages on Python 3.9+ use stdlib importlib.metadata and don't need the zipp transitive at all.

apscheduler 3.10.x and pydantic 2.5.x pull importlib-metadata
which depends on zipp<3.19.1. Bumping minimums so Snyk resolves
versions that use stdlib importlib.metadata instead.
@greptile-apps

greptile-apps bot commented Mar 21, 2026

Greptile Summary

This PR raises the minimum version floors for apscheduler (>=3.10.0 → >=3.11.0) and pydantic (>=2.0.0 → >=2.5.3) in backend/requirements.txt to prevent dependency resolvers from selecting old versions that transitively pull in a vulnerable zipp@3.15.0 via importlib_metadata. Both target versions are confirmed to exist on PyPI, and APScheduler 3.11.0 notably replaced pkg_resources with stdlib importlib.metadata, which is the concrete change that eliminates the importlib_metadata → zipp transitive chain.

  • apscheduler 3.11.0 (released Nov 24, 2024) swapped pkg_resources for stdlib importlib.metadata, removing the backport dependency that chains to zipp.
  • pydantic 2.5.3 (released Dec 22, 2023) is a conservative bump that ensures older 2.0.x–2.4.x versions (which conditionally depend on the importlib_metadata backport for Python < 3.10) cannot be selected.
  • The existing zipp>=3.19.1 explicit pin is kept as a safety net for any other packages that may still pull the backport.
  • No lock file (requirements.lock / pip freeze output) is included alongside the changes, so the exact resolved tree isn't pinned — the bounds prevent vulnerable resolutions but do not guarantee a specific safe set of versions.

Confidence Score: 4/5

  • Safe to merge — minimal-risk version floor bumps that eliminate a known vulnerable transitive dependency.
  • Both bumped versions (apscheduler 3.11.0, pydantic 2.5.3) are confirmed to exist on PyPI and are minor-version increments within the same major release series, making breaking changes unlikely. The APScheduler changelog explicitly confirms that 3.11.0 replaced pkg_resources with stdlib importlib.metadata, validating the PR's rationale. The zipp>=3.19.1 explicit pin is correctly retained. The only uncertainty is the absence of a lock file, meaning the resolver could still theoretically produce a vulnerable tree if another undeclared transitive path to old zipp exists, but the explicit zipp floor pin mitigates this.
  • No files require special attention — the single-file change is straightforward and well-reasoned.

Important Files Changed

Filename Overview
backend/requirements.txt Bumps apscheduler minimum from 3.10.0 to 3.11.0 and pydantic minimum from 2.0.0 to 2.5.3 to prevent the resolver from picking older versions that transitively pull in a vulnerable zipp via importlib_metadata; the zipp>=3.19.1 safety pin is correctly retained.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[requirements.txt] --> B[apscheduler >= 3.11.0]
    A --> C[pydantic >= 2.5.3]
    A --> D[zipp >= 3.19.1\nexplicit pin]

    subgraph OLD["Before (apscheduler 3.10.x / pydantic 2.0.x)"]
        B1[apscheduler 3.10.x] --> E1[pkg_resources / importlib_metadata backport]
        C1[pydantic 2.0.x–2.4.x] --> F1["importlib_metadata backport\n(Python < 3.10)"]
        E1 --> G1["zipp @ 3.15.0 ⚠️ Snyk CVE"]
        F1 --> G1
    end

    subgraph NEW["After (apscheduler 3.11.0 / pydantic 2.5.3)"]
        B2[apscheduler 3.11.0] --> E2["stdlib importlib.metadata\n(no backport needed)"]
        C2[pydantic 2.5.3] --> F2["stdlib importlib.metadata\n(Python 3.9+)"]
        E2 --> G2["No zipp transitive ✅"]
        F2 --> G2
    end

Last reviewed commit: "fix: bump apschedule..."
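The chains the PR description and the Greptile review describe (apscheduler / pydantic → importlib_metadata → zipp), and the check the review says is missing (no lock file, so nothing on the page confirms the exact resolved tree), as an added example that is not part of the PR or the repository: a stdlib-only script that walks the installed distributions' Requires-Dist metadata, lists every path from the declared roots to zipp, and compares the installed zipp against the 3.19.1 floor. The BEFORE/AFTER graphs are constructed to mirror the PR's description, not real package metadata, and meets_floor is a simplified release-segment comparison rather than full PEP 440 handling.

```python
"""Trace which declared requirements transitively pull in a package
(here zipp) and check the installed version against a floor.

Added example; not code from the PR or the repository it targets.
Stdlib only. BEFORE/AFTER are constructed graphs that mirror the chains
the PR and the review describe; they are not real resolver output.
"""
from __future__ import annotations

import importlib.metadata as md
import re
from collections import defaultdict

# A Requires-Dist entry looks like "zipp>=3.1.0; python_version < '3.10'".
# Only the distribution name is kept. Environment markers are deliberately
# ignored so the check is conservative: a backport that is only required on
# older interpreters still counts as a path.
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")


def normalize(name: str) -> str:
    """PEP 503 name normalization, so importlib_metadata == importlib-metadata."""
    return re.sub(r"[-_.]+", "-", name).lower()


def req_name(req: str) -> str | None:
    """Distribution name from a requirement string, or None if unparsable."""
    m = _NAME_RE.match(req)
    return normalize(m.group(1)) if m else None


def live_graph() -> dict[str, set[str]]:
    """Dependency graph of the running environment: dist -> required dists."""
    graph: dict[str, set[str]] = defaultdict(set)
    for dist in md.distributions():
        name = dist.metadata.get("Name") or ""
        if not name:
            continue  # skip broken metadata rather than crash the audit
        for req in dist.requires or []:
            dep = req_name(req)
            if dep:
                graph[normalize(name)].add(dep)
    return dict(graph)


def paths_to(graph: dict[str, set[str]], roots: list[str], target: str) -> list[list[str]]:
    """Every chain root -> ... -> target, depth-first, cycle-safe."""
    target = normalize(target)
    found: list[list[str]] = []

    def walk(node: str, path: list[str]) -> None:
        if node == target:
            found.append(path)
            return
        for dep in sorted(graph.get(node, ())):
            if dep not in path:  # skip cycles such as a -> b -> a
                walk(dep, path + [dep])

    for root in roots:
        walk(normalize(root), [normalize(root)])
    return found


def meets_floor(version: str, floor: str) -> bool:
    """Compare release segments numerically. Assumption: no PEP 440
    pre/post/local handling; use packaging.version for production checks."""
    def key(v: str) -> tuple[int, ...]:
        return tuple(int(p) for p in re.findall(r"\d+", v)[:3])
    return key(version) >= key(floor)


# Constructed graphs mirroring the PR's description of the old and new chains.
BEFORE = {
    "apscheduler": {"importlib-metadata", "tzlocal"},
    "pydantic": {"importlib-metadata", "pydantic-core", "typing-extensions"},
    "importlib-metadata": {"zipp"},
}
AFTER = {
    "apscheduler": {"tzlocal"},
    "pydantic": {"pydantic-core", "typing-extensions"},
}
ROOTS = ["apscheduler", "pydantic"]


def audit_environment(roots: list[str], target: str, floor: str) -> dict:
    """Audit the running interpreter: who pulls `target`, and is it >= floor?"""
    graph = live_graph()
    try:
        installed = md.version(target)
    except md.PackageNotFoundError:
        installed = None  # target absent entirely, which is the ideal outcome here
    return {
        "paths": paths_to(graph, roots, target),
        "installed": installed,
        "meets_floor": installed is not None and meets_floor(installed, floor),
    }


if __name__ == "__main__":
    print("before:", paths_to(BEFORE, ROOTS, "zipp"))
    print("after: ", paths_to(AFTER, ROOTS, "zipp"))
    print("this env:", audit_environment(ROOTS, "zipp", "3.19.1"))
```

Run it inside the backend's virtualenv after installing backend/requirements.txt. An empty path list together with either no zipp at all or an installed zipp at or above 3.19.1 is the evidence the review notes is otherwise missing; a non-empty list names the package that still drags the backport in, which is exactly the case the retained zipp>=3.19.1 pin is meant to cover.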

@ryanmcmillan ryanmcmillan merged commit a231a36 into main Mar 21, 2026
5 checks passed
@ryanmcmillan ryanmcmillan deleted the fix/pin-transitive-deps branch March 21, 2026 04:03