fix: resolve 8 Snyk security findings in backend deps

[ryanmcmillan]

Summary

Bumps backend Python dependencies to resolve all 8 Snyk findings.

Critical/High

• h11 0.14.0 → ≥0.16.0 — HTTP Request Smuggling (CVSS 9.3)
• anyio 3.7.1 → ≥4.4.0 — Race Condition (CVSS 8.3)
• cryptography 42.0.0 → ≥46.0.5 — Insufficient Verification (CVSS 8.2)

Medium

• zipp 3.15.0 → ≥3.19.1 — Infinite Loop (CVSS 6.9)
• scikit-learn unpinned → ≥1.5.0 — Sensitive Data Storage (CVSS 5.3)

Low

• numpy 1.21.3 → ≥1.22.2 — Buffer Overflow, DoS, NULL Pointer Deref (3 findings)

Transitive deps (h11, anyio, zipp, numpy) are pinned explicitly to guarantee minimum safe versions.

[greptile-apps]

Greptile Summary

This PR addresses 8 Snyk security findings in the backend Python dependencies by raising minimum version floors on two direct deps (cryptography, scikit-learn) and explicitly pinning four transitive deps (h11, anyio, zipp, numpy) that were previously left to implicit resolution.

Key points:

• Critical/High fixes are correct: cryptography>=46.0.5 (CVSS 8.2), anyio>=4.4.0 (CVSS 8.3), and h11>=0.16.0 (CVSS 9.3) are the most impactful changes and are applied appropriately.
• anyio is a major version jump (3.x → 4.x): This is necessary for the security fix. The backend code does not directly import anyio, and fastapi>=0.109.0 uses a version of Starlette that is compatible with anyio 4.x, so no runtime breakage is expected.
• >= floors vs. exact pins: Using lower-bound constraints rather than exact pins is appropriate here given the absence of a lock file, as it allows compatible patch/minor upgrades while enforcing a safe minimum.
• httpx remains unpinned: This is the one gap — httpx is a direct dependency actively used in main.py (httpx.Client) but has no minimum version specified. Adding a floor (e.g., >=0.27.0) would make the security posture consistent across all declared dependencies.

Confidence Score: 4/5

• Safe to merge — all 8 Snyk findings are correctly addressed with no breaking changes expected.
• The version bumps are correct and well-justified. The only gap is that httpx remains unpinned, which is a pre-existing omission rather than a regression introduced by this PR. The backend code does not directly use any of the newly pinned transitive deps (anyio, h11, zipp, numpy), so the major version jump on anyio carries no direct API-breakage risk.
• No files require special attention beyond the noted httpx versioning gap.

Important Files Changed

Filename	Overview
backend/requirements.txt	Bumps cryptography and scikit-learn minimum versions, and adds explicit floor constraints for four transitive deps (h11, anyio, zipp, numpy) to resolve 8 Snyk findings; httpx remains unpinned despite being a direct dependency.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    subgraph Direct["Direct Dependencies (requirements.txt)"]
        fastapi["fastapi >=0.109.0"]
        uvicorn["uvicorn[standard] >=0.27.0"]
        httpx["httpx (unpinned)"]
        crypto["cryptography >=46.0.5 ✅"]
        sklearn["scikit-learn >=1.5.0 ✅"]
    end

    subgraph Transitive["Pinned Transitive Deps (newly added floors)"]
        h11["h11 >=0.16.0 ✅\nCVSS 9.3 - HTTP Request Smuggling"]
        anyio["anyio >=4.4.0 ✅\nCVSS 8.3 - Race Condition"]
        zipp["zipp >=3.19.1 ✅\nCVSS 6.9 - Infinite Loop"]
        numpy["numpy >=1.22.2 ✅\nCVSS ~5 - Buffer Overflow / DoS"]
    end

    fastapi -->|via starlette| anyio
    uvicorn -->|transport| h11
    httpx -->|transport| h11
    sklearn -->|numeric| numpy
    fastapi -->|used by| httpx
    uvicorn -->|async runtime| anyio
    zipp -.->|importlib-metadata| fastapi

Loading

_{Last reviewed commit: "fix: bump dependenci..."}

[greptile-apps]

httpx lacks a minimum version constraint

httpx is an active direct dependency (used in main.py via httpx.Client) but has no minimum version pinned. This is inconsistent with the rest of this PR's intent to enforce safe floors on all relevant packages.

While pip's global resolver will enforce h11>=0.16.0 regardless of what httpx requests internally, httpx itself has had security-relevant fixes across its release history. Adding a minimum version ensures reproducibility and avoids accidentally resolving to a very old release in constrained environments.

Consider adding a minimum version, e.g.:

Suggested change

	httpx
	httpx>=0.27.0