
Wave 6a.0: dep-sweep — close 33 CVE alerts + absorb 6 Dependabot PRs #104

Merged: mcp-tool-shop merged 1 commit into main from wave-6a.0/dep-sweep on May 24, 2026

Conversation

@mcp-tool-shop

Member

Summary

Foundation-layer mini-wave that bumps 14 packages in uv.lock to close 33 GitHub Security advisories before Wave 6a's per-domain agents dispatch. Ships sequentially (not in parallel with Wave 6a) so the auth-polish agents have a stable dep target — httpx / middleware-adjacent version drift is the canonical risk the wave was carved out to prevent.

  • 33 CVEs closed via patch / minor / one major bump
  • 3 CVEs deferred to v1.4 with explicit upstream-blocker rationale
  • 1 CVE dismissed (no upstream patch)
  • Auth-middleware regression set INTACT (23 passed, 3 skipped)
  • Full pytest suite preserved at baseline (1981 passed, 6 skipped)
  • Drift gate green; ruff + mypy green

Per-CVE table

Tier 1 — High-severity (6 packages, 14 CVEs closed)

| Package | Before | After | CVEs |
|---|---|---|---|
| urllib3 | 2.6.3 | 2.7.0 | CVE-2026-44431, CVE-2026-44432 |
| python-multipart | 0.0.22 | 0.0.29 | CVE-2026-42561, CVE-2026-40347 |
| GitPython | 3.1.46 | 3.1.50 | CVE-2026-42284, CVE-2026-42215, CVE-2026-44243, CVE-2026-44244, plus GHSA-only alert #57 |
| PyJWT | 2.11.0 | 2.13.0 | CVE-2026-32597 (see PyJWT note below) |
| pillow | 12.1.1 | 12.2.0 | CVE-2026-40192, CVE-2026-42311, CVE-2026-42308, CVE-2026-42309, CVE-2026-42310 |
| diffusers | 0.36.0 | 0.37.1 | PARTIAL — 0.38.0 patched version requires safetensors>=0.8.0rc0 (pre-release); see deferred list |

PyJWT note: CVE-2026-32597 affects the [security] extra's JWTManager helper in ui_security.py. That helper is a separate optional layer never reached by the v1.2.0 auth middleware that closed GHSA-f65r-h4g3-3h9h (ui_app/auth.py uses stdlib hmac, not jwt). The bump still ships because operators who import JWTManager directly are on the user-facing path.

Tier 2 — Medium / Low (8 packages, 19 CVEs closed)

| Package | Before | After | CVEs |
|---|---|---|---|
| aiohttp | 3.13.3 | 3.13.5 | CVE-2026-22815, -34513..-34520, -34525 (10 total) |
| cryptography | 46.0.5 | 48.0.0 | CVE-2026-34073, CVE-2026-39892 |
| Pygments | 2.19.2 | 2.20.0 | CVE-2026-4539 |
| idna | 3.11 | 3.16 | CVE-2026-45409 |
| pip | 26.0.1 | 26.1.1 | CVE-2026-3219, CVE-2026-6357 |
| pytest | 9.0.2 | 9.0.3 | CVE-2025-71176 |
| python-dotenv | 1.2.1 | 1.2.2 | CVE-2026-28684 |
| requests | 2.32.5 | 2.34.2 | CVE-2026-25645 |

Deferred to v1.4 (upstream blockers — 3 CVEs)

| Package | Held at | Target | Reason |
|---|---|---|---|
| diffusers | 0.37.1 | 0.38.0 | Patched 0.38.0 depends on safetensors>=0.8.0rc0 (pre-release). Mitigation: transitive via unsloth, not imported by `backpropagate/**/*.py` — no reachable codepath into vulnerable image-decode functions. Will close when safetensors 0.8.0 GA lands or unsloth loosens its safetensors floor. Affects CVE-2026-44513, CVE-2026-45804. |
| transformers | 4.57.6 | 5.0.0rc3 | Patched version is a pre-release; declining to enable pre-releases for a security bump. transformers IS a direct dependency, so the codepath argument does not apply — held only on the major-version compat work that 5.0 would require across trainer.py + datasets.py. Affects CVE-2026-1839. |

Dismissed (1 CVE — no upstream patch)

| Package | Version | CVE | Reason |
|---|---|---|---|
| diskcache | 5.6.3 | CVE-2025-69872 | Advisory has no first_patched_version; no newer release exists on PyPI. Transitive via llama-cpp-python (only pulled in by [export] extra) and not imported by `backpropagate/**/*.py`. Will close automatically when upstream ships a fix. |

Dependabot PR triage

All 6 open dependabot/uv/* PRs are Option A — absorb. Sweep's uv lock --upgrade-package covers each one against a single, freshly-resolved baseline; merging them individually would have produced 6 round-trips of lockfile churn. Each will be closed-with-comment naming this PR after it merges.

| PR | Package | Verdict |
|---|---|---|
| #97 | idna 3.11 → 3.15 | absorbed (this PR bumps to 3.16) |
| #98 | pip 26.0.1 → 26.1 | absorbed (this PR bumps to 26.1.1) |
| #99 | urllib3 2.6.3 → 2.7.0 | absorbed |
| #100 | diffusers 0.36.0 → 0.38.0 | absorbed-partial (this PR bumps to 0.37.1; see deferred list for the 0.38.0 blocker) |
| #101 | python-multipart 0.0.22 → 0.0.27 | absorbed (this PR bumps to 0.0.29) |
| #102 | gitpython 3.1.46 → 3.1.50 | absorbed |

Out-of-scope Dependabot PRs (left for Wave 6a per-domain agents): #96 (actions group), #75 (docker python), #76-78 (site/* npm).

Verify chain

ruff check .                                            PASS
python -m mypy backpropagate/                           Success: no issues found in 40 source files
python -m pytest tests/test_auth_middleware.py -q       23 passed, 3 skipped (INTACT — load-bearing pin)
python -m pytest -q                                     1981 passed, 6 skipped (baseline preserved)
python scripts/check_doc_drift.py                       Drift check passed: 0 items.

Notes for the coordinator

  • Domain ownership respected: only uv.lock + CHANGELOG.md touched.
  • CRLF doctrine respected: git ls-files --eol shows index keeps lf for both files; working-copy CRLF is the expected Windows checkout behaviour.
  • The drift script (scripts/check_doc_drift.py) fired and passed — no env-var / CLI-flag / handbook drift introduced by the bumps.
  • The 2 GHAS secret-scanning features that still require a one-time click at https://github.com/mcp-tool-shop-org/backpropagate/settings/security_analysis (push-protection + secret-scanning-validity-checks) are separate from this PR but worth surfacing for visibility — neither is in my domain to enable via gh api.

Test plan

  • Tier 1 bumps applied via uv lock --upgrade-package <pkg>
  • Tier 1: auth middleware regression set verified 23/3
  • Tier 1: full pytest suite verified 1981/6
  • Tier 2 bumps applied
  • Tier 2: auth middleware regression set verified 23/3
  • Tier 2: full pytest suite verified 1981/6
  • ruff + mypy + drift-check green
  • CHANGELOG Security entry added (operator-facing; closed / deferred / dismissed)
  • Coordinator: merge → main; Wave 6a per-domain agents dispatch against fresh dep baseline

🤖 Generated with Claude Code

Bumps 14 packages in uv.lock to close 33 GitHub Security advisories. Auth
middleware regression set (23 passed, 3 skipped) intact; full pytest suite
(1981 passed, 6 skipped) preserved across both tiers.

Tier 1 — 6 high-severity bumps:
  urllib3            2.6.3   -> 2.7.0     (CVE-2026-44431, -44432)
  python-multipart   0.0.22  -> 0.0.29    (CVE-2026-42561, -40347)
  GitPython          3.1.46  -> 3.1.50    (CVE-2026-42284, -42215, -44243, -44244, GHSA-only #57)
  PyJWT              2.11.0  -> 2.13.0    (CVE-2026-32597)
  pillow             12.1.1  -> 12.2.0    (CVE-2026-40192, -42311, -42308, -42309, -42310)
  diffusers          0.36.0  -> 0.37.1    (PARTIAL — 0.38.0 blocked by safetensors pre-release)

Tier 2 — 8 medium/low-severity bumps:
  aiohttp            3.13.3  -> 3.13.5    (10 CVEs)
  cryptography       46.0.5  -> 48.0.0    (CVE-2026-34073, -39892)
  Pygments           2.19.2  -> 2.20.0    (CVE-2026-4539)
  idna               3.11    -> 3.16      (CVE-2026-45409)
  pip                26.0.1  -> 26.1.1    (CVE-2026-3219, -6357)
  pytest             9.0.2   -> 9.0.3     (CVE-2025-71176)
  python-dotenv      1.2.1   -> 1.2.2     (CVE-2026-28684)
  requests           2.32.5  -> 2.34.2    (CVE-2026-25645)

Deferred to v1.4 (upstream blockers):
  diffusers          0.37.1 -> 0.38.0     (safetensors>=0.8.0rc0 pre-release; transitive only, not imported)
  transformers       4.57.6 -> 5.0.0rc3   (pre-release; major-bump compat work out of scope)

Dismissed (no upstream patch):
  diskcache 5.6.3                          (CVE-2025-69872 has no first_patched_version; transitive via llama-cpp-python)

Dependabot PR triage:
  Closes-as-absorbed: #97 idna, #98 pip, #99 urllib3, #100 diffusers, #101 python-multipart, #102 gitpython

Verify chain:
  ruff check .                                            PASS
  python -m mypy backpropagate/                           PASS (40 files)
  python -m pytest tests/test_auth_middleware.py -q       23 passed, 3 skipped (INTACT)
  python -m pytest -q                                     1981 passed, 6 skipped (BASELINE PRESERVED)
  python scripts/check_doc_drift.py                       PASS (0 items)

Per v1.3 dep-sweep brief; uv-only scope (npm site/* and docker python
bumps remain for Wave 6a per-domain agents).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>