chore(security): Bump pygments and update npm security dependencies across projects#398

Open: a-klos wants to merge 12 commits into main from consolidate-remaining-security-prs

a-klos commented Jun 3, 2026

This pull request primarily updates dependencies across several Python and JavaScript project files to ensure compatibility and incorporate the latest features and fixes. The most significant changes are version bumps for core dependencies, including pytest, python-multipart, and several library-specific packages.

Dependency updates (Python):

  • Updated pytest to version ^9.0.3 in multiple pyproject.toml files to standardize testing across all Python projects.
  • Updated python-multipart to version ^0.0.30 in several libraries and services for improved multipart form handling.
  • Updated langgraph-checkpoint to allow versions up to but not including 4.2.0 in rag-core-lib.
  • Updated fastmcp to version ^3.2.0 in mcp-server for new features and bug fixes.

Dependency updates (JavaScript):

  • Updated undici to version ^6.25.0 in package.json for HTTP client improvements.

dependabot Bot and others added 12 commits March 30, 2026 19:20
Bumps [pygments](https://github.com/pygments/pygments) from 2.19.2 to 2.20.0.
- [Release notes](https://github.com/pygments/pygments/releases)
- [Changelog](https://github.com/pygments/pygments/blob/master/CHANGES)
- [Commits](pygments/pygments@2.19.2...2.20.0)

---
updated-dependencies:
- dependency-name: pygments
  dependency-version: 2.20.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [pygments](https://github.com/pygments/pygments) from 2.19.2 to 2.20.0.
- [Release notes](https://github.com/pygments/pygments/releases)
- [Changelog](https://github.com/pygments/pygments/blob/master/CHANGES)
- [Commits](pygments/pygments@2.19.2...2.20.0)

---
updated-dependencies:
- dependency-name: pygments
  dependency-version: 2.20.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [pygments](https://github.com/pygments/pygments) from 2.19.2 to 2.20.0.
- [Release notes](https://github.com/pygments/pygments/releases)
- [Changelog](https://github.com/pygments/pygments/blob/master/CHANGES)
- [Commits](pygments/pygments@2.19.2...2.20.0)

---
updated-dependencies:
- dependency-name: pygments
  dependency-version: 2.20.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [pygments](https://github.com/pygments/pygments) from 2.19.2 to 2.20.0.
- [Release notes](https://github.com/pygments/pygments/releases)
- [Changelog](https://github.com/pygments/pygments/blob/master/CHANGES)
- [Commits](pygments/pygments@2.19.2...2.20.0)

---
updated-dependencies:
- dependency-name: pygments
  dependency-version: 2.20.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the npm-security group with 10 updates in the /services/frontend directory:

| Package | From | To |
| --- | --- | --- |
| [axios](https://github.com/axios/axios) | `1.13.5` | `1.16.1` |
| [postcss](https://github.com/postcss/postcss) | `8.5.6` | `8.5.15` |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `7.3.1` | `7.3.3` |
| [@babel/plugin-transform-modules-systemjs](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs) | `7.27.1` | `7.29.4` |
| [minimatch](https://github.com/isaacs/minimatch) | `3.1.2` | `10.0.3` |
| [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` | `4.0.4` |
| [fast-uri](https://github.com/fastify/fast-uri) | `3.1.0` | `3.1.2` |
| [flatted](https://github.com/WebReflection/flatted) | `3.3.3` | `3.4.2` |
| [js-cookie](https://github.com/js-cookie/js-cookie) | `3.0.5` | `3.0.7` |
| [rollup](https://github.com/rollup/rollup) | `4.52.2` | `4.60.4` |

Bumps the npm-security group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [minimatch](https://github.com/isaacs/minimatch) | `10.1.2` | `removed` |
| [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` | `4.0.4` |
| [lodash](https://github.com/lodash/lodash) | `4.17.23` | `4.18.1` |
| [handlebars](https://github.com/handlebars-lang/handlebars.js) | `4.7.8` | `4.7.9` |
| [undici](https://github.com/nodejs/undici) | `6.23.0` | `6.25.0` |



Updates `axios` from 1.13.5 to 1.16.1
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.13.5...v1.16.1)

Updates `postcss` from 8.5.6 to 8.5.15
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.6...8.5.15)

Updates `vite` from 7.3.1 to 7.3.3
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v7.3.3/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v7.3.3/packages/vite)

Updates `@babel/plugin-transform-modules-systemjs` from 7.27.1 to 7.29.4
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.29.4/packages/babel-plugin-transform-modules-systemjs)

Updates `minimatch` from 3.1.2 to 10.0.3
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v3.1.2...v10.0.3)

Updates `picomatch` from 2.3.1 to 4.0.4
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...4.0.4)

Updates `fast-uri` from 3.1.0 to 3.1.2
- [Release notes](https://github.com/fastify/fast-uri/releases)
- [Commits](fastify/fast-uri@v3.1.0...v3.1.2)

Updates `flatted` from 3.3.3 to 3.4.2
- [Commits](WebReflection/flatted@v3.3.3...v3.4.2)

Updates `follow-redirects` from 1.15.11 to 1.16.0
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.15.11...v1.16.0)

Updates `js-cookie` from 3.0.5 to 3.0.7
- [Release notes](https://github.com/js-cookie/js-cookie/releases)
- [Commits](js-cookie/js-cookie@v3.0.5...v3.0.7)

Updates `rollup` from 4.52.2 to 4.60.4
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.52.2...v4.60.4)

Removes `minimatch`

Updates `picomatch` from 2.3.1 to 4.0.4
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...4.0.4)

Updates `lodash` from 4.17.23 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.23...4.18.1)

Updates `handlebars` from 4.7.8 to 4.7.9
- [Release notes](https://github.com/handlebars-lang/handlebars.js/releases)
- [Changelog](https://github.com/handlebars-lang/handlebars.js/blob/v4.7.9/release-notes.md)
- [Commits](handlebars-lang/handlebars.js@v4.7.8...v4.7.9)

Updates `ip-address` from 10.1.0 to 10.2.0
- [Commits](https://github.com/beaugunderson/ip-address/commits)

Updates `tar` from 7.5.7 to 7.5.15
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.7...v7.5.15)

Updates `undici` from 6.23.0 to 6.25.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v6.23.0...v6.25.0)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.16.1
  dependency-type: direct:development
  dependency-group: npm-security
- dependency-name: postcss
  dependency-version: 8.5.15
  dependency-type: direct:development
  dependency-group: npm-security
- dependency-name: vite
  dependency-version: 7.3.3
  dependency-type: direct:development
  dependency-group: npm-security
- dependency-name: "@babel/plugin-transform-modules-systemjs"
  dependency-version: 7.29.4
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: minimatch
  dependency-version: 10.0.3
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: picomatch
  dependency-version: 4.0.4
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: fast-uri
  dependency-version: 3.1.2
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: flatted
  dependency-version: 3.4.2
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: follow-redirects
  dependency-version: 1.16.0
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: js-cookie
  dependency-version: 3.0.7
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: rollup
  dependency-version: 4.60.4
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: minimatch
  dependency-version:
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: picomatch
  dependency-version: 4.0.4
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: handlebars
  dependency-version: 4.7.9
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: ip-address
  dependency-version: 10.2.0
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: tar
  dependency-version: 7.5.15
  dependency-type: indirect
  dependency-group: npm-security
- dependency-name: undici
  dependency-version: 6.25.0
  dependency-type: indirect
  dependency-group: npm-security
...

Signed-off-by: dependabot[bot] <support@github.com>
…ates

---
updated-dependencies:
- dependency-name: fastmcp
  dependency-version: 3.2.0
  dependency-type: direct:production
  dependency-group: python-security
- dependency-name: pytest
  dependency-version: 9.0.3
  dependency-type: direct:development
  dependency-group: python-security
- dependency-name: cryptography
  dependency-version: 46.0.7
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: aiohttp
  dependency-version: 3.13.4
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: langchain-classic
  dependency-version: 1.0.7
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: pytest
  dependency-version: 9.0.3
  dependency-type: direct:development
  dependency-group: python-security
- dependency-name: aiohttp
  dependency-version: 3.13.4
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: cryptography
  dependency-version: 46.0.7
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: aiohttp
  dependency-version: 3.13.4
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: langchain-classic
  dependency-version: 1.0.7
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: pytest
  dependency-version: 9.0.3
  dependency-type: direct:development
  dependency-group: python-security
- dependency-name: langchain-text-splitters
  dependency-version: 1.1.2
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: aiohttp
  dependency-version: 3.13.4
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: langchain-classic
  dependency-version: 1.0.7
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: pytest
  dependency-version: 9.0.3
  dependency-type: direct:development
  dependency-group: python-security
- dependency-name: aiohttp
  dependency-version: 3.13.4
  dependency-type: indirect
  dependency-group: python-security
- dependency-name: pytest
  dependency-version: 9.0.3
  dependency-type: direct:development
  dependency-group: python-security
- dependency-name: pytest
  dependency-version: 9.0.3
  dependency-type: direct:development
  dependency-group: python-security
...

Signed-off-by: dependabot[bot] <support@github.com>
…er/pygments-2.20.0' into consolidate-remaining-security-prs

# Conflicts:
#	services/mcp-server/poetry.lock
…ckend/pygments-2.20.0' into consolidate-remaining-security-prs

# Conflicts:
#	services/admin-backend/poetry.lock
…0.0' into consolidate-remaining-security-prs

# Conflicts:
#	libs/poetry.lock
…b/pygments-2.20.0' into consolidate-remaining-security-prs

# Conflicts:
#	libs/admin-api-lib/poetry.lock
…/frontend/npm-security-9e291bfa50' into consolidate-remaining-security-prs

# Conflicts:
#	package-lock.json
#	package.json
#	services/frontend/package-lock.json
#	services/frontend/package.json