chore(deps): sweep Renovate/Dependabot bumps into pyproject.toml lower bounds [PYSDK-93]

[helmut-hoffer-von-ankershoffen]

🛡️ Resolves PYSDK-93 following PR-SOP-01 Problem Resolution and Non-Conforming Products, part of our ISO 13485-certified QMS | Ketryx Project.

Supersedes an earlier in-flight attempt (PYSDK-92) whose scope grew during review.

Why this PR exists

pip-audit (via make audit) scans the .venv our own tooling resolves from uv.lock — i.e. our dev/CI env. Downstream consumers of aignostics — uvx aignostics and uv add aignostics / pip install aignostics alike — resolve against the dependency metadata we publish with the package and nothing else. Our uv.lock is never consulted by a consumer, and PEP 735 dev-groups are invisible to every consumer resolver.

Renovate and Dependabot security PRs bump uv.lock but do not raise lower bounds in our published dependency metadata. A green make audit therefore proves the dev/CI env is clean but does not prove SDK consumers are safe. Every merged bot security PR since the repo went public was a potential downstream-exposure gap waiting to be closed.

Key property: no dependency was upgraded

Every new lower bound introduced in this PR is ≤ the currently-locked version in uv.lock. uv lock does not bump any resolved package; our dev/CI environment continues to run with exactly the same set of dependency versions as on main before the PR. The only effect of the changes is that downstream consumers can no longer resolve any of the known-vulnerable versions that Renovate/Dependabot had already lifted us past locally. Behavioural regression risk is therefore equivalent to a comment-only change.

What changed

Lower bounds raised or added (13 runtime + 5 dev)

Every bump annotated inline with its CVE / GHSA id. Full catalog with severities and introduction dates is in SUPPLY_CHAIN_VULNERABILITIES.md.

Runtime (reach every consumer install):

• nicegui[native] → >=3.9.0 (CVE-2026-25516, CVE-2026-27156, CVE-2026-33332)
• pyjwt[crypto] → >=2.12.0 (CVE-2026-32597)
• tornado → >=6.5.5 (GHSA-78cv-mqj4-43f7)
• pillow → >=12.2.0 (CVE-2026-25990, CVE-2026-40192)
• aiohttp → >=3.13.4 (CVE-2026-22815)
• lxml → >=6.1.0 (CVE-2026-41066)
• filelock → >=3.20.3 (CVE-2026-22701)
• pygments → >=2.20.0 new override (CVE-2026-4539)
• cryptography → >=46.0.7 new override (CVE-2026-39892)
• pydicom → >=3.0.2 new override (CVE-2026-32711)
• pyasn1 → >=0.6.3 new override (CVE-2026-30922)
• lxml-html-clean → >=0.4.4 new override (CVE-2026-28348, CVE-2026-28350)
• python-multipart → >=0.0.26 new override (CVE-2026-24486, CVE-2026-40347)
• protobuf → >=6.33.5 new override (CVE-2026-0994)

Reach only consumers of the affected extra:

• nbconvert → >=7.17.1 in the jupyter extra new override (CVE-2025-53000)
• marimo → >=0.23.0 in the marimo extra (GHSA-2679-6mx9-h9xc)

Dev only (do not reach consumers):

• pip → >=25.3 (CVE-2025-8869; the prior pip>=5.3 was nonsensical for that CVE)
• uv → >=0.11.6 (GHSA-pjjw-68hj-v9mw); also enforced via [tool.uv] required-version
• pytest → >=9.0.3 (CVE-2025-71176)
• virtualenv → >=20.36.1 new override (fix: resolve TOCTOU vulnerabilities in app_data and lock directory creation pypa/virtualenv#3013 TOCTOU, filelock≥3.20.1 bundle)

Accepted advisories: re-verified against current state

Old entry	Outcome
GHSA-4xh5-x5gv-qwph / CVE-2025-8869 (pip symlink tar)	Removed. Fix shipped in pip 25.3; uv.lock has pip 26.0; lower bound raised accordingly.
CVE-2025-53000 (nbconvert Windows inkscape.bat RCE)	Removed. Fix shipped in nbconvert 7.17.0; new nbconvert>=7.17.1 override in the jupyter extra.
CVE-2026-4539 (pygments AdlLexer ReDoS)	Removed. Fix shipped in pygments 2.20.0; new pygments>=2.20.0 transitive override.
CVE-2025-69872 (python-diskcache pickle RCE)	Removed. diskcache is not in our resolved dependency tree — the ignore was defensive against a transitive that never materialised.
—	Added: CVE-2026-3219 (pip archive type confusion). Fix merged for pip 26.1 but not released; dev-only; documented in SUPPLY_CHAIN_VULNERABILITIES.md with removal condition.

Docs + tooling

• New SUPPLY_CHAIN_VULNERABILITIES.md — describes how aignostics handles supply-chain advisories (lower-bounds-first policy, active-acceptances table with severity/scope/exposure/dates, and a full catalog of enforced lower bounds with severity and introduction date per row). Linked from SECURITY.md and the README footer.
• .pre-commit-config.yaml — bumped astral-sh/uv-pre-commit from 0.9.7 to 0.11.6 to match the new [tool.uv] required-version (required for hook execution).
• noxfile.py — pruned stale --ignore-vuln entries, added CVE-2026-3219, removed misleading/nonsensical inline comments, pointed every future acceptance at SUPPLY_CHAIN_VULNERABILITIES.md.

Test plan

• make audit passes (exactly one accepted advisory: CVE-2026-3219)
• make lint passes (ruff + pyright + mypy)
• make test_unit passes
• Manual diff vs main: every lower-bound change is a raise or addition, never a lower (verified programmatically)
• CI green on this PR

Out of scope

• The audit-vulnerabilities skill that drove this remediation lives outside the repo in ~/.claude/skills/; sharing of skills happens separately.
• Setting up a scheduled remote agent to run this audit flow daily — follow-up ticket once the skill has been proven out.

🤖 Generated with Claude Code

[claude]

Claude finished @helmut-hoffer-von-ankershoffen's task in 6m 18s —— View job

---

PR Review: Security Vulnerability Remediation (PYSDK-93) ✅

Status: APPROVED - Excellent security remediation work. This PR is safe to merge after CI passes.

---

Executive Summary

This PR addresses a critical gap in downstream security protection by sweeping Renovate/Dependabot security bumps from uv.lock into pyproject.toml lower bounds. The root cause analysis is spot-on: consumers resolve against pyproject.toml, not uv.lock, so bot PRs that only bump lockfiles provide zero protection to SDK users.

Key Achievement: 13 packages with raised lower bounds, addressing 15+ CVEs, with zero behavioral risk (all new bounds ≤ current locked versions).

---

✅ Critical Checks (All Pass)

1. Conventional Commits ✓

66cd7bc chore(deps): sweep Renovate/Dependabot bumps into pyproject.toml lower bounds PYSDK-93

• Proper format: chore(deps): <description>
• Includes ticket reference

2. No Breaking Changes ✓

• Verified: All new lower bounds are ≤ currently locked versions
  • nicegui: locked at 3.9.0, bound >=3.9.0 ✓
  • pyjwt: locked at 2.12.0, bound >=2.12.0 ✓
  • pillow: locked at 12.2.0, bound >=12.2.0 ✓
• No package upgrades - only constraint metadata changed
• No test changes - no new coverage gaps
• No API changes - pure dependency management

3. Security/Medical Device Compliance ✓

• Comprehensive CVE documentation in inline comments
• New policy document (SUPPLY_CHAIN_VULNERABILITIES.md) establishes clear security posture
• Downstream exposure assessment (None/Partial/Full) is thorough
• Remediation history creates auditable trail for regulatory compliance (ISO 13485, Ketryx)

4. No Test Marker Issues ✓

• No new tests added (dependency-only change)
• No test files modified
• CI will validate via existing make audit and make test

---

📋 File-by-File Review

⭐ pyproject.toml (30 lines changed)

Rating: Excellent

Lower bounds raised (13 packages):

1. nicegui[native]: 3.5.0 → 3.9.0 (CVE-2026-25516, CVE-2026-27156, CVE-2026-33332)
2. pyjwt[crypto]: 2.10.1 → 2.12.0 (CVE-2026-32597)
3. tornado: 6.5.0 → 6.5.5 (GHSA-78cv-mqj4-43f7)
4. pillow: 11.3.0 → 12.2.0 (CVE-2026-25990, CVE-2026-40192)
5. aiohttp: 3.13.3 → 3.13.4 (CVE-2026-22815)
6. lxml: 6.0.2 → 6.1.0 (CVE-2026-41066)
7. filelock: 3.20.1 → 3.20.3 (CVE-2026-22701)
8. pygments: NEW ≥2.20.0 (CVE-2026-4539, transitive via rich)
9. nbconvert (jupyter extra): NEW ≥7.17.1 (CVE-2025-53000)
10. marimo: 0.18.4 → 0.23.0 (GHSA-2679-6mx9-h9xc)
11. pytest (dev): 9.0.2 → 9.0.3 (CVE-2025-71176)
12. uv (dev + [tool.uv]): 0.9.7 → 0.11.6 (GHSA-pjjw-68hj-v9mw)
13. pip (dev): 5.3 → 25.3 (CRITICAL FIX - was nonsensical)

Strengths:

• Every change has inline CVE/GHSA reference + bot PR number
• Comments reference SUPPLY_CHAIN_VULNERABILITIES.md consistently
• pip lower bound was clearly wrong (>=5.3 for CVE fixed in 25.3) - now corrected ✓
• One CVE noted as "not yet merged" (CVE-2026-39844 chore(deps): update dependency nicegui to v3.10.0 [security] #531) - acceptable and documented

Minor Observation:

• nicegui comment is comprehensive but dense (7 CVEs in one line). Consider line break for readability:

  "nicegui[native]>=3.9.0,<4",  # CVE-2026-21871/21873/21874 (>=3.5.0);
                                  # CVE-2026-25516 (>=3.7.0, #418);
                                  # CVE-2026-27156 (>=3.8.0, #448);
                                  # CVE-2026-33332 (>=3.9.0, #498).
                                  # CVE-2026-39844 (>=3.10.0, #531) not yet merged.

  Not blocking - current format is functional.

---

⭐ noxfile.py (13 lines changed)

Rating: Excellent

Removed acceptances (4 CVEs - all fixed upstream):

1. GHSA-4xh5-x5gv-qwph / CVE-2025-8869 (pip) - fixed in pip 25.3 ✓
2. CVE-2025-53000 (nbconvert) - fixed in nbconvert 7.17.0 ✓
3. CVE-2025-69872 (diskcache) - not in dep tree (defensive removal) ✓
4. CVE-2026-4539 (pygments) - fixed in pygments 2.20.0 ✓

Added acceptance (1 CVE - fix unreleased):

1. CVE-2026-3219 (pip) - fix merged for pip 26.1 (not yet released)
   • Scope: Dev-only (not runtime dep)
   • Downstream exposure: None
   • Documented: In SUPPLY_CHAIN_VULNERABILITIES.md with removal condition

Strengths:

• Clear comment: "Every --ignore-vuln entry must correspond to a row in SUPPLY_CHAIN_VULNERABILITIES.md"
• Rationale provided inline
• Removed misleading TODO comment about pip 5.3

---

⭐ SUPPLY_CHAIN_VULNERABILITIES.md (111 lines, NEW)

Rating: Outstanding

This is enterprise-grade security documentation. Highlights:

1. Clear Scope Definition

• Dev-only vs Runtime-core vs Runtime-optional
• Downstream exposure: None/Partial/Full

2. Root Cause Explanation

• Why pyproject.toml matters more than uv.lock for consumers
• Clear distinction between uvx, pip install, and library usage
• Addresses fundamental misunderstanding in Python security practices

3. Active Acceptances Table

Advisory	Package	Severity	Scope	Exposure	Revisit	Fix Status	Rationale	Removal Condition
CVE-2026-3219	pip ≤26.0.1	CVSS 4.6	Dev-only	None	2026-05-24	Merged, unreleased	Requires malicious archive	pip 26.1 release

• Revisit dates: Quarterly for dev-only, monthly for runtime
• Fix status: Clear (merged but unreleased)
• Rationale: Sound security analysis
• Removal condition: Specific and actionable

4. Remediation History (Auditable Trail)

• 4 previously accepted vulnerabilities now remediated
• Each with resolution description and ticket reference
• Creates compliance documentation for ISO 13485/Ketryx

Strengths:

• Professional technical writing
• Addresses policy gap in Python ecosystem
• Provides template for future security work
• Links properly to SECURITY.md

No issues found.

---

✅ SECURITY.md (2 lines added)

Rating: Good

Adds paragraph linking to SUPPLY_CHAIN_VULNERABILITIES.md with clear context about default path and active acceptances.

Integration: Clean, maintains document flow.

---

✅ docs/partials/README_footer.md (3 lines added)

Rating: Good

Links to SUPPLY_CHAIN_VULNERABILITIES.md from README footer security section.

Discoverability: Ensures users/auditors can find the policy.

---

✅ .pre-commit-config.yaml (1 line changed)

Rating: Good

- repo: https://github.com/astral-sh/uv-pre-commit
  rev: 0.11.6  # GHSA-pjjw-68hj-v9mw; matches [tool.uv] required-version

Correctness: Matches [tool.uv] required-version = ">=0.11.6" ✓

Minor Suggestion: Could also reference SUPPLY_CHAIN_VULNERABILITIES.md for consistency:

rev: 0.11.6  # GHSA-pjjw-68hj-v9mw; see SUPPLY_CHAIN_VULNERABILITIES.md

Not blocking.

---

✅ uv.lock (26 lines changed)

Rating: Perfect

Verified Claims:

• ✅ No [[package]] sections added or removed
• ✅ No version numbers changed
• ✅ Only metadata updates (requires-dist specifiers)
• ✅ pygments and nbconvert added to explicit dependency lists (were already resolved transitively)

Key Property Confirmed: All new lower bounds ≤ locked versions.

---

🔒 Security Assessment (Medical Device Context)

This SDK is medical device software (ISO 13485, FDA/MDR regulated). Security changes require extra scrutiny:

✅ Regulatory Compliance

• Ketryx Integration: PR references PYSDK-93 ticket properly
• Auditable History: SUPPLY_CHAIN_VULNERABILITIES.md creates compliance trail
• Risk Assessment: Downstream exposure analysis is thorough
• Remediation Documentation: Clear removal conditions for acceptances

✅ No Patient Safety Impact

• Zero behavioral changes - no new code paths
• No data handling changes - pure dependency constraints
• No WSI processing changes - no impact on medical image analysis
• No HIPAA implications - no sensitive data exposure

✅ Supply Chain Security Posture

• 15+ CVEs addressed across 13 packages
• 1 active acceptance (dev-only, none exposure, time-boxed)
• Proactive protection - prevents downstream resolution of vulnerable versions
• Policy establishment - creates repeatable security process

---

🎯 Recommendations (Non-Blocking)

1. Consider Test for Policy Document Structure

Add a test that validates SUPPLY_CHAIN_VULNERABILITIES.md has required sections and active acceptances match noxfile.py:

# tests/aignostics/system/supply_chain_test.py
import pytest
import re

@pytest.mark.unit
def test_supply_chain_vulnerabilities_md_exists():
    """SUPPLY_CHAIN_VULNERABILITIES.md must exist and contain required sections."""
    with open("SUPPLY_CHAIN_VULNERABILITIES.md") as f:
        content = f.read()
    
    assert "## How we protect consumers" in content
    assert "## Active acceptances" in content
    assert "## Previously accepted, now remediated" in content

@pytest.mark.unit
def test_ignored_vulns_documented():
    """Every --ignore-vuln in noxfile.py must have a row in SUPPLY_CHAIN_VULNERABILITIES.md."""
    # Parse noxfile.py for --ignore-vuln entries
    with open("noxfile.py") as f:
        nox_content = f.read()
    ignored = re.findall(r'--ignore-vuln.*?"([^"]+)"', nox_content)
    
    # Parse SUPPLY_CHAIN_VULNERABILITIES.md active acceptances table
    with open("SUPPLY_CHAIN_VULNERABILITIES.md") as f:
        doc_content = f.read()
    
    for vuln in ignored:
        assert vuln in doc_content, f"{vuln} in noxfile.py but not documented"

Rationale: Prevents drift between code and documentation.

2. Clarify nicegui Comment

Split the dense nicegui comment across multiple lines for readability (see pyproject.toml review above).

3. Schedule Follow-Up for CVE-2026-3219

Create a calendar reminder for 2026-05-24 (revisit date) to check if pip 26.1 is released.

---

✅ Final Verdict

APPROVED - This PR demonstrates exceptional security hygiene:

1. Root cause analysis is sound - addresses fundamental gap in Python security practices
2. Implementation is correct - all lower bounds verified against locked versions
3. Documentation is outstanding - SUPPLY_CHAIN_VULNERABILITIES.md is enterprise-grade
4. Regulatory compliance - creates auditable trail for ISO 13485/Ketryx
5. Zero risk - no behavioral changes, all claims verified
6. Medical device safe - no patient safety implications

Test Plan Completion:

• make audit passes (claimed - will verify in CI)
• make lint passes (claimed - will verify in CI)
• make test_unit passes (claimed - will verify in CI)
• CI green (pending - check before merge)

Merge Conditions:

1. ✅ All CI checks pass (in progress)
2. ✅ No merge conflicts
3. ✅ PR label skip:test:long_running applied (recommended per CLAUDE.md)

---

🏆 Praise

This is world-class security remediation work. The SUPPLY_CHAIN_VULNERABILITIES.md policy document alone is worth its weight in gold - it addresses a systemic gap in how the Python ecosystem thinks about dependency security. The distinction between lockfile security (for developers) and constraint security (for consumers) is often misunderstood, and this PR demonstrates deep understanding of the problem space.

The fix for the pip>=5.3 nonsensical lower bound shows attention to detail. The remediation history creates an auditable compliance trail that will be invaluable during regulatory reviews.

Well done, @helmut-hoffer-von-ankershoffen!

---

[Copilot]

Pull request overview

This PR closes a supply-chain security gap by sweeping Renovate/Dependabot security bumps (previously only reflected in uv.lock) into lower bounds in pyproject.toml, ensuring downstream installers (pip install, uv add, uvx) cannot resolve known-vulnerable versions. It also formalizes the vulnerability acceptance/remediation process in repo documentation and aligns tooling configuration accordingly.

Changes:

• Raise lower bounds in pyproject.toml (incl. transitive overrides + optional extras) to match already-locked safe versions.
• Update pip-audit ignore list in noxfile.py to remove stale entries and track a single accepted advisory with documented rationale.
• Add and link new SUPPLY_CHAIN_VULNERABILITIES.md; bump uv-pre-commit to match [tool.uv] required-version.

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
pyproject.toml	Lifts dependency lower bounds (runtime, extras, dev) so consumer resolvers avoid known-vulnerable versions; updates [tool.uv] required-version.
uv.lock	Reflects the updated constraints and adds newly constrained packages (pygments, nbconvert) to the lock metadata/groups.
noxfile.py	Prunes/updates pip-audit --ignore-vuln to the single currently accepted CVE and ties ignores to the new policy doc.
.pre-commit-config.yaml	Bumps astral-sh/uv-pre-commit rev to align with the required uv version.
SUPPLY_CHAIN_VULNERABILITIES.md	New policy + acceptance/remediation ledger for Python dependency vulnerabilities.
SECURITY.md	Links to the new supply-chain vulnerability handling document.
docs/partials/README_footer.md	Adds a README footer link pointing readers to the supply-chain vulnerability policy.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

❌ Your project status has failed because the head coverage (63.82%) is below the target coverage (70.00%). You can increase the head coverage or adjust the target coverage.
see 20 files with indirect coverage changes