From e100fe8b503d4db90c2a83524909a7774a1d8180 Mon Sep 17 00:00:00 2001
From: Roman Lutz
Date: Sat, 9 May 2026 06:45:10 -0700
Subject: [PATCH] MAINT: Fix 22 additional dependabot security vulnerabilities

Follow-up to #1683. Addresses 22 alerts that were either:
- not covered by #1683 (axios x13, jupyter-server x4, mistune ReDoS x1), or
- newly disclosed after that PR was merged (mistune XSS x3, GitPython newline injection x1).

## Changes

### Direct dependencies

- frontend/package.json: pin `axios` `1.15.0` -> `1.16.0` (GHSA-pf86-5x62-jrwf, GHSA-pmwg-cvhr-8vh7, GHSA-6chq-wfr3-2hj9, GHSA-q8qp-cvcw-x6jj, GHSA-xhjh-pmcv-23jw, GHSA-445q-vr5w-6q77, GHSA-m7pr-hjqh-92cm, GHSA-62hf-57xw-28j9, GHSA-3w6x-2g7m-8v23, GHSA-vf2m-468p-8v99, GHSA-xx6v-rp6x-q39c, GHSA-w9j2-pvgh-6h63, GHSA-5c9x-8gcm-mpgx). Pinned to exact version, matching the convention from #1683.

### Transitive dependencies (uv constraint-dependencies)

- `GitPython` `>=3.1.47` -> `>=3.1.50` (GHSA-mv93-w799-cj2w newline injection)
- `jupyter-server` `>=2.18.0` (NEW) (GHSA-5789-5fc7-67v3, GHSA-5mrq-x3x5-8v8f, GHSA-24qx-w28j-9m6p, GHSA-qh7q-6qm3-653w)
- `mistune` `>=3.2.1` (NEW) (GHSA-8mp2-v27r-99xp ReDoS, plus GHSA-v87v-83h2-53w7, GHSA-58cw-g322-p94v, GHSA-8g87-j6q8-g93x XSS)

Both `uv.lock` and `frontend/package-lock.json` were regenerated by their respective tools (not manually edited).

## Verification

- `npm audit` reports 0 vulnerabilities
- `tsc --noEmit` clean
- `npm test` 560/560 passing
- All 22 alert ranges cross-checked against resolved versions in both lockfiles - none of the vulnerable versions remain.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 frontend/package-lock.json | 10 +++++-----
 frontend/package.json | 2 +-
 pyproject.toml | 4 +++-
 uv.lock | 22 ++++++++++++----------
 4 files changed, 21 insertions(+), 17 deletions(-)

diff --git a/frontend/package-lock.json b/frontend/package-lock.json
index f4f2aa108c..f7ac697f36 100644
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
@@ -12,7 +12,7 @@
 "@azure/msal-react": "^5.0.7",
 "@fluentui/react-components": "9.72.7",
 "@fluentui/react-icons": "2.0.258",
- "axios": "1.15.0",
+ "axios": "1.16.0",
 "react": "18.3.1",
 "react-dom": "18.3.1",
 "react-error-boundary": "6.1.1"
@@ -4716,12 +4716,12 @@
 "license": "MIT"
 },
 "node_modules/axios": {
- "version": "1.15.0",
- "resolved": "https://registry.npmjs.org/axios/-/axios-1.15.0.tgz",
- "integrity": "sha512-wWyJDlAatxk30ZJer+GeCWS209sA42X+N5jU2jy6oHTp7ufw8uzUTVFBX9+wTfAlhiJXGS0Bq7X6efruWjuK9Q==",
+ "version": "1.16.0",
+ "resolved": "https://registry.npmjs.org/axios/-/axios-1.16.0.tgz",
+ "integrity": "sha512-6hp5CwvTPlN2A31g5dxnwAX0orzM7pmCRDLnZSX772mv8WDqICwFjowHuPs04Mc8deIld1+ejhtaMn5vp6b+1w==",
 "license": "MIT",
 "dependencies": {
- "follow-redirects": "^1.15.11",
+ "follow-redirects": "^1.16.0",
 "form-data": "^4.0.5",
 "proxy-from-env": "^2.1.0"
 }
diff --git a/frontend/package.json b/frontend/package.json
index acb4526cc6..76a24e1e89 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -26,7 +26,7 @@
 "@azure/msal-react": "^5.0.7",
 "@fluentui/react-components": "9.72.7",
 "@fluentui/react-icons": "2.0.258",
- "axios": "1.15.0",
+ "axios": "1.16.0",
 "react": "18.3.1",
 "react-dom": "18.3.1",
 "react-error-boundary": "6.1.1"
diff --git a/pyproject.toml b/pyproject.toml
index b6d20381da..3f36646cc2 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -200,10 +200,12 @@ invalid-argument-type = "warn"
 [tool.uv]
 constraint-dependencies = [
 "aiohttp>=3.13.4",
- "GitPython>=3.1.47",
+ "GitPython>=3.1.50",
+ "jupyter-server>=2.18.0",
 "jupyterlab>=4.5.7",
 "lxml>=6.1.0",
 "Mako>=1.3.11",
+ "mistune>=3.2.1",
 "nbconvert>=7.17.1",
 "notebook>=7.5.6",
 "orjson>=3.11.6",
diff --git a/uv.lock b/uv.lock
index e79784f821..5b67d9e27d 100644
--- a/uv.lock
+++ b/uv.lock
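Review bot: The new floors `"jupyter-server>=2.18.0"` and `"mistune>=3.2.1"` (and the raised `"GitPython>=3.1.50"`) in the pyproject.toml hunk carry no in-file record of why they exist, so a later cleanup of `constraint-dependencies` cannot tell which entries are security backstops that must not be lowered; the advisory ids live only in this commit message. I would put the reason on each line, e.g. `"mistune>=3.2.1",  # floor for ReDoS/XSS advisories, GHSA ids in PR #<placeholder>` and the same for the other two. It is worth stating in that comment that `constraint-dependencies` only bounds resolution and adds no requirement, so a floor is inert once the package leaves the graph; the uv.lock hunks in this commit show all three currently resolve at or above their floors. The `constraint-dependencies` array closes outside the hunk.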
@@ -20,10 +20,12 @@ resolution-markers = [
 constraints = [
 { name = "aiohttp", specifier = ">=3.13.4" },
 { name = "cryptography", specifier = ">=46.0.7" },
- { name = "gitpython", specifier = ">=3.1.47" },
+ { name = "gitpython", specifier = ">=3.1.50" },
+ { name = "jupyter-server", specifier = ">=2.18.0" },
 { name = "jupyterlab", specifier = ">=4.5.7" },
 { name = "lxml", specifier = ">=6.1.0" },
 { name = "mako", specifier = ">=1.3.11" },
+ { name = "mistune", specifier = ">=3.2.1" },
 { name = "nbconvert", specifier = ">=7.17.1" },
 { name = "notebook", specifier = ">=7.5.6" },
 { name = "orjson", specifier = ">=3.11.6" },
@@ -1983,14 +1985,14 @@ wheels = [
 
 [[package]]
 name = "gitpython"
-version = "3.1.49"
+version = "3.1.50"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
 { name = "gitdb" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/e1/63/210aaa302d6a0a78daa67c5c15bbac2cad361722841278b0209b6da20855/gitpython-3.1.49.tar.gz", hash = "sha256:42f9399c9eb33fc581014bedd76049dfbaf6375aa2a5754575966387280315e1", size = 219367, upload-time = "2026-04-29T00:31:20.478Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/33/f6/354ae6491228b5eb40e10d89c4d13c651fe1cf7556e35ebdded50cff57ce/gitpython-3.1.50.tar.gz", hash = "sha256:80da2d12504d52e1f998772dc5baf6e553f8d2fcfe1fcc226c9d9a2ee3372dcc", size = 219798, upload-time = "2026-05-06T04:01:26.571Z" }
 wheels = [
- { url = "https://files.pythonhosted.org/packages/fd/6f/b842bfa6f21d6f87c57f9abf7194225e55279d96d869775e19e9f7236fc5/gitpython-3.1.49-py3-none-any.whl", hash = "sha256:024b0422d7f84d15cd794844e029ffebd4c5d42a7eb9b936b458697ef550a02c", size = 212190, upload-time = "2026-04-29T00:31:18.412Z" },
+ { url = "https://files.pythonhosted.org/packages/20/7a/1c6e3562dfd8950adbb11ffbc65d21e7c89d01a6e4f137fa981056de25c5/gitpython-3.1.50-py3-none-any.whl", hash = "sha256:d352abe2908d07355014abdd21ddf798c2a961469239afec4962e9da884858f9", size = 212507, upload-time = "2026-05-06T04:01:23.799Z" },
 ]
 
 [[package]]
@@ -2820,7 +2822,7 @@ wheels = [
 
 [[package]]
 name = "jupyter-server"
-version = "2.17.0"
+version = "2.18.2"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
 { name = "anyio" },
@@ -2843,9 +2845,9 @@ dependencies = [
 { name = "traitlets" },
 { name = "websocket-client" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/5b/ac/e040ec363d7b6b1f11304cc9f209dac4517ece5d5e01821366b924a64a50/jupyter_server-2.17.0.tar.gz", hash = "sha256:c38ea898566964c888b4772ae1ed58eca84592e88251d2cfc4d171f81f7e99d5", size = 731949, upload-time = "2025-08-21T14:42:54.042Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/ca/15/1eacb0fcb79ef86e8a0a79a708e6ad7435f6f223097dd29a4ce861fabc44/jupyter_server-2.18.2.tar.gz", hash = "sha256:06b4f40d8a7a00bb39d5216859c81374a0e7cfefe6d8a5a7facc5a5c37c679a7", size = 753177, upload-time = "2026-05-06T07:04:36.274Z" }
 wheels = [
- { url = "https://files.pythonhosted.org/packages/92/80/a24767e6ca280f5a49525d987bf3e4d7552bf67c8be07e8ccf20271f8568/jupyter_server-2.17.0-py3-none-any.whl", hash = "sha256:e8cb9c7db4251f51ed307e329b81b72ccf2056ff82d50524debde1ee1870e13f", size = 388221, upload-time = "2025-08-21T14:42:52.034Z" },
+ { url = "https://files.pythonhosted.org/packages/e2/50/ecf4f70d65bdb7519b28a33d1b2fee8a4b4ba1ae1a92f15d97e877c5de21/jupyter_server-2.18.2-py3-none-any.whl", hash = "sha256:fa5e46539ded65791838035a2b6001f13e54d5f64b8b3752eb1e91fdd641a5b8", size = 391907, upload-time = "2026-05-06T07:04:34.014Z" },
 ]
 
 [[package]]
@@ -3405,14 +3407,14 @@ wheels = [
 
 [[package]]
 name = "mistune"
-version = "3.2.0"
+version = "3.2.1"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
 { name = "typing-extensions", marker = "python_full_version < '3.11'" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/9d/55/d01f0c4b45ade6536c51170b9043db8b2ec6ddf4a35c7ea3f5f559ac935b/mistune-3.2.0.tar.gz", hash = "sha256:708487c8a8cdd99c9d90eb3ed4c3ed961246ff78ac82f03418f5183ab70e398a", size = 95467, upload-time = "2025-12-23T11:36:34.994Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/ca/84/620cc3f7e3adf6f5067e10f4dbae71295d8f9e16d5d3f9ef97c40f2f592c/mistune-3.2.1.tar.gz", hash = "sha256:7c8e5501d38bac1582e067e46c8343f17d57ea1aaa735823f3aba1fd59c88a28", size = 98003, upload-time = "2026-05-03T14:33:22.312Z" }
 wheels = [
- { url = "https://files.pythonhosted.org/packages/9b/f7/4a5e785ec9fbd65146a27b6b70b6cdc161a66f2024e4b04ac06a67f5578b/mistune-3.2.0-py3-none-any.whl", hash = "sha256:febdc629a3c78616b94393c6580551e0e34cc289987ec6c35ed3f4be42d0eee1", size = 53598, upload-time = "2025-12-23T11:36:33.211Z" },
+ { url = "https://files.pythonhosted.org/packages/2a/7f/a946aa4f8752b37102b41e64dca18a1976ac705c3a0d1dfe74d820a02552/mistune-3.2.1-py3-none-any.whl", hash = "sha256:78cdb0ba5e938053ccf63651b352508d2efa9411dc8810bfb05f2dc5140c0048", size = 53749, upload-time = "2026-05-03T14:33:20.551Z" },
 ]
 
 [[package]]