From c2f2ff90027d51e78f9b73f6eed37c41fa352acc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 5 Jun 2026 03:34:15 +0000 Subject: [PATCH 1/2] chore(deps): update pydantic-ai-slim[logfire] requirement Updates the requirements on [pydantic-ai-slim[logfire]](https://github.com/pydantic/pydantic-ai) to permit the latest version. - [Release notes](https://github.com/pydantic/pydantic-ai/releases) - [Changelog](https://github.com/pydantic/pydantic-ai/blob/main/docs/changelog.md) - [Commits](https://github.com/pydantic/pydantic-ai/compare/v1.90.0...v1.106.0) --- updated-dependencies: - dependency-name: pydantic-ai-slim[logfire] dependency-version: 1.106.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- aieng-agents/pyproject.toml | 2 +- uv.lock | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/aieng-agents/pyproject.toml b/aieng-agents/pyproject.toml
index 4bf469b..601057b 100644
--- a/aieng-agents/pyproject.toml
+++ b/aieng-agents/pyproject.toml
@@ -46,7 +46,7 @@ gradio = [
 ]
 observability = [
 "langfuse>=4.3.1",
- "pydantic-ai-slim[logfire]>=1.90.0",
+ "pydantic-ai-slim[logfire]>=1.106.0",
 ]
 all = [
 "aieng-agents[data,weaviate,code-interpreter,gemini-proxy,news,gradio,observability]",
diff --git a/uv.lock b/uv.lock
index 021be24..73529ee 100644
--- a/uv.lock
+++ b/uv.lock
@@ -190,7 +190,7 @@ requires-dist = [ { name = "openai-agents", specifier = ">=0.4.0" }, { name = "pandas", marker = "extra == 'data'", specifier = ">=3.0.2" }, { name = "pydantic", specifier = ">=2.11.7" }, - { name = "pydantic-ai-slim", extras = ["logfire"], marker = "extra == 'observability'", specifier = ">=1.90.0" }, + { name = "pydantic-ai-slim", extras = ["logfire"], marker = "extra == 'observability'", specifier = ">=1.106.0" }, { name = "pydantic-settings", specifier = ">=2.13.1" }, { name = "pymupdf", marker = "extra == 'data'", specifier = ">=1.27.2.2" }, { name = "python-dotenv", marker = "extra == 'data'", specifier = ">=1.2.2" }, @@ -3633,7 +3633,7 @@ wheels = [ [[package]] name = "pydantic-ai-slim" -version = "1.105.0" +version = "1.106.0" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "genai-prices" }, 
@@ -3644,9 +3644,9 @@ dependencies = [ { name = "pydantic-graph" }, { name = "typing-inspection" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/cd/ae/1b0370f9b9f1ca7ccf2e6b51ec5a8d11da11d9dd621e5eb015c6420c5e9b/pydantic_ai_slim-1.105.0.tar.gz", hash = "sha256:8b4ad8034b40ab3bde8e0c6285082a204ecd203007150a47943f192b474e06e9", size = 772048, upload-time = "2026-06-02T06:20:01.522Z" } +sdist = { url = "https://files.pythonhosted.org/packages/2b/45/2afc9100a7c370d8ac37bdfccfb54f46fc99da3bdce63f07c32c37807ebc/pydantic_ai_slim-1.106.0.tar.gz", hash = "sha256:e265598c8ee0e903ebb02d0494bb232be4cc8aa463ba1a55aa743cf34135dacf", size = 773504, upload-time = "2026-06-05T01:29:09.129Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/12/6e/8afdff693d21c0743ee71d792ce90afc27d4ddbaf7270d969a84452cfd0d/pydantic_ai_slim-1.105.0-py3-none-any.whl", hash = "sha256:1e65561ba9a58a9d8fc3a63b550c3c2b2c4017da275dea78291e526aa06298d8", size = 956108, upload-time = "2026-06-02T06:19:52.821Z" }, + { url = "https://files.pythonhosted.org/packages/72/d9/a2785c576e3519a72a5bbc0e12027c542b265ef6eea1aa72b9c440ac2531/pydantic_ai_slim-1.106.0-py3-none-any.whl", hash = "sha256:0dd7a99ea3fa89b490098406c2240ba7d75c327eea094c3fd057dd7aa9f3d163", size = 957617, upload-time = "2026-06-05T01:28:59.979Z" }, ] [package.optional-dependencies] @@ -3731,7 +3731,7 @@ wheels = [ [[package]] name = "pydantic-graph" -version = "1.105.0" +version = "1.106.0" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "httpx" }, 
@@ -3739,9 +3739,9 @@ dependencies = [ { name = "pydantic" }, { name = "typing-inspection" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/33/98/0361e1eb28f8d107e4e12dcd2d14eabef55f4a8ca18b1a6f185df74934c0/pydantic_graph-1.105.0.tar.gz", hash = "sha256:3f5cf97d544b900098d3cc2dbd6a8cdd79ea59dac610d7651f86c9228d33c0b9", size = 62570, upload-time = "2026-06-02T06:20:05.158Z" } +sdist = { url = "https://files.pythonhosted.org/packages/42/9b/dd6826cf21eedd96a7482302be51ba6087095acbe828362135de2a505092/pydantic_graph-1.106.0.tar.gz", hash = "sha256:55afa33df4f699ed5c1185f81b6a06e2161958f1aa0c20742b2dae5745e84cce", size = 62567, upload-time = "2026-06-05T01:29:11.833Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/be/1b/13882fd4d70299dc2995bee20f21599cb8d453b27f44e239f82384d4ea3f/pydantic_graph-1.105.0-py3-none-any.whl", hash = "sha256:ba76d77ad21a13f2961fbda9d988f3d5a3d9ffc1817ee912e0ea59b0b5a9e825", size = 80099, upload-time = "2026-06-02T06:19:57.098Z" }, + { url = "https://files.pythonhosted.org/packages/9b/e9/0058f0b98f5992e715a0a50128f6c3cc7946cc242d471f6e850efdf03f0c/pydantic_graph-1.106.0-py3-none-any.whl", hash = "sha256:e6bb61aef0fdb49185a81142d311f94fc3315329345471d12cab85ab5845221f", size = 80099, upload-time = "2026-06-05T01:29:04.219Z" }, ] [[package]] From eef01105699e0fdde1b68464aca90d63d056df5c Mon Sep 17 00:00:00 2001 From: "aieng-bot[bot]" Date: Sat, 6 Jun 2026 01:07:37 +0000 Subject: [PATCH 2/2] chore: bump pip to 26.1.2 to fix PYSEC-2026-196 Add pip>=26.1.2 override to resolve PYSEC-2026-196 (console_scripts path traversal vulnerability in pip 26.1.1). Co-authored-by: aieng-bot --- pyproject.toml | 1 + uv.lock | 9 +++++---- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index f0c3ebf..23c1a52 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -54,6 +54,7 @@ override-dependencies = [
 "fastapi!=0.136.3", # MAL-2026-4750: malicious undocumented dependency added in 0.136.3
 "python-multipart>=0.0.27", # Fix CVE-2026-42561 (DoS in multipart header parsing)
 "starlette>=1.0.1", # Fix PYSEC-2026-161 (Host header path injection / auth bypass)
+ "pip>=26.1.2", # Fix PYSEC-2026-196 (console_scripts path traversal)
 "urllib3>=2.7.0", # Fix CVE-2026-44431, CVE-2026-44432
 ]
diff --git a/uv.lock b/uv.lock
index 73529ee..344fabb 100644
--- a/uv.lock
+++ b/uv.lock
@@ -25,6 +25,7 @@ overrides = [ { name = "aiohttp", specifier = ">=3.14.0" }, { name = "authlib", specifier = ">=1.6.11" }, { name = "fastapi", specifier = "!=0.136.3" }, + { name = "pip", specifier = ">=26.1.2" }, { name = "python-multipart", specifier = ">=0.0.27" }, { name = "starlette", specifier = ">=1.0.1" }, { name = "urllib3", specifier = ">=2.7.0" }, @@ -195,7 +196,7 @@ requires-dist = [ { name = "pymupdf", marker = "extra == 'data'", specifier = ">=1.27.2.2" }, { name = "python-dotenv", marker = "extra == 'data'", specifier = ">=1.2.2" }, { name = "rich", specifier = ">=15.0.0" }, - { name = "transformers", marker = "extra == 'data'", specifier = ">=5.10.2" }, + { name = "transformers", marker = "extra == 'data'", specifier = ">=5.5.4" }, { name = "weaviate-client", marker = "extra == 'weaviate'", specifier = ">=4.20.5" }, ] provides-extras = ["data", "weaviate", "code-interpreter", "gemini-proxy", "news", "gradio", "observability", "all"]
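Review bot: The added `"pip>=26.1.2"` override constrains only the pip that uv resolves into this lockfile, so a pip provisioned outside the locked environment (base image, CI bootstrap, a developer's own virtualenv) is not affected by this line; nothing visible here shows how pip is otherwise installed, so that path needs its own check for PYSEC-2026-196. The entry is also placed after `starlette` while the neighbouring entries in this hunk are alphabetical and uv.lock's `overrides` list sorts it after `fastapi`; putting it above `"python-multipart>=0.0.27"` would match. The same commit's uv.lock additionally changes the `transformers` specifier from `>=5.10.2` to `>=5.5.4`, which the commit message does not explain and which suggests the lock was regenerated from a tree that differs from the one the previous lock was built on; confirm that before merging. The `override-dependencies` array opens above the hunk.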
@@ -3243,11 +3244,11 @@ wheels = [ [[package]] name = "pip" -version = "26.1.1" +version = "26.1.2" source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/b6/48/cb9b7a682f6fe01a4221e1728941dd4ac3cd9090a17db3779d6ff490b602/pip-26.1.1.tar.gz", hash = "sha256:d36762751d156a4ee895de8af39aa0abeeeb577f93a2eca6ab62467bbf0f8a78", size = 1840400, upload-time = "2026-05-04T19:02:21.248Z" } +sdist = { url = "https://files.pythonhosted.org/packages/01/91/47e7d486260f618783899587af63ccf7980fb60245c3e63dd4571c6b57ad/pip-26.1.2.tar.gz", hash = "sha256:f49cd134c61cf2fd75e0ce2676db03e4054504a5a4986d00f8299ae632dc4605", size = 1840799, upload-time = "2026-05-31T17:33:58.56Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/3a/eb/fea4d1d51c49832120f7f285d07306db3960f423a2612c6057caf3e8196f/pip-26.1.1-py3-none-any.whl", hash = "sha256:99cb1c2899893b075ff56e4ed0af55669a955b49ad7fb8d8603ecdaf4ed653fb", size = 1812777, upload-time = "2026-05-04T19:02:18.9Z" }, + { url = "https://files.pythonhosted.org/packages/5d/95/6b5cb3461ea5673ba0995989746db58eb18b91b54dbf331e72f569540946/pip-26.1.2-py3-none-any.whl", hash = "sha256:382ff9f685ee3bc25864f820aa50505825f10f5458ffff07e30a6d96e5715cab", size = 1813144, upload-time = "2026-05-31T17:33:56.772Z" }, ] [[package]]