fix: address nspect vulnerability report for requests and cryptography (#475)

johnnygreco · web-flow · commit 0a2d3727352b · 2026-03-30T10:50:19.000-04:00
* fix: address nspect vulnerability report for requests and cryptography Bump requests lower bound to >=2.33 to exclude vulnerable 2.32.x and update lockfile to pull cryptography 46.0.6 and requests 2.33.0. * fix: bump pygments lower bound to >=2.20 to address CVE-2026-4539 ReDoS vulnerability in the Archetype lexer fixed in Pygments 2.20.0.
diff --git a/packages/data-designer-config/pyproject.toml b/packages/data-designer-config/pyproject.toml
@@ -25,10 +25,10 @@ dependencies = [
     "pillow>=12.1.1,<13",
     "pyarrow>=19.0.1,<20", # Required for parquet I/O operations
     "pydantic[email]>=2.9.2,<3",
-    "pygments>=2.19.2,<3",
+    "pygments>=2.20,<3",
     "python-json-logger>=3,<4",
     "pyyaml>=6.0.1,<7",
-    "requests>=2.32,<3",
+    "requests>=2.33,<3",
     "rich>=13.7.1,<15",
 ]
 
diff --git a/packages/data-designer-engine/pyproject.toml b/packages/data-designer-engine/pyproject.toml
@@ -33,7 +33,7 @@ bump = true
 [tool.hatch.metadata.hooks.uv-dynamic-versioning]
 dependencies = [
     "anyascii>=0.3.3,<1",
-    "chardet>=3.0.2,<6",  # Pulled in by sqlfluff; pin <6 to avoid RequestsDependencyWarning from requests<2.33
+    "chardet>=3.0.2,<6",  # Pulled in by sqlfluff
     "data-designer-config=={{ version }}",
     "duckdb>=1.5.0,<2",
     "faker>=20.1.0,<21",
diff --git a/uv.lock b/uv.lock
