VectorInstitute · amrit110 · Apr 21, 2026 · Apr 20, 2026 · Apr 21, 2026
diff --git a/.github/workflows/code_checks.yml b/.github/workflows/code_checks.yml
@@ -32,7 +32,7 @@ jobs:
       - uses: actions/checkout@v6.0.2
 
       - name: Install uv
-        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b
         with:
           # Install a specific version of uv.
           version: "0.9.22"

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -22,7 +22,7 @@ jobs:
       - uses: actions/checkout@v6.0.2
 
       - name: Install uv
-        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b
         with:
           # Install a specific version of uv.
           version: "0.9.22"

diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml
@@ -40,7 +40,7 @@ jobs:
       - uses: actions/checkout@v6.0.2
 
       - name: Install uv
-        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b
         with:
           # Install a specific version of uv.
           version: "0.9.22"

diff --git a/aieng-eval-agents/pyproject.toml b/aieng-eval-agents/pyproject.toml
@@ -7,7 +7,7 @@ requires-python = ">=3.12,<4.0"
 readme = "README.md"
 license = "MIT"
 dependencies = [
-    "google-adk>=1.23.0",
+    "google-adk>=1.28.1", # CVE-2026-4810: code injection / missing auth fixed in 1.28.1
     "google-genai>=1.52.0",
     "gradio>=6.7.0", # CVE-2026-28414/27167/28416/28415 fixed in 6.6.0–6.7.0
     "kagglehub>=0.4.1",
@@ -24,7 +24,7 @@ dependencies = [
     "sqlalchemy>=2.0.46",
     "sqlglot>=28.6.0",
     "weaviate-client>=4.18.3",
-    "pypdf>=6.7.5", # CVE-2026-28804: ASCIIHexDecode DoS fixed in 6.7.5
+    "pypdf>=6.10.2", # CVE-2026-28804: ASCIIHexDecode DoS fixed in 6.7.5; GHSA-4pxv-j86v-mhcw/GHSA-7gw9-cf7v-778f/GHSA-x284-j5p8-9c5p: DoS fixed in 6.10.2
     "httpx>=0.27.0",
     "tenacity>=8.2.0",
     "python-dotenv>=1.0.0",

diff --git a/pyproject.toml b/pyproject.toml
@@ -23,15 +23,16 @@ dependencies = [
     "scikit-learn>=1.7.0",
     "urllib3>=2.6.3",
     "openpyxl>=3.1.5",
-    "authlib>=1.6.7", # CVE-2026-28802: alg:none JWT bypass fixed in 1.6.7
+    "authlib>=1.6.11", # CVE-2026-28802: alg:none JWT bypass fixed in 1.6.7; GHSA-jj8c-mmj3-mmgv: CSRF protection bypass fixed in 1.6.11
     "cryptography>=46.0.7", # CVE-2026-34073: DNS name constraint bypass fixed in 46.0.6; CVE-2026-39892: buffer overflow fixed in 46.0.7
     "filelock>=3.20.3",
     "pyasn1>=0.6.3", # CVE-2026-30922: DoS via uncontrolled recursion fixed in 0.6.3
     "virtualenv>=20.36.1",
     "tenacity>=9.1.2",
     "certifi>=2026.1.4",
     "pillow>=12.2.0", # CVE-2026-40192: FITS decompression bomb fixed in 12.2.0
-    "pypdf>=6.10.0", # CVE-2026-28804: ASCIIHexDecode DoS fixed in 6.7.5; CVE-2026-33123: array-based stream DoS fixed in 6.9.1; CVE-2026-40260: XMP metadata memory DoS fixed in 6.10.0
+    "pypdf>=6.10.2", # CVE-2026-28804: ASCIIHexDecode DoS fixed in 6.7.5; CVE-2026-33123: array-based stream DoS fixed in 6.9.1; CVE-2026-40260: XMP metadata memory DoS fixed in 6.10.0; GHSA-4pxv-j86v-mhcw/GHSA-7gw9-cf7v-778f/GHSA-x284-j5p8-9c5p: DoS fixed in 6.10.2
+    "python-multipart>=0.0.26", # CVE-2026-40347: multipart parsing DoS fixed in 0.0.26
 ]
 
 [dependency-groups]
@@ -75,6 +76,10 @@ web-search = [
 # Default dependency groups to be installed
 [tool.uv]
 default-groups = ["dev", "docs"]
+# Override pinned transitive deps to patched versions (security)
+override-dependencies = [
+    "authlib>=1.6.11", # GHSA-jj8c-mmj3-mmgv: CSRF protection bypass; aieng-platform-onboard pins 1.6.9
+]
 
 [tool.uv.workspace]
 members = [