[pre-commit.ci] pre-commit autoupdate

.pre-commit-config.yaml

@@ -20,12 +20,12 @@ repos:
     - id: check-toml
 
   - repo: https://github.com/astral-sh/uv-pre-commit
-    rev: 0.11.6
+    rev: 0.11.7
     hooks:
       - id: uv-lock
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.15.10
+    rev: v0.15.11
     hooks:
     - id: ruff-check
       args: [--fix, --exit-non-zero-on-fix]

aieng-eval-agents/pyproject.toml

@@ -7,11 +7,11 @@ requires-python = ">=3.12,<4.0"
 readme = "README.md"
 license = "MIT"
 dependencies = [
-    "google-adk>=1.28.1", # CVE-2026-4810: code injection / missing auth fixed in 1.28.1
+    "google-adk>=1.28.1", # CVE-2026-4810: code injection and missing authentication fixed in 1.28.1
     "google-genai>=1.52.0",
     "gradio>=6.7.0", # CVE-2026-28414/27167/28416/28415 fixed in 6.6.0–6.7.0
     "kagglehub>=0.4.1",
-    "langfuse>=3.10.3",
+    "langfuse>=3.10.3,<4.0.0",
     "openai>=2.8.1",
     "openai-agents>=0.6.1",
     "openinference-instrumentation-google-adk>=0.1.0",
@@ -24,11 +24,11 @@ dependencies = [
     "sqlalchemy>=2.0.46",
     "sqlglot>=28.6.0",
     "weaviate-client>=4.18.3",
-    "pypdf>=6.10.2", # CVE-2026-28804: ASCIIHexDecode DoS fixed in 6.7.5; GHSA-4pxv-j86v-mhcw/GHSA-7gw9-cf7v-778f/GHSA-x284-j5p8-9c5p: DoS fixed in 6.10.2
+    "pypdf>=6.10.2", # CVE-2026-28804: ASCIIHexDecode DoS fixed in 6.7.5; GHSA-jj6c-8h6c-hppx/GHSA-4pxv-j86v-mhcw/GHSA-7gw9-cf7v-778f/GHSA-x284-j5p8-9c5p: DoS via crafted PDFs fixed in 6.10.2
     "httpx>=0.27.0",
     "tenacity>=8.2.0",
     "python-dotenv>=1.0.0",
-    "html-to-markdown>=2.24.0",
+    "html-to-markdown>=2.24.0,<3.0.0",
 ]
 
 [project.scripts]

pyproject.toml

@@ -12,7 +12,7 @@ dependencies = [
     "beautifulsoup4>=4.13.4",
     "datasets>=3.6.0",
     "e2b-code-interpreter>=2.4.1",
-    "langfuse>=3.10.3",
+    "langfuse>=3.10.3,<4.0.0",
     "lxml>=6.0.0",
     "nest-asyncio>=1.6.0",
     "numpy<2.3.0",
@@ -31,7 +31,7 @@ dependencies = [
     "tenacity>=9.1.2",
     "certifi>=2026.1.4",
     "pillow>=12.2.0", # CVE-2026-40192: FITS decompression bomb fixed in 12.2.0
-    "pypdf>=6.10.2", # CVE-2026-28804: ASCIIHexDecode DoS fixed in 6.7.5; CVE-2026-33123: array-based stream DoS fixed in 6.9.1; CVE-2026-40260: XMP metadata memory DoS fixed in 6.10.0; GHSA-4pxv-j86v-mhcw/GHSA-7gw9-cf7v-778f/GHSA-x284-j5p8-9c5p: DoS fixed in 6.10.2
+    "pypdf>=6.10.2", # CVE-2026-28804: ASCIIHexDecode DoS fixed in 6.7.5; CVE-2026-33123: array-based stream DoS fixed in 6.9.1; CVE-2026-40260: XMP metadata memory DoS fixed in 6.10.0; GHSA-jj6c-8h6c-hppx/GHSA-4pxv-j86v-mhcw/GHSA-7gw9-cf7v-778f/GHSA-x284-j5p8-9c5p: DoS via crafted PDFs fixed in 6.10.2
     "python-multipart>=0.0.26", # CVE-2026-40347: multipart parsing DoS fixed in 0.0.26
 ]
 
@@ -70,6 +70,7 @@ web-search = [
     "google-cloud-firestore>=2.21.0",
     "fastapi[standard]>=0.116.1",
     "google-genai>=1.46.0",
+    "python-multipart>=0.0.26", # CVE-2026-40347: DoS via crafted multipart preamble/epilogue fixed in 0.0.26
     "simplejson>=3.20.2",
 ]