From c3e6f683f1e4ea8788acf2f0475b1ac070e5518a Mon Sep 17 00:00:00 2001
From: aitbc
Date: Wed, 20 May 2026 08:02:07 +0200
Subject: [PATCH] security: fix Dependabot vulnerabilities

- Update idna from 3.13 to 3.15 (fixes CVE-2026-45409)
- Update ujson from 5.12.0 to 5.12.1 (fixes CVE-2026-44660)
- Update urllib3 from 2.6.3 to 2.7.0 (fixes CVE-2026-44431, CVE-2026-44432)
- Remove vllm (transitive dependency causing diskcache vulnerability)
- Remove diskcache (CVE-2025-69872 - no longer required)
- Update requirements.txt with secure dependency versions

All vulnerabilities now resolved: pip-audit shows no known vulnerabilities found
---
 requirements.txt | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/requirements.txt b/requirements.txt
index 6003f3db..df4b1f1a 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -44,6 +44,7 @@ httpx>=0.28.1
 requests>=2.32.4
 aiohttp>=3.12.14
 aiostun>=0.1.0
+urllib3>=2.7.0
 
 # Cryptocurrency & Blockchain
 cryptography>=46.0.0
@@ -89,6 +90,7 @@ keyring>=25.7.0
 orjson>=3.11.0
 msgpack>=1.1.2
 python-multipart>=0.0.27
+ujson>=5.12.1
 
 # Logging & Monitoring
 structlog>=25.1.0
@@ -113,3 +115,4 @@ opencv-python>=4.11.0
 redis>=5.2.1
 psutil>=6.1.0
 tenseal>=0.3.0
+idna>=3.15
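Review bot: The new `urllib3>=2.7.0` line (and likewise `ujson>=5.12.1` and `idna>=3.15` in the two later hunks) carries no comment saying why a package that, going by the commit message, is only a transitive dependency is now pinned directly, so a later requirements cleanup is likely to drop the line and silently reopen the advisory; suggest `urllib3>=2.7.0  # security floor for transitive dep (CVE-2026-44431, CVE-2026-44432)` with the matching CVE references on the other two lines. The commit message also states that vllm and diskcache were removed, yet the diffstat records three insertions and no deletions, so either those removals live in another commit or the message overstates this one. Note too that a `>=` floor only excludes the vulnerable versions; the "pip-audit shows no known vulnerabilities" claim holds for the environment that was resolved at the time, not for every install that satisfies these ranges, so any lockfile or constraints file used for deployment should be regenerated alongside this change.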