Fix 23 Dependabot vulnerabilities — bump all pinned dependencies

SL-Mar · claude · SL-Mar · commit 205b52eca5ff · 2026-02-09T16:11:25.000+01:00
- requirements-lock.txt: update all pinned versions to current installed
  - aiohttp 3.9.3 → 3.13.3 (fixes 10 CVEs incl. high severity)
  - urllib3 2.2.0 → 2.6.3 (fixes 5 CVEs incl. high severity)
  - pdfminer.six 20231228 → 20251230 (fixes 2 high CVEs)
  - requests 2.31.0 → 2.32.5 (fixes 2 medium CVEs)
  - certifi 2024.2.2 → 2026.1.4 (fixes 1 low CVE)
  - Also bumps click, rich, prompt-toolkit, pdfplumber, spacy, etc.
- requirements.txt: raise minimum pins for requests (≥2.32.4), aiohttp (≥3.13.3), pdfplumber (≥0.11.0)
- pyproject.toml: matching minimum pin bumps
- pip-audit confirms 0 known vulnerabilities

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/pyproject.toml b/pyproject.toml
@@ -27,10 +27,10 @@ classifiers = [
 
 dependencies = [
     "click>=8.1.0",
-    "requests>=2.31.0",
-    "pdfplumber>=0.10.0",
+    "requests>=2.32.4",
+    "pdfplumber>=0.11.0",
     "spacy>=3.7.0",
-    "aiohttp>=3.9.0",
+    "aiohttp>=3.13.3",
     "python-dotenv>=1.0.0",
     "pygments>=2.17.0",
     "rich>=13.7.0",
diff --git a/requirements-lock.txt b/requirements-lock.txt
@@ -11,38 +11,38 @@
 #   (then manually clean up to keep only direct dependencies)
 
 # Core CLI
-click==8.1.7
-rich==13.7.1
-prompt-toolkit==3.0.43
+click==8.3.1
+rich==14.3.2
+prompt-toolkit==3.0.52
 InquirerPy==0.3.4
-pygments==2.17.2
+pygments==2.19.2
 
 # HTTP & Networking
-requests==2.31.0
-aiohttp==3.9.3
-urllib3==2.2.0
-certifi==2024.2.2
+requests==2.32.5
+aiohttp==3.13.3
+urllib3==2.6.3
+certifi==2026.1.4
 
 # PDF Processing
-pdfplumber==0.10.4
-pdfminer.six==20231228
+pdfplumber==0.11.9
+pdfminer.six==20251230
 
 # NLP
-spacy==3.7.4
+spacy==3.8.11
 
 # Configuration
-python-dotenv==1.0.1
+python-dotenv==1.2.1
 toml==0.10.2
 
 # Scheduling
-apscheduler==3.10.4
+apscheduler==3.11.2
 
 # Development dependencies (install with: pip install -e ".[dev]")
-# pytest==7.4.4
-# pytest-cov==4.1.0
-# pytest-mock==3.12.0
-# black==24.1.1
-# ruff==0.2.0
-# mypy==1.8.0
-# pre-commit==3.6.0
-# pip-audit==2.7.0
+# pytest==8.x
+# pytest-cov==5.x
+# pytest-mock==3.x
+# black==24.x
+# ruff==0.x
+# mypy==1.x
+# pre-commit==3.x
+# pip-audit==2.x
diff --git a/requirements.txt b/requirements.txt
@@ -1,10 +1,10 @@
-# QuantCoder CLI v2.0.0 Requirements
+# QuantCoder CLI v2.1.0 Requirements
 # Ollama-only local LLM inference
 
 # Core Dependencies
 click>=8.1.0
-requests>=2.31.0
-pdfplumber>=0.10.0
+requests>=2.32.4
+pdfplumber>=0.11.0
 spacy>=3.7.0
 python-dotenv>=1.0.0
 pygments>=2.17.0
@@ -15,4 +15,4 @@ InquirerPy>=0.3.4
 apscheduler>=3.10.0
 
 # Async (Ollama transport)
-aiohttp>=3.9.0
+aiohttp>=3.13.3
