csg-org · isabeleliassen · Feb 17, 2026 · Jan 27, 2026 · Jan 27, 2026 · Jan 28, 2026
diff --git a/.github/workflows/check-compact-connect-ui-app.yml b/.github/workflows/check-compact-connect-ui-app.yml
@@ -24,6 +24,10 @@ jobs:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
       - uses: actions/checkout@v5
 
+      - name: Upgrade pip
+        # Runner image ships pip 25.3; upgrade to 26.0+ so pip-audit passes (CVE-2026-1703 fixed in 26.0)
+        run: pip install --upgrade 'pip>=26.0'
+
       - name: Install dev dependencies
         run: "pip install -r backend/compact-connect-ui-app/requirements-dev.txt"
 
@@ -82,6 +86,10 @@ jobs:
         with:
           python-version: '3.14'
 
+      - name: Upgrade pip
+        # Runner image ships pip 25.3; upgrade to 26.0+ so pip-audit passes (CVE-2026-1703 fixed in 26.0)
+        run: pip install --upgrade 'pip>=26.0'
+
       # Setup Node
       - name: Setup Node
         uses: actions/setup-node@v6
@@ -103,7 +111,7 @@ jobs:
         run: "pip install -r backend/compact-connect-ui-app/requirements-dev.txt"
 
       - name: Install all Python dependencies
-        run: "cd backend/compact-connect; pip install -U 'pip<25.3'; bin/sync_deps.sh"
+        run: "cd backend/compact-connect-ui-app; bin/sync_deps.sh"
 
-      - name: Test backend
+      - name: Test frontend
         run: "cd backend/compact-connect-ui-app; bin/run_tests.sh -l all -no"
diff --git a/.github/workflows/check-compact-connect.yml b/.github/workflows/check-compact-connect.yml
@@ -24,6 +24,10 @@ jobs:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
       - uses: actions/checkout@v5
 
+      - name: Upgrade pip
+        # Runner image ships pip 25.3; upgrade to 26.0+ so pip-audit passes (CVE-2026-1703 fixed in 26.0)
+        run: pip install --upgrade 'pip>=26.0'
+
       - name: Install dev dependencies
         run: "pip install -r backend/compact-connect/requirements-dev.txt"
 
@@ -82,6 +86,10 @@ jobs:
         with:
           python-version: '3.14'
 
+      - name: Upgrade pip
+        # Runner image ships pip 25.3; upgrade to 26.0+ so pip-audit passes (CVE-2026-1703 fixed in 26.0)
+        run: pip install --upgrade 'pip>=26.0'
+
       # Setup Node
       - name: Setup Node
         uses: actions/setup-node@v6
@@ -101,11 +109,9 @@ jobs:
 
       - name: Install dev dependencies
         run: "pip install -r backend/compact-connect/requirements-dev.txt"
-      # Note we are currently pinning the pip version to deal with compatibility issues released with pip 25.3
-      # see https://stackoverflow.com/a/79802727 If this issues is addressed in a later version, we can remove the
-      # extra pip install command so we stop pinning the pip version
+
       - name: Install all Python dependencies
-        run: "cd backend/compact-connect; pip install -U 'pip<25.3'; bin/sync_deps.sh"
+        run: "cd backend/compact-connect; bin/sync_deps.sh"
 
       - name: Test backend
         run: "cd backend/compact-connect; bin/run_tests.sh -l all -no"
@@ -122,6 +128,10 @@ jobs:
         with:
           python-version: '3.12'
 
+      - name: Upgrade pip
+        # Runner image ships pip 25.3; upgrade to 26.0+ so pip-audit passes (CVE-2026-1703 fixed in 26.0)
+        run: pip install --upgrade 'pip>=26.0'
+
       - name: Install dependencies
         run: "cd backend/compact-connect/lambdas/python/purchases; pip install -r requirements.txt"
 

diff --git a/.github/workflows/check-cosmetology-app.yml b/.github/workflows/check-cosmetology-app.yml
@@ -24,6 +24,10 @@ jobs:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
       - uses: actions/checkout@v5
 
+      - name: Upgrade pip
+        # Runner image ships pip 25.3; upgrade to 26.0+ so pip-audit passes (CVE-2026-1703 fixed in 26.0)
+        run: pip install --upgrade 'pip>=26.0'
+
       - name: Install dev dependencies
         run: "pip install -r backend/cosmetology-app/requirements-dev.txt"
 
@@ -81,6 +85,10 @@ jobs:
         with:
           python-version: '3.14'
 
+      - name: Upgrade pip
+        # Runner image ships pip 25.3; upgrade to 26.0+ so pip-audit passes (CVE-2026-1703 fixed in 26.0)
+        run: pip install --upgrade 'pip>=26.0'
+
       # Setup Node
       - name: Setup Node
         uses: actions/setup-node@v6
@@ -100,11 +108,9 @@ jobs:
 
       - name: Install dev dependencies
         run: "pip install -r backend/cosmetology-app/requirements-dev.txt"
-      # Note we are currently pinning the pip version to deal with compatibility issues released with pip 25.3
-      # see https://stackoverflow.com/a/79802727 If this issues is addressed in a later version, we can remove the
-      # extra pip install command so we stop pinning the pip version
+
       - name: Install all Python dependencies
-        run: "cd backend/cosmetology-app; pip install -U 'pip<25.3'; bin/sync_deps.sh"
+        run: "cd backend/cosmetology-app; bin/sync_deps.sh"
 
       - name: Test backend
         run: "cd backend/cosmetology-app; bin/run_tests.sh -l all -no"
diff --git a/.github/workflows/check-multi-account.yml b/.github/workflows/check-multi-account.yml
@@ -24,6 +24,10 @@ jobs:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
       - uses: actions/checkout@v2
 
+      - name: Upgrade pip
+        # Runner image ships pip 25.3; upgrade to 26.0+ so pip-audit passes (CVE-2026-1703 fixed in 26.0)
+        run: pip install --upgrade 'pip>=26.0'
+
       - name: Install dev dependencies
         run: "pip install -r backend/multi-account/control-tower/requirements-dev.txt"
 
@@ -45,6 +49,10 @@ jobs:
         with:
           python-version: '3.12'
 
+      - name: Upgrade pip
+        # Runner image ships pip 25.3; upgrade to 26.0+ so pip-audit passes (CVE-2026-1703 fixed in 26.0)
+        run: pip install --upgrade 'pip>=26.0'
+
       - name: Install dev dependencies
         run: "pip install -r backend/multi-account/control-tower/requirements-dev.txt"
 

diff --git a/backend/.gitignore b/backend/.gitignore
@@ -13,4 +13,4 @@ cdk.out
 cdk.context.json
 *-cdk.context.json
 # smoke test env
-smoke_tests_env.json
+*smoke_tests_env.json
diff --git a/backend/compact-connect/app_clients/README.md b/backend/compact-connect/app_clients/README.md
@@ -52,7 +52,6 @@ The following scopes are available at the jurisdiction level:
 {jurisdiction}/{compact}.admin
 {jurisdiction}/{compact}.write
 {jurisdiction}/{compact}.readPrivate
-{jurisdiction}/{compact}.readSSN
 ```
 
 Currently, the most common scope needed by app clients is `{jurisdiction}/{compact}.write`, which allows uploading

diff --git a/backend/compact-connect/bin/generate_privilege_test_data.py b/backend/compact-connect/bin/generate_privilege_test_data.py
@@ -470,8 +470,9 @@ def main():
 
         # Check if provider already has a privilege for this specific license type in the target state
         existing_privileges = provider_user_records.get_privilege_records(
-            filter_condition=lambda p, license_type=target_license_type: p.jurisdiction == args.privilege_state
-            and p.licenseType == license_type
+            filter_condition=lambda p, license_type=target_license_type: (
+                p.jurisdiction == args.privilege_state and p.licenseType == license_type
+            )
         )
         if existing_privileges:
             if args.provider_id:

diff --git a/backend/compact-connect/lambdas/nodejs/email-notification-service/lambda.ts b/backend/compact-connect/lambdas/nodejs/email-notification-service/lambda.ts
@@ -8,7 +8,7 @@ import { Context } from 'aws-lambda';
 import { EnvironmentVariablesService } from '../lib/environment-variables-service';
 import { CompactConfigurationClient } from '../lib/compact-configuration-client';
 import { JurisdictionClient } from '../lib/jurisdiction-client';
-import { EmailNotificationService, EncumbranceNotificationService, InvestigationNotificationService } from '../lib/email';
+import { EmailNotificationService, EncumbranceNotificationService, InvestigationNotificationService, type PrivilegeExpirationReminderRow } from '../lib/email';
 import { EmailNotificationEvent, EmailNotificationResponse } from '../lib/models/email-notification-service-event';
 
 const environmentVariables = new EnvironmentVariablesService();
@@ -386,6 +386,41 @@ export class Lambda implements LambdaInterface {
                 event.templateVariables?.auditNote || ''
             );
             break;
+        case 'privilegeExpirationReminder': {
+            if (!event.specificEmails?.length) {
+                throw new Error('No recipients found for privilege expiration reminder email');
+            }
+            if (!event.templateVariables?.providerFirstName
+                || !event.templateVariables?.expirationDate
+                || !event.templateVariables?.privileges) {
+                throw new Error('Missing required template variables for privilegeExpirationReminder template.');
+            }
+            const privileges = event.templateVariables.privileges as Array<{ jurisdiction?: string;
+                licenseType?: string; privilegeId?:
+                string; dateOfExpiration?: string;
+                formattedExpirationDate?: string }>;
+
+            if (!Array.isArray(privileges) || privileges.length === 0) {
+                throw new Error('privilegeExpirationReminder template requires a non-empty privileges array.');
+            }
+            for (let i = 0; i < privileges.length; i++) {
+                const p = privileges[i];
+
+                if (!p?.jurisdiction || !p?.licenseType || !p?.privilegeId || !p?.dateOfExpiration) {
+                    throw new Error(
+                        `privilegeExpirationReminder template requires each privilege to have jurisdiction, licenseType, privilegeId, and dateOfExpiration (ISO 8601). Invalid privilege at index ${i}.`
+                    );
+                }
+            }
+            await this.emailService.sendPrivilegeExpirationReminderEmail(
+                event.compact,
+                event.specificEmails,
+                event.templateVariables.providerFirstName,
+                event.templateVariables.expirationDate,
+                privileges as PrivilegeExpirationReminderRow[]
+            );
+            break;
+        }
         case 'licenseInvestigationStateNotification':
             if (!event.jurisdiction) {
                 throw new Error('No jurisdiction provided for license investigation state notification email');

diff --git a/backend/compact-connect/lambdas/nodejs/jest.config.mjs b/backend/compact-connect/lambdas/nodejs/jest.config.mjs
@@ -5,6 +5,7 @@ export default {
     testMatch: ['**/tests/**/*.test.[jt]s?(x)'],
     moduleFileExtensions: ['ts', 'js'],
     verbose: true,
+    setupFilesAfterEnv: ['<rootDir>/tests/jest.setup.ts'],
     testPathIgnorePatterns: [
         '<rootDir>/node_modules/',
     ],