chore(deps): Apply Dependabot version bumps in bulk (#78)

m1so · web-flow · commit 687317200cc7 · 2026-03-17T17:36:42.000+01:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -472,10 +472,20 @@ jobs:
           # * false positive: only affects Arrow R package, not PyArrow
           # * see CVE description: "This vulnerability only affects the arrow R package, not other Apache Arrow implementations"
           # * databricks-sqlalchemy 1.x caps pyarrow<17, but upgrading requires SQLAlchemy 2.x (which is not possible for some Python versions)
+          # CVE-2026-32274 (black cache path injection via --python-cell-magics)
+          # * dev-only dependency, not used with untrusted input
+          # * fix requires black 26.x which changes formatting style; deferring upgrade
+          # CVE-2026-27448, CVE-2026-27459 (pyopenssl callback vulnerabilities)
+          # * transitive dep of snowflake-connector-python, not used directly
+          # * blocked: snowflake-connector-python pins pyOpenSSL<26.0.0 (even in latest 4.3.0 as of 2026-03-17)
+          # * upstream fix: https://github.com/snowflakedb/snowflake-connector-python/pull/2793
           ignore-vulns: &ignore-vulns |
             PYSEC-2023-121
             CVE-2026-0994
             PYSEC-2024-161
+            CVE-2026-32274
+            CVE-2026-27448
+            CVE-2026-27459
 
   audit-all:
     name: Audit - All
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -136,8 +136,9 @@ dependencies = [
     "cryptography>=46.0.5,<47",
     "protobuf>=4.25.8,<6",
     "requests>=2.32.4,<3",
-    "tornado>=6.5,<7",
+    "tornado>=6.5.5,<7",
     "filelock>=3.20.3,<4",
+    "pyjwt>=2.12.0,<3",
     "pynacl>=1.6.2,<2",  # https://github.com/deepnote/deepnote-toolkit/security/dependabot/8
 
     # Config dependencies - they need to be declared both in main and server extras, keep them in sync
