fix(deps): upgrade vulnerable transitive dependencies [security] (#4318)
## Summary
Automated scan found CVEs in transitive dependencies locked in `uv.lock`
files.
These packages were upgraded to patched versions.
### Remediated vulnerabilities
| Package | From | To | Severity | CVE |
|---|---|---|---|---|
| aiohttp | 3.13.3 | 3.13.4 | Low | CVE-2026-34514 |
| aiohttp | 3.13.3 | 3.13.4 | Low | CVE-2026-34517 |
| aiohttp | 3.13.3 | 3.13.4 | Low | CVE-2026-34520 |
| aiohttp | 3.13.3 | 3.13.4 | Low | CVE-2026-34518 |
| aiohttp | 3.13.3 | 3.13.4 | Medium | CVE-2026-34525 |
| aiohttp | 3.13.3 | 3.13.4 | Low | CVE-2026-34513 |
| aiohttp | 3.13.3 | 3.13.4 | Medium | CVE-2026-34516 |
| aiohttp | 3.13.3 | 3.13.4 | Low | CVE-2026-34519 |
| aiohttp | 3.13.3 | 3.13.4 | Medium | CVE-2026-34515 |
| aiohttp | 3.13.3 | 3.13.4 | Medium | CVE-2026-22815 |
| authlib | 1.6.8 | 1.6.9 | High | CVE-2026-28490 |
| authlib | 1.6.8 | 1.6.9 | High | CVE-2026-28498 |
| authlib | 1.6.8 | 1.6.9 | Critical | CVE-2026-27962 |
| cryptography | 46.0.5 | 46.0.6 | Low | CVE-2026-34073 |
| onnx | 1.20.1 | 1.21.0 | High | CVE-2026-34445 |
| onnx | 1.20.1 | 1.21.0 | Medium | CVE-2026-34446 |
| onnx | 1.20.1 | 1.21.0 | Medium | CVE-2026-34447 |
| onnx | 1.20.1 | 1.21.0 | High | GHSA-q56x-g2fj-4rj6 |
| pyasn1 | 0.6.2 | 0.6.3 | High | CVE-2026-30922 |
| pygments | 2.19.2 | 2.20.0 | Low | CVE-2026-4539 |
| pyjwt | 2.11.0 | 2.12.0 | High | CVE-2026-32597 |
### Skipped (major version bump required)
| Package | From | To | Severity | CVE | Reason |
|---|---|---|---|---|---|
| langchain-core | 0.3.83 | 1.2.11 | Low | CVE-2026-26013 | major bump |
| langchain-core | 0.3.83 | 1.2.22 | High | CVE-2026-34070 | major bump |
> These require a major version upgrade and should be planned manually.
### What this PR does
1. Scans all `uv.lock` files with [grype](https://github.com/anchore/grype) for known CVEs
2. Runs `uv lock --upgrade-package <pkg>` for each fixable vulnerability (skips major bumps)
3. Bumps component versions (patch) and updates CHANGELOGs via `version-bump`
> Created by [lockfile-security-scan](https://github.com/Unstructured-IO/infra/actions/workflows/lockfile-security-scan.yml).
> Targets **transitive dependencies** that Renovate cannot reach.
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Primarily lockfile-only dependency bumps to address CVEs; runtime behavior may change subtly due to upgraded networking/auth/crypto/ML libraries, but no application logic changes are included.
>
> **Overview**
> Bumps release to `0.22.15` and documents the change as a *security* release.
>
> Upgrades vulnerable transitive dependencies in `uv.lock` (notably `aiohttp`, `authlib`, `cryptography`, `onnx`, `pyasn1`, `pygments`, `pyjwt`) and updates lock resolution markers (including `s390x` splits), with no source-code behavior changes beyond updated dependency versions.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit dbac0b27ef61d0481c93b15b46e8dc07def01841. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
Co-authored-by: utic-renovate[bot] <utic-renovate[bot]@users.noreply.github.com>