From 0fc45587cde7b59a5480ffceb266284b31aa2eb0 Mon Sep 17 00:00:00 2001
From: Username
Date: Sun, 18 Jan 2026 09:16:08 +0100
Subject: [PATCH] deps: pin transitive dependencies for security fixes

- urllib3>=2.6.3 (CVE-2025-43859)
- jaraco.context>=6.1.0 (GHSA-58pv-8j8x-9vj2)
- setuptools>=80.0 (vendored jaraco.context)

reduces High vulnerabilities from 6 to 3
---
 pyproject.toml | 3 +++
 requirements.txt | 5 +++++
 2 files changed, 8 insertions(+)

diff --git a/pyproject.toml b/pyproject.toml
index 534682d..8e2ca1d 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -7,6 +7,9 @@ requires-python = ">=3.11"
 dependencies = [
     "flask>=3.0",
     "cryptography>=42.0",
+    # Security fixes (transitive dependency pins)
+    "urllib3>=2.6.3",
+    "jaraco.context>=6.1.0",
 ]
 
 [project.optional-dependencies]
diff --git a/requirements.txt b/requirements.txt
index 0be6149..02306a6 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -9,3 +9,8 @@ prometheus-flask-exporter>=0.23
 
 # PKI support (optional)
 cryptography>=42.0
+
+# Security fixes (transitive dependency pins)
+urllib3>=2.6.3
+jaraco.context>=6.1.0
+setuptools>=80.0
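Review bot: The two new `dependencies` entries in pyproject.toml turn urllib3 and jaraco.context into declared direct dependencies of the project even though the comment above them says they are only transitive, and `>=` is a lower bound rather than a pin, so a resolver may still select any later release. Nothing in the hunk records which advisory each floor answers; that mapping lives only in the commit message, so suggest annotating each entry so it can be re-verified when the floor is raised or dropped: `"urllib3>=2.6.3",  # CVE-2025-43859` and `"jaraco.context>=6.1.0",  # GHSA-58pv-8j8x-9vj2`. The message also says setuptools vendors its own jaraco.context, so the `jaraco.context>=6.1.0` floor here does not reach that vendored copy; if the file has a `[build-system]` table, a `setuptools>=80.0` floor there is what governs the isolated build environment, since nothing in this hunk constrains it. The `dependencies` array starts and ends inside the hunk, but the rest of the `[project]` table is outside it.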
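Review bot: `setuptools>=80.0` is added only in this requirements.txt hunk and not in the pyproject.toml hunk, so an environment installed from the project metadata (rather than from this file) gets no setuptools floor at all, and as a runtime requirement it only affects the installed environment, not the build step where setuptools actually runs. The comment `# Security fixes (transitive dependency pins)` also overstates what `>=` does; a wording such as `# Minimum versions for security advisories (lower bounds, not exact pins)` would keep a future reader from assuming the resolved versions are fixed. If reproducible security posture is the goal, the exact resolved versions belong in a lock or hashed constraints file, with this file keeping only the floors.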