chore(deps): Update by williaby · Pull Request #52 · ByronWilliamsCPA/python-libs

williaby · 2026-06-15T05:13:46Z

Summary

Why

Scheduled patch update, bug fixes and security patches with no API changes.

Changes

This PR contains the following updates:

Change	Update
All locks refreshed	lockFileMaintenance

Impact

✅ Patch update: bug fixes and security patches only
✅ No breaking changes

Acceptance Criteria

All CI checks pass

Testing

CI gates pass (tests, lint, type checking, security scan)

Notes

🔧 This Pull Request updates lock files to use the latest dependency versions.

Configuration

📅 Schedule: (in timezone America/New_York)

Branch creation
- "before 5am on monday"
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

Copilot

Copilot wasn't able to review any files in this pull request.

coderabbitai · 2026-06-15T05:13:54Z

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)

uv.lock is excluded by !**/*.lock, !**/*.lock

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1280c399-e9eb-4445-b2a4-7ee30d4967cb

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Commit unit tests in branch renovate/lock-file-maintenance

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

github-actions · 2026-06-15T05:14:16Z

Dependency Review

The following issues were found:

✅ 0 vulnerable package(s)
❌ 1 package(s) with incompatible licenses
✅ 0 package(s) with invalid SPDX license definitions
⚠️ 79 package(s) with unknown licenses.
⚠️ 1 packages with OpenSSF Scorecard issues.

See the Details below.

License Issues

uv.lock

Package	Version	License	Issue Type
regex	2026.5.9	CNRI-Python AND Apache-2.0	Incompatible License
backrefs	7.0	Null	Unknown License
basedpyright	1.39.8	Null	Unknown License
beautifulsoup4	4.15.0	Null	Unknown License
cloudflare	5.3.0	Null	Unknown License
cryptography	49.0.0	Null	Unknown License
cyclonedx-python-lib	11.10.0	Null	Unknown License
debugpy	1.8.21	Null	Unknown License
distlib	0.4.3	Null	Unknown License
fastapi	0.137.0	Null	Unknown License
filelock	3.29.4	Null	Unknown License
google-api-core	2.31.0	Null	Unknown License
google-auth	2.54.0	Null	Unknown License
google-cloud-storage	3.12.0	Null	Unknown License
google-genai	2.8.0	Null	Unknown License
googleapis-common-protos	1.75.0	Null	Unknown License
griffe-pydantic	1.3.1	Null	Unknown License
griffelib	2.0.2	Null	Unknown License
hypothesis	6.155.2	Null	Unknown License
idna	3.18	Null	Unknown License
ipykernel	7.3.0	Null	Unknown License
ipython	8.39.0	Null	Unknown License
ipython	9.14.1	Null	Unknown License
joserfc	1.7.1	Null	Unknown License
jupyter-client	8.9.1	Null	Unknown License
jupyter-lsp	2.3.1	Null	Unknown License
jupyter-server	2.19.0	Null	Unknown License
jupyterlab	4.5.8	Null	Unknown License
matplotlib-inline	0.2.2	Null	Unknown License
mistune	3.2.1	Null	Unknown License
mkdocs-autorefs	1.4.4	Null	Unknown License
mkdocs-gen-files	0.6.1	Null	Unknown License
mkdocs-get-deps	0.2.2	Null	Unknown License
mkdocs-git-revision-date-localized-plugin	1.5.3	Null	Unknown License
mkdocs-material	9.7.6	Null	Unknown License
mkdocs-section-index	0.3.12	Null	Unknown License
mkdocstrings	1.0.4	Null	Unknown License
mkdocstrings-python	2.0.4	Null	Unknown License
msgpack	1.2.0	Null	Unknown License
nbclient	0.11.0	Null	Unknown License
nbconvert	7.17.1	Null	Unknown License
nodejs-wheel-binaries	24.16.0	Null	Unknown License
notebook	7.5.7	Null	Unknown License
nox	2026.4.10	Null	Unknown License
nox-uv	0.8.0	Null	Unknown License
pathspec	1.1.1	Null	Unknown License
pip	26.1.2	Null	Unknown License
pip-audit	2.10.1	Null	Unknown License
platformdirs	4.10.0	Null	Unknown License
properdocs	1.6.7	Null	Unknown License
proto-plus	1.28.0	Null	Unknown License
protobuf	7.35.1	Null	Unknown License
pydoclint	0.8.6	Null	Unknown License
pymdown-extensions	10.21.3	Null	Unknown License
pytest	9.1.0	Null	Unknown License
pytest-asyncio	1.4.0	Null	Unknown License
python-discovery	1.4.2	Null	Unknown License
python-frontmatter	1.3.0	Null	Unknown License
python-json-logger	4.1.0	Null	Unknown License
pywinpty	3.0.5	Null	Unknown License
redis	8.0.0	Null	Unknown License
respx	0.23.1	Null	Unknown License
rpds-py	2026.5.1	Null	Unknown License
ruamel-yaml	0.19.1	Null	Unknown License
ruff	0.15.17	Null	Unknown License
safety	3.8.1	Null	Unknown License
soupsieve	2.8.4	Null	Unknown License
starlette	1.3.1	Null	Unknown License
stevedore	5.8.0	Null	Unknown License
structlog	26.1.0	Null	Unknown License
tomlkit	0.15.0	Null	Unknown License
tornado	6.5.7	Null	Unknown License
tqdm	4.68.2	Null	Unknown License
traitlets	5.15.1	Null	Unknown License
virtualenv	21.5.0	Null	Unknown License
vulture	2.16	Null	Unknown License
wcwidth	0.8.1	Null	Unknown License
bleach	6.4.0	Null	Unknown License
jedi	0.20.0	Null	Unknown License
parso	0.8.7	Null	Unknown License

Allowed Licenses:
MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, MPL-2.0, LGPL-2.1, LGPL-3.0, Python-2.0, Unlicense, CC0-1.0, GPL-3.0-or-later

OpenSSF Scorecard

Scorecard details

Package

Version

Score

Details

pip/anyio

4.13.0

Unknown

pip/async-lru

2.3.0

🟢 6.9

Details

Check	Score	Reason
Code-Review	🟢 7	Found 6/8 approved changesets -- score normalized to 7
Maintained	🟢 10	22 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Binary-Artifacts	🟢 10	no binaries found in the repo
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	🟢 8	5 out of the last 5 releases have a total of 5 signed artifacts.
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Security-Policy	🟢 10	security policy file detected
Packaging	🟢 10	packaging workflow detected
SAST	🟢 10	SAST tool is run on all commits

pip/attrs

26.1.0

Unknown

pip/authlib

1.7.2

Unknown

pip/babel

2.18.0

Unknown

pip/backrefs

7.0

Unknown

pip/bandit

1.9.4

Unknown

pip/basedpyright

1.39.8

Unknown

pip/beautifulsoup4

4.15.0

Unknown

pip/bleach

6.4.0

🟢 6

Details

Check	Score	Reason
Code-Review	⚠️ 0	Found 0/17 approved changesets -- score normalized to 0
Packaging	⚠️ -1	packaging workflow not detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Security-Policy	🟢 10	security policy file detected
Maintained	🟢 10	15 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	🟢 4	dependency not pinned by hash detected -- score normalized to 4
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	🟢 10	project is fuzzed
License	🟢 9	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

pip/certifi

2026.5.20

🟢 5.9

Details

Check	Score	Reason
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Security-Policy	🟢 10	security policy file detected
Maintained	🟢 8	9 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 8
Binary-Artifacts	🟢 10	no binaries found in the repo
Code-Review	⚠️ 0	Found 0/2 approved changesets -- score normalized to 0
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies	🟢 5	dependency not pinned by hash detected -- score normalized to 5
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 9	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
Packaging	🟢 10	packaging workflow detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

pip/charset-normalizer

3.4.7

Unknown

pip/click

8.4.1

Unknown

pip/cloudflare

5.3.0

Unknown

pip/coverage

7.14.1

Unknown

pip/cryptography

49.0.0

Unknown

pip/cyclonedx-python-lib

11.10.0

Unknown

pip/debugpy

1.8.21

Unknown

pip/decorator

5.3.1

Unknown

pip/distlib

0.4.3

Unknown

pip/fastapi

0.137.0

Unknown

pip/filelock

3.29.4

Unknown

pip/gitpython

3.1.50

🟢 7.7

Details

Check	Score	Reason
Code-Review	🟢 6	Found 4/6 approved changesets -- score normalized to 6
Security-Policy	🟢 10	security policy file detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Maintained	🟢 10	30 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Token-Permissions	🟢 9	detected GitHub workflow tokens with excessive permissions
Binary-Artifacts	🟢 10	no binaries found in the repo
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Fuzzing	🟢 10	project is fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	🟢 3	branch protection is not maximal on development and all release branches
SAST	🟢 10	SAST tool is run on all commits

pip/google-api-core

2.31.0

Unknown

pip/google-auth

2.54.0

Unknown

pip/google-cloud-core

2.6.0

🟢 6.9

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	🟢 10	security policy file detected
License	🟢 10	license file detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Signed-Releases	⚠️ -1	no releases found
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Fuzzing	🟢 10	project is fuzzed
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0

pip/google-cloud-storage

3.12.0

Unknown

pip/google-crc32c

1.8.0

🟢 7.2

Details

Check	Score	Reason
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Security-Policy	🟢 10	security policy file detected
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
Code-Review	🟢 10	all changesets reviewed
Packaging	⚠️ -1	packaging workflow not detected
Maintained	⚠️ 0	project is archived
Binary-Artifacts	🟢 10	no binaries found in the repo
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies	⚠️ 2	dependency not pinned by hash detected -- score normalized to 2
Fuzzing	🟢 10	project is fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
SAST	⚠️ 2	SAST tool is not run on all commits -- score normalized to 2

pip/google-genai

2.8.0

Unknown

pip/google-resumable-media

2.10.0

🟢 6.9

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Maintained	🟢 10	30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	🟢 10	security policy file detected
License	🟢 10	license file detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Signed-Releases	⚠️ -1	no releases found
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Fuzzing	🟢 10	project is fuzzed
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0

pip/googleapis-common-protos

1.75.0

Unknown

pip/griffe-pydantic

1.3.1

Unknown

pip/griffelib

2.0.2

Unknown

pip/hiredis

3.4.0

🟢 5

Details

Check	Score	Reason
Maintained	🟢 7	9 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 7
Binary-Artifacts	🟢 10	no binaries found in the repo
Code-Review	🟢 3	Found 10/28 approved changesets -- score normalized to 3
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	⚠️ 0	security policy file not detected
Packaging	⚠️ -1	packaging workflow not detected
Fuzzing	🟢 10	project is fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

pip/humanize

4.15.0

Unknown

pip/hypothesis

6.155.2

Unknown

pip/identify

2.6.19

🟢 5.9

Details

Check	Score	Reason
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	🟢 8	Found 12/15 approved changesets -- score normalized to 8
Maintained	🟢 10	15 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Fuzzing	⚠️ 0	project is not fuzzed
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Security-Policy	🟢 10	security policy file detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

pip/idna

3.18

Unknown

pip/ipykernel

7.3.0

Unknown

pip/ipython

8.39.0

Unknown

pip/ipython

9.14.1

Unknown

pip/jedi

0.20.0

🟢 5

Details

Check	Score	Reason
Maintained	🟢 10	30 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	⚠️ 0	Found 0/4 approved changesets -- score normalized to 0
Security-Policy	🟢 10	security policy file detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 9	binaries present in source code
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Fuzzing	🟢 10	project is fuzzed
Signed-Releases	⚠️ -1	no releases found
License	🟢 9	license file detected
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

pip/joblib

1.5.3

Unknown

pip/joserfc

1.7.1

Unknown

pip/json5

0.14.0

Unknown

pip/jsonpointer

3.1.1

🟢 4.6

Details

Check	Score	Reason
Code-Review	🟢 5	Found 4/7 approved changesets -- score normalized to 5
Maintained	🟢 10	13 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Packaging	⚠️ -1	packaging workflow not detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	⚠️ 0	security policy file not detected
Fuzzing	⚠️ 0	project is not fuzzed
Signed-Releases	⚠️ -1	no releases found
License	🟢 9	license file detected
Branch-Protection	🟢 3	branch protection is not maximal on development and all release branches
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

pip/jsonschema

4.26.0

Unknown

pip/jupyter-client

8.9.1

Unknown

pip/jupyter-events

0.12.1

Unknown

pip/jupyter-lsp

2.3.1

Unknown

pip/jupyter-server

2.19.0

Unknown

pip/jupyter-server-terminals

0.5.4

Unknown

pip/jupyterlab

4.5.8

Unknown

pip/markdown

3.10.2

Unknown

pip/markdown-it-py

4.2.0

Unknown

pip/marshmallow

4.3.0

Unknown

pip/matplotlib-inline

0.2.2

Unknown

pip/mistune

3.2.1

Unknown

pip/mkdocs-autorefs

1.4.4

Unknown

pip/mkdocs-gen-files

0.6.1

Unknown

pip/mkdocs-get-deps

0.2.2

Unknown

pip/mkdocs-git-revision-date-localized-plugin

1.5.3

Unknown

pip/mkdocs-material

9.7.6

Unknown

pip/mkdocs-section-index

0.3.12

Unknown

pip/mkdocstrings

1.0.4

Unknown

pip/mkdocstrings-python

2.0.4

Unknown

pip/msgpack

1.2.0

Unknown

pip/nbclient

0.11.0

Unknown

pip/nbconvert

7.17.1

Unknown

pip/nest-asyncio2

1.7.2

Unknown

pip/nltk

3.9.4

Unknown

pip/nodeenv

1.10.0

⚠️ 2.8

Details

Check	Score	Reason
Maintained	⚠️ 0	0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Binary-Artifacts	🟢 10	no binaries found in the repo
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	⚠️ 1	Found 5/30 approved changesets -- score normalized to 1
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Security-Policy	⚠️ 0	security policy file not detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 9	license file detected
Signed-Releases	⚠️ -1	no releases found
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches

pip/nodejs-wheel-binaries

24.16.0

Unknown

pip/notebook

7.5.7

Unknown

pip/nox

2026.4.10

Unknown

pip/nox-uv

0.8.0

Unknown

pip/packaging

26.2

Unknown

pip/parso

0.8.7

🟢 4.9

Details

Check	Score	Reason
Maintained	🟢 3	3 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 3
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Security-Policy	🟢 10	security policy file detected
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	🟢 5	Found 7/13 approved changesets -- score normalized to 5
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	🟢 10	project is fuzzed
License	🟢 9	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

pip/pathspec

1.1.1

Unknown

pip/pip

26.1.2

Unknown

pip/pip-audit

2.10.1

Unknown

pip/platformdirs

4.10.0

Unknown

pip/pre-commit

4.6.0

🟢 4.6

Details

Check	Score	Reason
Packaging	⚠️ -1	packaging workflow not detected
Code-Review	⚠️ 1	Found 1/7 approved changesets -- score normalized to 1
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Maintained	🟢 10	19 commit(s) and 23 issue activity found in the last 90 days -- score normalized to 10
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Binary-Artifacts	🟢 10	no binaries found in the repo
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
License	🟢 10	license file detected
Signed-Releases	⚠️ 0	Project has not signed or included provenance with any releases.
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Security-Policy	🟢 10	security policy file detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

pip/prometheus-client

0.25.0

Unknown

pip/properdocs

1.6.7

Unknown

pip/proto-plus

1.28.0

Unknown

pip/protobuf

7.35.1

Unknown

pip/psutil

7.2.2

Unknown

pip/pyasn1

0.6.3

Unknown

pip/pycparser

3.0

Unknown

pip/pydantic

2.13.4

Unknown

pip/pydantic-core

2.46.4

🟢 7.4

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Maintained	🟢 10	30 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Token-Permissions	⚠️ 0	detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies	🟢 8	dependency not pinned by hash detected -- score normalized to 8
License	🟢 10	license file detected
Fuzzing	🟢 10	project is fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	🟢 4	branch protection is not maximal on development and all release branches
Security-Policy	🟢 10	security policy file detected
Packaging	🟢 10	packaging workflow detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

pip/pydantic-settings

2.14.1

Unknown

pip/pydoclint

0.8.6

Unknown

pip/pygments

2.20.0

Unknown

pip/pyjwt

2.13.0

Unknown

pip/pymdown-extensions

10.21.3

Unknown

pip/pyparsing

3.3.2

Unknown

pip/pytest

9.1.0

Unknown

pip/pytest-asyncio

1.4.0

Unknown

pip/pytest-cov

7.1.0

Unknown

pip/python-discovery

1.4.2

Unknown

pip/python-dotenv

1.2.2

Unknown

pip/python-frontmatter

1.3.0

Unknown

pip/python-json-logger

4.1.0

Unknown

pip/pywinpty

3.0.5

Unknown

pip/redis

8.0.0

Unknown

pip/regex

2026.5.9

Unknown

pip/requests

2.34.2

Unknown

pip/respx

0.23.1

Unknown

pip/rich

15.0.0

Unknown

pip/rpds-py

2026.5.1

Unknown

pip/ruamel-yaml

0.19.1

Unknown

pip/ruff

0.15.17

Unknown

pip/safety

3.8.1

Unknown

pip/send2trash

2.1.0

Unknown

pip/setuptools

82.0.1

Unknown

pip/smmap

5.0.3

🟢 5.2

Details

Check	Score	Reason
Code-Review	🟢 6	Found 6/10 approved changesets -- score normalized to 6
Packaging	⚠️ -1	packaging workflow not detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Maintained	⚠️ 0	0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Security-Policy	🟢 9	security policy file detected
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
Token-Permissions	🟢 10	GitHub workflow tokens follow principle of least privilege
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ 0	branch protection not enabled on development/release branches
SAST	🟢 3	SAST tool is not run on all commits -- score normalized to 3

pip/soupsieve

2.8.4

Unknown

pip/starlette

1.3.1

Unknown

pip/stevedore

5.8.0

Unknown

pip/structlog

26.1.0

Unknown

pip/tabulate

0.10.0

Unknown

pip/tenacity

9.1.4

🟢 5.9

Details

Check	Score	Reason
Code-Review	🟢 10	all changesets reviewed
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Maintained	🟢 3	3 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 3
Token-Permissions	🟢 9	detected GitHub workflow tokens with excessive permissions
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	⚠️ 0	dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Fuzzing	⚠️ 0	project is not fuzzed
License	🟢 10	license file detected
Signed-Releases	⚠️ -1	no releases found
Packaging	🟢 10	packaging workflow detected
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Security-Policy	⚠️ 0	security policy file not detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

pip/tinycss2

1.5.1

Unknown

pip/tomli

2.4.1

Unknown

pip/tomlkit

0.15.0

Unknown

pip/tornado

6.5.7

Unknown

pip/tqdm

4.68.2

Unknown

pip/traitlets

5.15.1

Unknown

pip/truststore

0.10.4

Unknown

pip/typer

0.25.1

Unknown

pip/tzdata

2026.2

🟢 7.3

Details

Check	Score	Reason
Maintained	🟢 10	14 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow	🟢 10	no dangerous workflow patterns detected
Code-Review	🟢 7	Found 18/23 approved changesets -- score normalized to 7
Token-Permissions	🟢 9	detected GitHub workflow tokens with excessive permissions
CII-Best-Practices	⚠️ 0	no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts	🟢 10	no binaries found in the repo
Pinned-Dependencies	🟢 4	dependency not pinned by hash detected -- score normalized to 4
License	🟢 9	license file detected
Fuzzing	⚠️ 0	project is not fuzzed
Signed-Releases	⚠️ -1	no releases found
Branch-Protection	⚠️ -1	internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Security-Policy	🟢 10	security policy file detected
Packaging	🟢 10	packaging workflow detected
SAST	⚠️ 0	SAST tool is not run on all commits -- score normalized to 0

pip/urllib3

2.7.0

Unknown

pip/virtualenv

21.5.0

Unknown

pip/vulture

2.16

Unknown

pip/wcwidth

0.8.1

Unknown

pip/websockets

16.0

Unknown

Scanned Files

uv.lock

sonarqubecloud · 2026-06-15T05:14:18Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

socket-security · 2026-06-15T05:14:20Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	License
	hypothesis@6.148.6 ⏵ 6.155.2	^-2		^-30
	safety@3.7.0 ⏵ 3.8.1	⁺²
	google-genai@1.55.0 ⏵ 2.8.0	^-3
	pytest@9.0.1 ⏵ 9.1.0	⁺¹	⁺²
	google-auth@2.43.0 ⏵ 2.54.0	^-5
	mkdocs-material@9.7.0 ⏵ 9.7.6	⁺¹
	google-cloud-storage@3.6.0 ⏵ 3.12.0	^-2
	pre-commit@4.5.0 ⏵ 4.6.0	⁺¹
	bandit@1.9.2 ⏵ 1.9.4	⁺¹
	nox@2025.11.12 ⏵ 2026.4.10	⁺¹
	ipykernel@7.1.0 ⏵ 7.3.0
	pip-audit@2.10.0 ⏵ 2.10.1	⁺¹
	rich@14.2.0 ⏵ 15.0.0	⁺¹
	redis@7.1.0 ⏵ 8.0.0
	cloudflare@4.3.1 ⏵ 5.3.0
	python-frontmatter@1.1.0 ⏵ 1.3.0	^-1
	python-dotenv@1.2.1 ⏵ 1.2.2	⁺¹	⁺²
	basedpyright@1.35.0 ⏵ 1.39.8	⁺¹
	mkdocs-gen-files@0.6.0 ⏵ 0.6.1	⁺¹
	google-api-core@2.28.1 ⏵ 2.31.0
	pydantic@2.12.5 ⏵ 2.13.4	⁺¹
	vulture@2.14 ⏵ 2.16
	starlette@0.50.0 ⏵ 1.3.1		⁺²
	ruamel-yaml@0.18.16 ⏵ 0.19.1
	cryptography@46.0.3 ⏵ 49.0.0		⁺¹⁸
	pytest-cov@7.0.0 ⏵ 7.1.0
	ruff@0.14.8 ⏵ 0.15.17	⁺¹
	mkdocs-git-revision-date-localized-plugin@1.5.0 ⏵ 1.5.3	⁺¹
	fastapi@0.123.8 ⏵ 0.137.0
	pytest-asyncio@1.3.0 ⏵ 1.4.0	⁺¹
	mkdocs-section-index@0.3.10 ⏵ 0.3.12	⁺¹
See 9 more rows in the dashboard

View full report

socket-security · 2026-06-15T05:14:21Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Warn		Obfuscated code: pypi `jupyterlab` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: uv.lock → `pypi/jupyter@1.1.1` → `pypi/jupyterlab@4.5.8` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/jupyterlab@4.5.8`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: pypi `nltk` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: uv.lock → `pypi/safety@3.8.1` → `pypi/nltk@3.9.4` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/nltk@3.9.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: pypi `nltk` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: uv.lock → `pypi/safety@3.8.1` → `pypi/nltk@3.9.4` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/nltk@3.9.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: pypi `nodejs-wheel-binaries` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: uv.lock → `pypi/basedpyright@1.39.8` → `pypi/nodejs-wheel-binaries@24.16.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: pypi `nodejs-wheel-binaries` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: uv.lock → `pypi/basedpyright@1.39.8` → `pypi/nodejs-wheel-binaries@24.16.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: pypi `nodejs-wheel-binaries` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: uv.lock → `pypi/basedpyright@1.39.8` → `pypi/nodejs-wheel-binaries@24.16.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: pypi `nodejs-wheel-binaries` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: uv.lock → `pypi/basedpyright@1.39.8` → `pypi/nodejs-wheel-binaries@24.16.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: pypi `nodejs-wheel-binaries` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: uv.lock → `pypi/basedpyright@1.39.8` → `pypi/nodejs-wheel-binaries@24.16.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: pypi `nodejs-wheel-binaries` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: uv.lock → `pypi/basedpyright@1.39.8` → `pypi/nodejs-wheel-binaries@24.16.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: pypi `nodejs-wheel-binaries` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: uv.lock → `pypi/basedpyright@1.39.8` → `pypi/nodejs-wheel-binaries@24.16.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: pypi `nodejs-wheel-binaries` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: uv.lock → `pypi/basedpyright@1.39.8` → `pypi/nodejs-wheel-binaries@24.16.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: pypi `nodejs-wheel-binaries` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: uv.lock → `pypi/basedpyright@1.39.8` → `pypi/nodejs-wheel-binaries@24.16.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: pypi `nodejs-wheel-binaries` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: uv.lock → `pypi/basedpyright@1.39.8` → `pypi/nodejs-wheel-binaries@24.16.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: pypi `nodejs-wheel-binaries` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: uv.lock → `pypi/basedpyright@1.39.8` → `pypi/nodejs-wheel-binaries@24.16.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: pypi `nodejs-wheel-binaries` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: uv.lock → `pypi/basedpyright@1.39.8` → `pypi/nodejs-wheel-binaries@24.16.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: pypi `nodejs-wheel-binaries` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: uv.lock → `pypi/basedpyright@1.39.8` → `pypi/nodejs-wheel-binaries@24.16.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: pypi `nodejs-wheel-binaries` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: uv.lock → `pypi/basedpyright@1.39.8` → `pypi/nodejs-wheel-binaries@24.16.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: pypi `nodejs-wheel-binaries` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: uv.lock → `pypi/basedpyright@1.39.8` → `pypi/nodejs-wheel-binaries@24.16.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: pypi `nodejs-wheel-binaries` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: uv.lock → `pypi/basedpyright@1.39.8` → `pypi/nodejs-wheel-binaries@24.16.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/nodejs-wheel-binaries@24.16.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: pypi `pycparser` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: uv.lock → `pypi/ipykernel@7.3.0` → `pypi/cryptography@49.0.0` → `pypi/jupyter@1.1.1` → `pypi/pycparser@3.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/pycparser@3.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: pypi `pycparser` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: uv.lock → `pypi/ipykernel@7.3.0` → `pypi/cryptography@49.0.0` → `pypi/jupyter@1.1.1` → `pypi/pycparser@3.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/pycparser@3.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

codecov · 2026-06-15T05:15:17Z

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

github-advanced-security · 2026-06-15T05:15:20Z

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

chore(deps): Update

3e7471f

Copilot AI review requested due to automatic review settings June 15, 2026 05:13

williaby added dependencies lock-file-maintenance labels Jun 15, 2026

Copilot AI reviewed Jun 15, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(deps): Update#52

chore(deps): Update#52
williaby wants to merge 1 commit into
mainfrom
renovate/lock-file-maintenance

williaby commented Jun 15, 2026

Uh oh!

Copilot AI left a comment

Uh oh!

coderabbitai Bot commented Jun 15, 2026

Review skipped

Uh oh!

github-actions Bot commented Jun 15, 2026

Uh oh!

sonarqubecloud Bot commented Jun 15, 2026

Uh oh!

socket-security Bot commented Jun 15, 2026

Uh oh!

socket-security Bot commented Jun 15, 2026

Uh oh!

codecov Bot commented Jun 15, 2026

Uh oh!

github-advanced-security AI commented Jun 15, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Uh oh!

Conversation

williaby commented Jun 15, 2026

Summary

Why

Changes

Impact

Acceptance Criteria

Testing

Notes

Configuration

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai Bot commented Jun 15, 2026

Review skipped

Uh oh!

github-actions Bot commented Jun 15, 2026

Dependency Review

License Issues

uv.lock

OpenSSF Scorecard

Scanned Files

Uh oh!

sonarqubecloud Bot commented Jun 15, 2026

Quality Gate passed

Uh oh!

socket-security Bot commented Jun 15, 2026

Uh oh!

socket-security Bot commented Jun 15, 2026

Uh oh!

codecov Bot commented Jun 15, 2026

Codecov Report

Uh oh!

github-advanced-security AI commented Jun 15, 2026

What Enabling Code Scanning Means:

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants