# NOTE(review): no rationale is recorded for this range and it cites no advisory, so it is
# presumably a compatibility pin rather than a security floor — confirm.
cmdstanpy>=1.3.0,<2.0.0
# GHSA-58pv-8j8x-9vj2: Path traversal vulnerability in jaraco.context <6.1.0
# Note: Airflow 2.9.x constraints pin jaraco.context==5.3.0, creating a conflict
# when installing acryl-datahub with Airflow. The airflow-plugin uses a constraints
# override in CI to work around this. This constraint is safe for Docker images
# which don't coexist with Airflow's pinned dependencies.
# NOTE(review): 5.3.0 is inside the affected range (<6.1.0) given above, so any environment
# that follows Airflow's pin instead of this floor presumably stays exposed — confirm where
# the override applies and track it.
jaraco.context>=6.1.0,<7
# urllib3: CVE-2025-66418, CVE-2025-66471, CVE-2026-21441 fixed in >=2.6.3.
# Not pinned here: acryl-great-expectations (via acryl-datahub[snowflake]) requires urllib3<1.27.
# NOTE(review): with no floor here, installs that pull acryl-great-expectations resolve
# urllib3 below 1.27, outside the >=2.6.3 fix range. This file does not say whether the 1.x
# line is affected by these CVEs — confirm and record it as an accepted risk if so.
# Floors for token, TLS, ASN.1 and serialization libraries. Each comment names the advisory
# behind the floor but not the first fixed release.
# NOTE(review): confirm each floor equals (or exceeds) the fixed version in the advisory.
# PyJWT: CVE-2026-32597
# NOTE(review): PyJWT, pyopenssl and pyasn1 have no upper bound, unlike protobuf below —
# a new major release can be selected without review; confirm that is intended.
PyJWT>=2.12.0
# pyOpenSSL: CVE-2026-27459
pyopenssl>=26.0.0
# pyasn1: CVE-2026-30922
pyasn1>=0.6.3
# protobuf (6.x): CVE-2026-0994
# Capped below 7.0.0, so only the 6.x line can satisfy this constraint.
protobuf>=6.33.5,<7.0.0
# aiohttp: CVE-2025-30304, CVE-2025-32442 (request smuggling); keep current patch floor
# Note: Airflow 2.x constraints pin aiohttp==3.10.10 and 3.x pins 3.12.15, creating a
# conflict when installing acryl-datahub with Airflow. The airflow-plugin CI accepts the
# older version; this constraint is safe for Docker images which don't coexist with
# Airflow's pinned dependencies.
# NOTE(review): both Airflow pins named above are below this floor. This file does not say
# whether 3.10.10 / 3.12.15 already contain the fixes for the CVEs above — confirm.
aiohttp>=3.13.4
# NOTE(review): no advisory or reason is recorded for the pillow and setuptools floors —
# TODO add the CVE/GHSA id (or "compatibility") so a later relaxation can be judged.
pillow>=12.1.1
setuptools>=80.10.1
# authlib: JWE RSA1_5 padding oracle (CVE id not recorded here — TODO add); fixed in 1.6.9
# GHSA-jj8c-mmj3-mmgv: OAuth cache CSRF; fixed in >=1.6.11
# Previous Docker minimum: authlib>=1.6.9
# The floor below is the higher of the two fixed versions, so it covers both issues.
authlib>=1.6.11
# NOTE(review): no advisory or reason is recorded for the werkzeug and azure-core floors —
# TODO add.
werkzeug>=3.1.6
azure-core>=1.38.0
# CVE-2026-25087: Apache Arrow C++ Use After Free; fixed in pyarrow 23.0.1. Docker minimum.
pyarrow>=23.0.1
# Docker minimum; airflow-plugin accepts older filelock from Airflow 2.7.3+ constraints for compatibility.
# NOTE(review): the reason for this minimum (advisory vs. compatibility) is not recorded — TODO add.
filelock>=3.20.3
# NOTE(review): none of the floors in this run records the advisory or reason behind it.
# Add the CVE/GHSA id (or "compatibility") next to each entry; without it a reviewer cannot
# tell which floors are security-critical when a dependency conflict forces one to be relaxed.
# All entries are lower bounds only (no upper cap), so any later release, including a new
# major, satisfies them.
nbconvert>=7.17.0
# Packaging/build tooling (pip, wheel).
pip>=26.0
wheel>=0.46.2
flask>=3.1.3
fonttools>=4.60.2
langchain-core>=1.2.22
python-multipart>=0.0.22
sqlparse>=0.5.4
starlette>=0.49.1
PyNaCl>=1.6.2
google-cloud-aiplatform>=1.133.0
langgraph>=1.0.10
langgraph-checkpoint>=4.0.0
langsmith>=0.6.3
# CVE-2026-41066: lxml 6.0.x default entity resolution; fixed in 6.1.0. Major cap until reviewed.
# (unstructured / HTML parsing; bundled venvs such as datahub-documents-bundled.)
# NOTE(review): the floor only changes the library default described above. Code that parses
# untrusted documents and builds its own parser should presumably still set entity-resolution
# options explicitly — confirm against the callers.
lxml>=6.1.0,<7.0.0
# mlflow-skinny: CVE-2025-14287, CVE-2025-15031, CVE-2026-2033 (fixed >=3.9.0)
# Capped below 4.0.0; the cap's reason is not recorded (presumably "until reviewed", as for
# lxml and ujson — confirm).
mlflow-skinny>=3.9.0,<4.0.0
# ujson: parsing huge out-of-range integers leaked memory in 5.4.0–5.11.0; indent handling
# DoS (GHSA-c8rr-9gxc-jprv) fixed in 5.12.0. Cap major until reviewed.
# A single floor at 5.12.0 covers both issues: it is above the leaking range and is the fixed
# release for the DoS.
ujson>=5.12.0,<6
