Principled-Evolution · kmadan · May 14, 2026 · May 14, 2026 · May 14, 2026
diff --git a/.github/workflows/aicertify-ci.yaml b/.github/workflows/aicertify-ci.yaml
@@ -9,6 +9,9 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   basic-checks:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
@@ -7,6 +7,9 @@ on:
     branches: [ main ]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   pre-commit:
     runs-on: ubuntu-latest

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -14,7 +14,7 @@ repos:
         args: [--fix]
 
 -   repo: https://github.com/psf/black
-    rev: 25.1.0  # Will be updated to 25.1.0 after running pre-commit autoupdate
+    rev: 26.3.1  # Bumped to fix GHSA-3936-cmfr-pm3m (cache filename arbitrary write)
     hooks:
     -   id: black
         language_version: python3.12
diff --git a/aicertify/api/__init__.py b/aicertify/api/__init__.py
@@ -7,7 +7,6 @@
 
 import logging
 
-
 # Re-export public API from specialized modules
 from aicertify.api.core import load_contract, CustomJSONEncoder
 

diff --git a/aicertify/api/evaluators.py b/aicertify/api/evaluators.py
@@ -12,7 +12,6 @@
 from typing import Dict, List, Any, Optional, Union
 from datetime import datetime
 
-
 # Import models and evaluation components
 from aicertify.models.contract_models import AiCertifyContract, load_contract
 

diff --git a/aicertify/api/policy.py b/aicertify/api/policy.py
@@ -12,7 +12,6 @@
 from typing import Dict, List, Any, Optional, Union
 from datetime import datetime
 
-
 # Import models
 from aicertify.models.contract_models import AiCertifyContract
 

diff --git a/aicertify/api/reports.py b/aicertify/api/reports.py
@@ -10,7 +10,6 @@
 from typing import Dict, List, Any, Optional
 from datetime import datetime
 
-
 # Import core utilities
 from aicertify.api.core import _ensure_valid_evaluation_structure
 

diff --git a/aicertify/api/utils.py b/aicertify/api/utils.py
@@ -10,7 +10,6 @@
 from typing import Dict, Any, Optional
 from datetime import datetime
 
-
 # Import core utilities
 from aicertify.api.core import CustomJSONEncoder
 

diff --git a/aicertify/evaluators/api.py b/aicertify/evaluators/api.py
@@ -23,7 +23,6 @@
 from aicertify.models.evaluation import MetricValue
 from aicertify.models import Interaction, AiCertifyContract, ModelInfo
 
-
 # Configure logging
 logging.basicConfig(level=logging.INFO, format="%(levelname)s: %(message)s")
 logger = logging.getLogger(__name__)

diff --git a/aicertify/models/evaluation_models.py b/aicertify/models/evaluation_models.py
@@ -23,7 +23,6 @@
     create_compliance_input,
 )
 
-
 # Emit a deprecation warning when this module is imported
 warnings.warn(
     "The 'evaluation_models.py' module is deprecated and will be removed in a future release. "

diff --git a/aicertify/report_generation/flexible_extraction.py b/aicertify/report_generation/flexible_extraction.py
@@ -10,7 +10,6 @@
 import os
 from typing import Any, Callable, Dict, List, Optional
 
-
 # Import models from centralized location
 from aicertify.models.evaluation import MetricValue
 

diff --git a/aicertify/report_generation/report_models.py b/aicertify/report_generation/report_models.py
@@ -10,7 +10,6 @@
 from datetime import datetime
 from pydantic import BaseModel, Field
 
-
 # Re-export models from the centralized location
 from aicertify.models.report import (
     MetricGroup,

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -45,25 +45,25 @@ classifiers = [
 ]
 dependencies = [
     "langfair @ git+https://github.com/mantric/langfair-mantric.git@python-3.12-support",
-    "fastapi>=0.115.8,<0.116.0",
+    "fastapi>=0.119.0,<1.0",
     "uvicorn>=0.34.0,<0.35.0",
     "opa-python-client>=0.1.0",
     "requests>=2.33.0,<3.0.0",
     "python-dotenv>=1.2.2",
     "pandas>=2.2.0",
-    "langchain-openai>=0.0.5",
+    "langchain-openai>=0.3.0,<0.4",
     "pydantic-ai (>=0.0.24,<0.0.25)",
     "markdown (>=3.8.1,<4.0)",
     "reportlab (>=4.3.1,<5.0.0)",
     "yfinance (>=0.2.54,<0.3.0)",
-    "pytest (>=8.3.4,<9.0.0)",
+    "pytest (>=9.0.3,<10.0.0)",
     "datasets (>=3.3.2,<4.0.0)",
     "huggingface-hub (>=0.34.0,<1.0)",
     "deepeval (>=2.4.8,<3.0.0)",
     "colorlog (>=6.9.0,<7.0.0)",
     "pydantic (>=2.10.6,<3.0.0)",
     "rich (>=13.9.4,<14.0.0)",
-    "black (>=25.1.0,<26.0.0)",
+    "black (>=26.3.1,<27.0.0)",
     "h11>=0.14.0",
     "torch>=2.7.0",
     "transformers>=4.53.0",
@@ -79,16 +79,20 @@ dependencies = [
     "pillow>=12.2.0",              # 4 advisories (PSD OOB write, FITS GZIP bomb, font overflow)
     "pypdf>=6.10.2",               # 14 advisories (multiple RAM-exhaust, infinite-loop fixes)
     "nltk>=3.9.4",                 # 1 critical zip slip + 4 high (downloader path traversal, AFO, XSS)
-    "langchain-core>=0.3.85,<0.4",  # 1 critical serialization injection + 4 high; stay on 0.3.x stable
+    # LangChain ecosystem stays on 0.3.x because langfair-mantric pins langchain ^0.3.7.
+    # The 1.x advisories (langchain-core <1.2.22, langchain-text-splitters <1.1.2,
+    # langchain-openai <1.1.14) are upstream-blocked until langfair is updated to
+    # allow LangChain 1.x. Tracked separately.
+    "langchain-core>=0.3.85,<0.4",  # 1 critical serialization + 1 high (overly-broad load allowlists)
     "langchain>=0.3.30,<0.4",       # 1 high (unsafe deserialization); match langchain-core line
-    "langchain-text-splitters>=0.3.9,<0.4",  # 1 high XXE + SSRF in HTMLHeaderTextSplitter
+    "langchain-text-splitters>=0.3.9,<0.4",  # XXE fix on the 0.3.x line
     "langchain-community>=0.3.27,<0.4", # 1 high XXE
     "langsmith>=0.7.31",            # 1 high deserialization + token-redaction bypass
     "pyasn1>=0.6.3",                # 2 high DoS (unbounded recursion)
     "protobuf>=5.29.6,<6",          # 1 high JSON recursion depth bypass; pin to 5.x to avoid major bump
     "banks>=2.4.2",                # 1 critical RCE via Jinja2 SSTI
-    # starlette upgrade deferred — fastapi 0.115.x caps starlette<0.47;
-    # the range-header DoS (GHSA-7f5h-v6xp-fcq8) requires bumping fastapi too.
+    "starlette>=0.49.1",            # 1 high O(n^2) range-header DoS + 1 medium multipart DoS
+    "langchain-openai>=0.3.0,<0.4",     # 1 low SSRF (image token counting DNS rebinding bypass)
     "sentencepiece>=0.2.1",        # 1 high heap overflow
     "orjson>=3.11.6",              # 1 high unbounded recursion
     "brotli>=1.2.0",               # 1 high DoS
@@ -117,10 +121,10 @@ build-backend = "poetry.core.masonry.api"
 packages = [{ include = "aicertify" }]
 
 [tool.poetry.group.dev.dependencies]
-pytest-asyncio = "^0.25.3"
+pytest-asyncio = ">=1.0.0,<2.0.0"
 ruff = "^0.5.5"
 pre-commit = "^4.2.0"
-black = ">=25.1.0,<26.0.0"
+black = ">=26.3.1,<27.0.0"
 
 [tool.ruff]
 line-length = 88
Original file line number	Diff line number	Diff line change
Expand Up		@@ -7,7 +7,6 @@

		import logging


		# Re-export public API from specialized modules
		from aicertify.api.core import load_contract, CustomJSONEncoder

Expand Down