From 0984f726331d3c13c91972151ef8ada997067898 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 8 Jun 2026 09:54:01 +0000
Subject: [PATCH 1/2] Bump astral-sh/setup-uv from 8.1.0 to 8.2.0
Bumps [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) from 8.1.0 to 8.2.0.
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](https://github.com/astral-sh/setup-uv/compare/08807647e7069bb48b6ef5acd8ec9567f424441b...fac544c07dec837d0ccb6301d7b5580bf5edae39)
---
updated-dependencies:
- dependency-name: astral-sh/setup-uv
dependency-version: 8.2.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
---
.github/workflows/code_checks.yml | 2 +-
.github/workflows/publish.yml | 2 +-
.github/workflows/unit_tests.yml | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/code_checks.yml b/.github/workflows/code_checks.yml
index b6248f9..687f169 100644
--- a/.github/workflows/code_checks.yml
+++ b/.github/workflows/code_checks.yml
@@ -32,7 +32,7 @@ jobs:
- uses: actions/checkout@v6.0.2
- name: Install uv
- uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b
+ uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39
with:
# Install a specific version of uv.
version: "0.9.22"
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index eed7e87..768bd32 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -22,7 +22,7 @@ jobs:
- uses: actions/checkout@v6.0.2
- name: Install uv
- uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b
+ uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39
with:
# Install a specific version of uv.
version: "0.9.22"
diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml
index 33d4557..ebca370 100644
--- a/.github/workflows/unit_tests.yml
+++ b/.github/workflows/unit_tests.yml
@@ -40,7 +40,7 @@ jobs:
- uses: actions/checkout@v6.0.2
- name: Install uv
- uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b
+ uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39
with:
# Install a specific version of uv.
version: "0.9.22"
From 1a2ef722a4643a48dac2a8ab0cf3cc08d279ad84 Mon Sep 17 00:00:00 2001
From: "aieng-bot[bot]"
Date: Tue, 9 Jun 2026 01:02:34 +0000
Subject: [PATCH 2/2] chore: bump pip to 26.1.2 to fix PYSEC-2026-196
Bumps pip from 26.1.1 to 26.1.2 to address PYSEC-2026-196, which involves pip treating console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path.
Co-authored-by: aieng-bot
---
pyproject.toml | 2 +-
uv.lock | 8 ++++----
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/pyproject.toml b/pyproject.toml
index f3232f6..2aa2b0b 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -53,7 +53,7 @@ dev = [
"jupyter>=1.1.1",
"jupyterlab>=4.5.7", # CVE-2026-42266/42557: extension allow-list bypass and command linker XSS fixed in 4.5.7
"nbqa>=1.9.1",
- "pip>=26.1", # Pinning version to address vulnerability GHSA-6vgw-5pg2-w6jp, CVE-2026-3219
+ "pip>=26.1.2", # Pinning version to address vulnerability GHSA-6vgw-5pg2-w6jp, CVE-2026-3219, PYSEC-2026-196
"pip-audit>=2.9.0",
"pre-commit>=4.2.0",
"pytest>=9.0.3", # CVE-2025-71176: tmp dir privilege escalation fixed in 9.0.3
diff --git a/uv.lock b/uv.lock
index 050650c..67178d8 100644
--- a/uv.lock
+++ b/uv.lock
@@ -151,7 +151,7 @@ dev = [
{ name = "mypy", specifier = ">=1.19.0" },
{ name = "nbqa", specifier = ">=1.9.1" },
{ name = "pandas-stubs", specifier = ">=2.3.3.260113" },
- { name = "pip", specifier = ">=26.1" },
+ { name = "pip", specifier = ">=26.1.2" },
{ name = "pip-audit", specifier = ">=2.9.0" },
{ name = "pre-commit", specifier = ">=4.2.0" },
{ name = "pytest", specifier = ">=9.0.3" },
@@ -4508,11 +4508,11 @@ wheels = [
[[package]]
name = "pip"
-version = "26.1.1"
+version = "26.1.2"
source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/b6/48/cb9b7a682f6fe01a4221e1728941dd4ac3cd9090a17db3779d6ff490b602/pip-26.1.1.tar.gz", hash = "sha256:d36762751d156a4ee895de8af39aa0abeeeb577f93a2eca6ab62467bbf0f8a78", size = 1840400, upload-time = "2026-05-04T19:02:21.248Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/01/91/47e7d486260f618783899587af63ccf7980fb60245c3e63dd4571c6b57ad/pip-26.1.2.tar.gz", hash = "sha256:f49cd134c61cf2fd75e0ce2676db03e4054504a5a4986d00f8299ae632dc4605", size = 1840799, upload-time = "2026-05-31T17:33:58.56Z" }
wheels = [
- { url = "https://files.pythonhosted.org/packages/3a/eb/fea4d1d51c49832120f7f285d07306db3960f423a2612c6057caf3e8196f/pip-26.1.1-py3-none-any.whl", hash = "sha256:99cb1c2899893b075ff56e4ed0af55669a955b49ad7fb8d8603ecdaf4ed653fb", size = 1812777, upload-time = "2026-05-04T19:02:18.9Z" },
+ { url = "https://files.pythonhosted.org/packages/5d/95/6b5cb3461ea5673ba0995989746db58eb18b91b54dbf331e72f569540946/pip-26.1.2-py3-none-any.whl", hash = "sha256:382ff9f685ee3bc25864f820aa50505825f10f5458ffff07e30a6d96e5715cab", size = 1813144, upload-time = "2026-05-31T17:33:56.772Z" },
]
[[package]]