From 1ebf4ea9069f72df23846dca73d1af893f869c3e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tr=E1=BA=A7n=20=C4=90=E1=BB=A9c=20Tr=C3=AD?= <117420686+tridpt@users.noreply.github.com>
Date: Mon, 15 Jun 2026 07:40:22 +0700
Subject: [PATCH] chore(deps): raise minimum versions to patched releases (Pillow, python-multipart, Jinja2, fastapi) to clear Dependabot alerts

---
 backend/requirements.txt | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/backend/requirements.txt b/backend/requirements.txt
index 5dcf68e..d7cafe2 100644
--- a/backend/requirements.txt
+++ b/backend/requirements.txt
@@ -1,6 +1,8 @@
-fastapi>=0.115.0
-uvicorn[standard]>=0.30.0
-python-multipart>=0.0.9
+# Web framework — starlette pulled transitively; floor raised to patched releases.
+fastapi>=0.115.6
+uvicorn[standard]>=0.30.6
+# python-multipart < 0.0.18 has a DoS CVE (GHSA-2jv5-9r88-3w3p / 59gj).
+python-multipart>=0.0.18
 youtube-transcript-api>=1.0.0
 google-genai>=1.0.0
 python-dotenv>=1.0.0
@@ -9,7 +11,9 @@ bcrypt>=4.0.0
 PyJWT>=2.0.0
 google-auth>=2.0.0
 psycopg2-binary>=2.9.0
-Pillow>=10.0.0
+# Pillow < 10.3 has multiple image-parsing CVEs (buffer overflow).
+Pillow>=10.3.0
+# Jinja2 < 3.1.5 has sandbox-escape / template CVEs.
+jinja2>=3.1.5
 pytest>=8.0.0
 pytest-asyncio>=0.24.0
-jinja2>=3.0.0
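Review bot: The new comment above `fastapi>=0.115.6` says starlette is "pulled transitively" and covered by the raised floor, yet no starlette line exists in this file, so the starlette version actually installed is whatever range the resolved fastapi release happens to declare rather than a floor this file guarantees; if starlette advisories are among the alerts being cleared, add an explicit `starlette>=<first patched release>` line next to fastapi so the requirement is stated, not inherited. The python-multipart comment cites `GHSA-2jv5-9r88-3w3p / 59gj`, and `59gj` is not a complete GHSA identifier — spell the second advisory out in full or drop it, because a truncated id cannot be looked up by the next reader. These are also `>=` floors, not pins: they satisfy Dependabot, but the deployed version is still decided at install time, so a pinned (ideally hash-checked) lockfile generated from this file is what actually fixes the backend build to the patched releases.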
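Review bot: The `jinja2>=3.1.5` floor is commented as clearing "sandbox-escape / template CVEs", but Jinja2 has since shipped a further sandbox-escape fix (3.1.6, to my recollection — verify against the advisory database), so for a change dated mid-2026 this floor probably still leaves an open alert; raise it to the latest patched release, e.g. `jinja2>=3.1.6`, and cite the advisory ids in the comment as the python-multipart line does. The Pillow comment says only "buffer overflow", while a 10.3.0 floor also covers Pillow's earlier ImageMath.eval code-execution fix; a comment such as `# Pillow < 10.3.0: image-parsing buffer overflow and ImageMath.eval code-execution fixes.` records why this exact floor was chosen. Moving jinja2 up next to Pillow leaves the two pytest lines sandwiched among runtime dependencies — a `# test-only` comment above `pytest>=8.0.0` would keep the grouping readable.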