
deps: bump all dependencies to latest versions #20

Merged: GeiserX merged 1 commit into main from deps/bump-all-deps on Apr 27, 2026

Conversation

@GeiserX (Owner) commented Apr 27, 2026

Summary

Production deps (config/requirements.txt)

| Package | Old | New |
| --- | --- | --- |
| requests | >=2.31.0 | >=2.32.5 |
| beautifulsoup4 | >=4.12.0 | >=4.14.3 |
| minify-html | >=0.18.0 | >=0.18.1 |
| rjsmin | >=1.2.2 | >=1.2.5 |
| Pillow | >=10.0.0 | >=11.2.1 |
| lxml | >=4.9.0 | >=5.4.0 |
| urllib3 | >=2.0.0 | >=2.6.3 |
| python-dotenv | >=1.0.0 | >=1.2.1 |
| cssmin | >=0.2.0 | >=0.2.0 (unchanged) |

Dev deps (config/requirements-dev.txt)

| Package | Old | New |
| --- | --- | --- |
| pytest | >=7.4.0 | >=8.3.5 |
| pytest-mock | >=3.11.1 | >=3.15.1 |
| black | >=23.7.0 | >=25.1.0 |
| mypy | >=1.5.0 | >=1.15.0 |

Test plan

  • CI passes on Python 3.9, 3.10, 3.11
  • All existing tests pass with bumped dependencies

Summary by CodeRabbit

  • Chores
    • Updated all dependencies to latest compatible versions for improved stability and security.

Supersedes individual dependabot PRs #10-#19.

Production: requests 2.32.5, beautifulsoup4 4.14.3, minify-html 0.18.1,
rjsmin 1.2.5, Pillow 11.2.1, lxml 5.4.0, urllib3 2.6.3, python-dotenv 1.2.1

Dev: pytest 8.3.5, pytest-mock 3.15.1, black 25.1.0, mypy 1.15.0
@coderabbitai (Bot) commented Apr 27, 2026

Walkthrough

Updates minimum version constraints for development and production dependencies across two configuration files. config/requirements-dev.txt bumps pytest, pytest-mock, black, and mypy. config/requirements.txt updates eight production dependencies including requests, beautifulsoup4, Pillow, lxml, urllib3, and others.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Development Dependencies: config/requirements-dev.txt | Version bumps: pytest (≥7.4.0 → ≥8.3.5), pytest-mock (≥3.11.1 → ≥3.15.1), black (≥23.7.0 → ≥25.1.0), mypy (≥1.5.0 → ≥1.15.0). |
| Production Dependencies: config/requirements.txt | Version floor increases: requests (≥2.31.0 → ≥2.32.5), beautifulsoup4 (≥4.12.0 → ≥4.14.3), minify-html (≥0.18.0 → ≥0.18.1), rjsmin (≥1.2.2 → ≥1.2.5), Pillow (≥10.0.0 → ≥11.2.1), lxml (≥4.9.0 → ≥5.4.0), urllib3 (≥2.0.0 → ≥2.6.3), python-dotenv (≥1.0.0 → ≥1.2.1). |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Pre-merge checks: 5 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: bumping all dependencies to their latest versions across both production and development requirements files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai (Bot) left a review comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@config/requirements.txt`:
- Line 6: Update the Pillow dependency line in requirements.txt (the entry
"Pillow>=11.2.1") to require at least version 12.2.0 (e.g., change to
"Pillow>=12.2.0") so the project pulls a release that includes fixes for
CVE-2025-48379, CVE-2026-25990 and CVE-2026-40192; ensure the updated version
constraint is committed to the same requirements.txt entry.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4fef99ae-172a-4f32-b3b4-12d9452c28b2

📥 Commits

Reviewing files that changed from the base of the PR and between 18d6cb1 and 571376c.

📒 Files selected for processing (2)
  • config/requirements-dev.txt
  • config/requirements.txt

Comment thread config/requirements.txt
urllib3>=2.0.0
python-dotenv>=1.0.0
rjsmin>=1.2.5
Pillow>=11.2.1

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify advisory ranges for Pillow directly from OSV (read-only, no repo access needed)
set -euo pipefail

# Query OSV for advisories affecting Pillow 11.2.1 on PyPI and print each
# advisory's id, summary, aliases and its introduced/fixed range events.
# `.vulns[]?` keeps jq (and so the pipeline, under `set -e`/pipefail) from
# failing when the response carries no "vulns" key, i.e. no known advisories.
curl -s https://api.osv.dev/v1/query -H 'Content-Type: application/json' -d '{
  "package": {"name":"Pillow","ecosystem":"PyPI"},
  "version":"11.2.1"
}' | jq '.vulns[]? | {id, summary, aliases, affected: [.affected[]?.ranges[]?.events[]?]}'

Repository: GeiserX/Wayback-Archive

Length of output: 1338


🌐 Web query:

CVE-2025-48379 Pillow severity

💡 Result:

The severity of CVE-2025-48379 in Pillow is rated as HIGH by the CVE Numbering Authority (CNA, GitHub) with CVSS 3.1 base score 7.1 (Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), and MEDIUM by NIST NVD with CVSS 3.1 base score 5.5 (Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N). This heap buffer overflow occurs when writing large (>64KB) compressed DDS images due to insufficient buffer space checks, affecting Pillow versions 11.2.0 to before 11.3.0. It was fixed in 11.3.0.

Citations:


🌐 Web query:

CVE-2026-25990 Pillow PSD severity

💡 Result:

CVE-2026-25990 is an out-of-bounds write vulnerability in the Pillow Python imaging library when loading specially crafted PSD images. It affects versions from 10.3.0 to before 12.1.1 and was fixed in 12.1.1. Severity ratings vary by CVSS version: - CVSS v3.1 (NVD): Base Score 7.5 (HIGH), Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - CVSS v4.0 (GitHub/CNA): Base Score 8.9 (HIGH), Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P - CVSS v4.0 (Tenable): Base Score 9.3 (CRITICAL), Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Citations:


🌐 Web query:

CVE-2026-40192 Pillow FITS GZIP severity

💡 Result:

The severity of CVE-2026-40192, a vulnerability in the Pillow Python imaging library related to FITS GZIP decompression bombs, is rated as HIGH. The NVD lists a CVSS v3.1 base score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, and a CVSS v4.0 base score of 7.5 (HIGH) with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N. The GitHub security advisory also rates it as High. It affects Pillow versions 10.3.0 through 12.1.1, allowing denial of service via unbounded memory consumption from specially crafted FITS files. Fixed in 12.2.0.

Citations:


Bump Pillow to 12.2.0 or later to address multiple HIGH vulnerabilities.

Pillow 11.2.1 is affected by at least three HIGH-severity vulnerabilities:

Update to 12.2.0 or later to address all three.

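The review's point is that a `>=` floor only excludes releases below it, so `Pillow>=11.2.1` still lets an installer resolve to any release in the vulnerable ranges, and the floor has to be raised to the highest fixed version across the open advisories. The following is an added example, not code from the Wayback-Archive project or from CodeRabbit: it parses `name>=x.y.z` lines, flattens advisory data laid out in the shape of the OSV `/v1/query` response queried above (reduced to the `id`, `affected`, `ranges` and `events` fields this check reads), and reports which advisories a floor still admits and the lowest floor that closes them. The advisory records and the requirements excerpt are constructed from the versions quoted in this thread.

```python
"""Check requirements.txt version floors against advisory fixed versions.

Added example, not the project's or CodeRabbit's code. Advisory records are
constructed from the fixed versions quoted in the review and shaped like an
OSV /v1/query response, keeping only the fields this check reads.
"""
from __future__ import annotations

import re

# Constructed: the three Pillow advisories as quoted in the review, OSV-shaped.
SAMPLE_OSV_RESPONSE = {
    "vulns": [
        {"id": "CVE-2025-48379", "affected": [{"ranges": [{"type": "ECOSYSTEM",
            "events": [{"introduced": "11.2.0"}, {"fixed": "11.3.0"}]}]}]},
        {"id": "CVE-2026-25990", "affected": [{"ranges": [{"type": "ECOSYSTEM",
            "events": [{"introduced": "10.3.0"}, {"fixed": "12.1.1"}]}]}]},
        {"id": "CVE-2026-40192", "affected": [{"ranges": [{"type": "ECOSYSTEM",
            "events": [{"introduced": "10.3.0"}, {"fixed": "12.2.0"}]}]}]},
    ]
}

# Constructed excerpt mirroring the requirements.txt lines shown in the PR thread.
SAMPLE_REQUIREMENTS = """\
urllib3>=2.0.0
python-dotenv>=1.0.0
rjsmin>=1.2.5
Pillow>=11.2.1
"""


def parse_version(v: str) -> tuple[int, ...]:
    """'12.1.1' -> (12, 1, 1). Only plain dotted numeric releases are handled."""
    return tuple(int(p) for p in v.split("."))


def parse_floors(text: str) -> dict[str, str]:
    """Map lowercased package name -> floor for every `name>=x.y.z` line."""
    floors: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        m = re.match(r"^([A-Za-z0-9_.-]+)\s*>=\s*([0-9]+(?:\.[0-9]+)*)$", line)
        if m:
            floors[m.group(1).lower()] = m.group(2)
    return floors


def fixed_ranges(osv_response: dict) -> list[tuple[str, str, str]]:
    """Flatten OSV `affected` ranges into (advisory id, introduced, fixed)."""
    out = []
    for vuln in osv_response.get("vulns", []):
        for aff in vuln.get("affected", []):
            for rng in aff.get("ranges", []):
                introduced, fixed = "0", None
                for ev in rng.get("events", []):
                    introduced = ev.get("introduced", introduced)
                    fixed = ev.get("fixed", fixed)
                if fixed is not None:  # a range without a fix cannot be floored away
                    out.append((vuln["id"], introduced, fixed))
    return out


def floor_admits(floor: str, fixed: str) -> bool:
    """A `>=floor` constraint still lets the resolver pick a vulnerable release
    whenever floor < fixed: nothing excludes versions in [floor, fixed), so
    whatever is cached or mirrored at install time may be selected."""
    return parse_version(floor) < parse_version(fixed)


def required_floor(floor: str, ranges) -> tuple[list[str], str]:
    """Return (advisory ids the floor still admits, lowest floor closing them all)."""
    open_ids = sorted({vid for vid, _intro, fixed in ranges if floor_admits(floor, fixed)})
    if not open_ids:
        return [], floor
    needed = max((fixed for vid, _intro, fixed in ranges if vid in open_ids), key=parse_version)
    return open_ids, needed


def check_requirements(text: str, advisories: dict[str, dict]) -> dict[str, tuple[list[str], str]]:
    """advisories maps lowercased package name -> OSV-shaped response.
    Result maps each floored package with advisory data -> (open ids, required floor)."""
    report = {}
    for pkg, floor in parse_floors(text).items():
        if pkg in advisories:
            report[pkg] = required_floor(floor, fixed_ranges(advisories[pkg]))
    return report


if __name__ == "__main__":
    results = check_requirements(SAMPLE_REQUIREMENTS, {"pillow": SAMPLE_OSV_RESPONSE})
    for pkg, (open_ids, needed) in results.items():
        status = "OK" if not open_ids else f"raise floor to >={needed} for {', '.join(open_ids)}"
        print(f"{pkg}: {status}")
```

Run against the constructed data it reports `pillow: raise floor to >=12.2.0` for all three advisories, matching the review finding; with the floor at 11.3.0 only the two later advisories stay open, and at 12.2.0 none do. The check deliberately ignores the `introduced` boundary when deciding what a floor admits, because a lower bound has no upper bound to pair with: any release at or above the fixed version is the only thing that closes a range.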

@GeiserX GeiserX merged commit 1cf07da into main Apr 27, 2026
5 checks passed
hyperionjrw added a commit to hyperionjrw/Wayback-Archive that referenced this pull request Apr 27, 2026
deps: bump all dependencies to latest versions (GeiserX#20)
@codecov (Bot) commented Apr 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.59%. Comparing base (18d6cb1) to head (571376c).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #20   +/-   ##
=======================================
  Coverage   90.59%   90.59%           
=======================================
  Files           5        5           
  Lines        1425     1425           
=======================================
  Hits         1291     1291           
  Misses        134      134           
| Flag | Coverage Δ |
| --- | --- |
| unittests | 90.59% <ø> (ø) |
