chore(docs): sync supply-chain record with pyproject after #531/#553 [PYSDK-114] (#605)

helmut-hoffer-von-ankershoffen · claude · web-flow · commit 3ee8ac2596b5 · 2026-04-27T10:08:24.000+02:00
The auditable record in SUPPLY_CHAIN_VULNERABILITIES.md and one inline annotation in pyproject.toml lagged behind reality after Renovate #531 (nicegui 3.9.0 -> 3.11.0, citing CVE-2026-39844) and Dependabot #553 (nbconvert 7.17.0 -> 7.17.1, citing CVE-2026-39377 + CVE-2026-39378) were merged. The lower bounds in pyproject.toml were correctly raised at merge time, so no consumer was exposed; the gap was purely in the reviewer-facing record. This is a record-keeping fix only: no version constraint changes, no uv.lock regeneration, no consumer-visible behaviour change. Every existing pyproject.toml lower bound is preserved. Discovered by the pysdk-audit-daily routine on 2026-04-27 during the clean-audit no-op path (Step 1b/1d.1 bot-PR walk). Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
diff --git a/SUPPLY_CHAIN_VULNERABILITIES.md b/SUPPLY_CHAIN_VULNERABILITIES.md
@@ -101,7 +101,7 @@ version.
 
 | Package | Constraint | Protects against | Severity | Applies to | Since |
 | --- | --- | --- | --- | --- | --- |
-| `nicegui[native]` | `>=3.9.0,<4` | [CVE-2026-21871](https://nvd.nist.gov/vuln/detail/CVE-2026-21871), [CVE-2026-21873](https://nvd.nist.gov/vuln/detail/CVE-2026-21873), [CVE-2026-21874](https://nvd.nist.gov/vuln/detail/CVE-2026-21874) (≥3.5.0); [CVE-2026-25516](https://nvd.nist.gov/vuln/detail/CVE-2026-25516) (≥3.7.0); [CVE-2026-27156](https://nvd.nist.gov/vuln/detail/CVE-2026-27156) (≥3.8.0); [CVE-2026-33332](https://nvd.nist.gov/vuln/detail/CVE-2026-33332) (≥3.9.0) | Medium | always | 2026-01-09 (≥3.5.0); 2026-04-24 raised to ≥3.9.0 |
+| `nicegui[native]` | `>=3.11.0,<4` | [CVE-2026-21871](https://nvd.nist.gov/vuln/detail/CVE-2026-21871), [CVE-2026-21873](https://nvd.nist.gov/vuln/detail/CVE-2026-21873), [CVE-2026-21874](https://nvd.nist.gov/vuln/detail/CVE-2026-21874) (≥3.5.0); [CVE-2026-25516](https://nvd.nist.gov/vuln/detail/CVE-2026-25516) (≥3.7.0); [CVE-2026-27156](https://nvd.nist.gov/vuln/detail/CVE-2026-27156) (≥3.8.0); [CVE-2026-33332](https://nvd.nist.gov/vuln/detail/CVE-2026-33332) (≥3.9.0); [CVE-2026-39844](https://nvd.nist.gov/vuln/detail/CVE-2026-39844) (≥3.10.0) | Medium | always | 2026-01-09 (≥3.5.0); 2026-04-24 raised to ≥3.9.0; 2026-04-26 raised to ≥3.11.0 (#531) |
 | `pyjwt[crypto]` | `>=2.12.0,<3` | [CVE-2026-32597](https://nvd.nist.gov/vuln/detail/CVE-2026-32597) | High | always | 2026-04-24 |
 | `requests` | `>=2.33.0,<3` | [CVE-2026-25645](https://nvd.nist.gov/vuln/detail/CVE-2026-25645) | Medium | always | 2026-03-26 |
 | `urllib3` | `>=2.6.3,<3` | [CVE-2026-21441](https://nvd.nist.gov/vuln/detail/CVE-2026-21441) | Medium | always | 2026-01-08 |
@@ -121,7 +121,7 @@ version.
 | `lxml-html-clean` | `>=0.4.4` | [CVE-2026-28348](https://nvd.nist.gov/vuln/detail/CVE-2026-28348), [CVE-2026-28350](https://nvd.nist.gov/vuln/detail/CVE-2026-28350) | Medium | always | 2026-04-24 |
 | `python-multipart` | `>=0.0.26` | [CVE-2026-24486](https://nvd.nist.gov/vuln/detail/CVE-2026-24486) (≥0.0.22); [CVE-2026-40347](https://nvd.nist.gov/vuln/detail/CVE-2026-40347) (≥0.0.26) | High | always | 2026-04-24 |
 | `protobuf` | `>=6.33.5` | [CVE-2026-0994](https://nvd.nist.gov/vuln/detail/CVE-2026-0994) | High | always | 2026-04-24 |
-| `nbconvert` | `>=7.17.1` | [CVE-2025-53000](https://nvd.nist.gov/vuln/detail/CVE-2025-53000) | High | with the `jupyter` extra | 2026-04-24 |
+| `nbconvert` | `>=7.17.1` | [CVE-2025-53000](https://nvd.nist.gov/vuln/detail/CVE-2025-53000) (≥7.17.0); [CVE-2026-39377](https://nvd.nist.gov/vuln/detail/CVE-2026-39377), [CVE-2026-39378](https://nvd.nist.gov/vuln/detail/CVE-2026-39378) (≥7.17.1) | High | with the `jupyter` extra | 2026-04-24 (≥7.17.1) |
 | `jupyter-core` | `>=5.8.1` | [CVE-2025-30167](https://nvd.nist.gov/vuln/detail/CVE-2025-30167) | High | with the `jupyter` extra | 2025-12-10 |
 | `jupyterlab` | `>=4.4.9` | [CVE-2025-59842](https://nvd.nist.gov/vuln/detail/CVE-2025-59842) | Low | with the `jupyter` extra | 2025-12-10 |
 | `marimo` | `>=0.23.0,<1` | [GHSA-2679-6mx9-h9xc](https://github.com/advisories/GHSA-2679-6mx9-h9xc) | Medium | with the `marimo` extra | 2026-04-24 |
diff --git a/pyproject.toml b/pyproject.toml
@@ -155,7 +155,7 @@ jupyter = [
     # WARNING: one cannot negate or downgrade a dependency required here. use override-dependencies for that.
     "jupyter-core>=5.8.1",              # CVE-2025-30167
     "jupyterlab>=4.4.9",                # CVE-2025-59842
-    "nbconvert>=7.17.1",                # CVE-2025-53000 (>=7.17.0, Dependabot #424); Dependabot #553 raised to 7.17.1
+    "nbconvert>=7.17.1",                # CVE-2025-53000 (>=7.17.0, Dependabot #424); CVE-2026-39377, CVE-2026-39378 (>=7.17.1, Dependabot #553)
 ]
 marimo = [
     "cloudpathlib>=0.23.0,<1",

Original file line number	Diff line number	Diff line change
`@@ -155,7 +155,7 @@ jupyter = [`
`155`	`155`	`# WARNING: one cannot negate or downgrade a dependency required here. use override-dependencies for that.`
`156`	`156`	`"jupyter-core>=5.8.1", # CVE-2025-30167`
`157`	`157`	`"jupyterlab>=4.4.9", # CVE-2025-59842`
`158`		`- "nbconvert>=7.17.1", # CVE-2025-53000 (>=7.17.0, Dependabot #424); Dependabot #553 raised to 7.17.1`
	`158`	`+ "nbconvert>=7.17.1", # CVE-2025-53000 (>=7.17.0, Dependabot #424); CVE-2026-39377, CVE-2026-39378 (>=7.17.1, Dependabot #553)`
`159`	`159`	`]`
`160`	`160`	`marimo = [`
`161`	`161`	`"cloudpathlib>=0.23.0,<1",`