sec: diskcache <=5.6.3 has unpatched CVE — monitor for upstream fix #3446

@mrveiss

Description

Summary

diskcache in requirements.txt (root) has an open CVE with no patched version available upstream (Dependabot alert #278, dismissed 2026-04-04 as tolerable_risk).

Context

diskcache is pulled in as a transitive dependency. The vulnerable version range covers all published releases as of 2026-04-04.

Action

  • Monitor the diskcache PyPI release page for a patched release
  • When a fix is published: add an explicit diskcache>=<patched_version> pin to the relevant requirements file and close this issue
  • If no fix within 90 days, audit whether diskcache is still actively used and consider replacing it
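A small helper for the monitoring and pinning steps above, added here as an example and not code from this issue or from diskcache. It takes the `releases` mapping served by the PyPI JSON API, ignores pre-releases and yanked releases, reports the lowest release above the vulnerable ceiling, and checks whether a requirements file already carries the pin. The release data in `SAMPLE_RELEASES` is constructed; every version above 5.6.3 in it is a placeholder, since no fixed version is known from the issue.

```python
import re
from typing import Optional

VULNERABLE_CEILING = "5.6.3"  # from the issue title: diskcache <=5.6.3
# Constructed sample of the "releases" mapping served by https://pypi.org/pypi/diskcache/json;
# every version above 5.6.3 here is a placeholder, not a real diskcache release.
SAMPLE_RELEASES = {
    "5.6.1": [{"yanked": False}],
    "5.6.3": [{"yanked": False}],
    "5.6.4": [{"yanked": True}],      # yanked release: must not be chosen
    "5.7.0rc1": [{"yanked": False}],  # pre-release: must not be chosen
    "5.7.0": [{"yanked": False}],
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)((?:a|b|rc)\d+)?$")

def parse_version(text: str) -> Optional[tuple]:
    """Return (padded numeric tuple, is_prerelease); None if not a plain PEP 440 version."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums + (0,) * (4 - len(nums)), m.group(2) is not None  # so 5.7 == 5.7.0

def find_patched_release(releases: dict, ceiling: str = VULNERABLE_CEILING) -> Optional[str]:
    """Lowest final, non-yanked release strictly above `ceiling`, or None if none exists yet."""
    ceil_nums, _ = parse_version(ceiling)
    candidates = []
    for name, files in releases.items():
        parsed = parse_version(name)
        if parsed is None or parsed[1]:
            continue  # unparseable or pre-release
        if not files or all(f.get("yanked", False) for f in files):
            continue  # no installable files for this version
        if parsed[0] > ceil_nums:
            candidates.append((parsed[0], name))
    return min(candidates)[1] if candidates else None

def pin_line(version: str) -> str:
    """The requirements line the issue asks for once a fix exists."""
    return f"diskcache>={version}"

def requirements_pins_fix(requirements_text: str, patched: str) -> bool:
    """True if some line pins diskcache with a lower bound at or above `patched`."""
    want, _ = parse_version(patched)
    for line in requirements_text.splitlines():
        m = re.match(r"^\s*diskcache\s*>=\s*([\w.]+)", line.split("#", 1)[0], re.IGNORECASE)
        if m and (v := parse_version(m.group(1))) and not v[1] and v[0] >= want:
            return True
    return False
```

With live data, fetch the JSON URL above and pass `payload["releases"]` to `find_patched_release`; a `None` result means keep monitoring.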

References
