From 2ea150b51718a1dec8328cac43cfc0b5a6a177a7 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 13 Apr 2026 00:26:09 +0000
Subject: [PATCH 1/3] Update numpy requirement from <3,>=2.2 to >=2.2.6,<3

Updates the requirements on [numpy](https://github.com/numpy/numpy) to permit the latest version.
- [Release notes](https://github.com/numpy/numpy/releases)
- [Changelog](https://github.com/numpy/numpy/blob/main/doc/RELEASE_WALKTHROUGH.rst)
- [Commits](https://github.com/numpy/numpy/compare/v2.2.0...v2.2.6)

---
updated-dependencies:
- dependency-name: numpy
dependency-version: 2.2.6
dependency-type: direct:production
...

Signed-off-by: dependabot[bot]
---
pyproject.toml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index 6a5d8db..1f1d553 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -12,7 +12,7 @@ readme = "README.md"
 dependencies = [
 # Dependencies available from both PyPI and conda should be listed here
- "numpy>=2.2,<3",
+ "numpy>=2.2.6,<3",
 "QtPy",
 "PyQt5",
 "pyqtgraph",

From 14f65b9915d720df9dfa707fd081a0c53b9ad879 Mon Sep 17 00:00:00 2001
From: Chen Zhang
Date: Mon, 20 Apr 2026 16:26:38 -0400
Subject: [PATCH 2/3] Fix CVE-2026-39892 by updating cryptography to >=46.0.7

---
pyproject.toml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index 1f1d553..20626b8 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -113,7 +113,7 @@ brotli = ">=1.2.0"
 urllib3 = ">=2.6.3" # Known vulnerability in <2.6.3
 filelock = ">=3.20.3" # Known vulnerability in <3.20.3
 virtualenv = ">=20.36.1,<21" # Known vulnerability in <20.36.1; capped due to https://github.com/pypa/hatch/issues/2193
-cryptography = ">=46.0.5" # CVE-2026-26007
+cryptography = ">=46.0.7" # CVE-2026-26007, CVE-2026-39892
 requests = ">=2.33.0" # CVE-2026-25645
 pillow = ">=12.1.1" # CVE-2026-25990
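Review bot: The raised `cryptography = ">=46.0.7"` floor in the second patch sits in what looks like the pixi (conda) dependency table — its header is outside the hunk, but the next header visible in the series is `[tool.pixi.pypi-dependencies]` — whereas the project's own `dependencies = [` list touched by the first patch (under `readme = "README.md"`, presumably `[project]`) shows a version bound only on `numpy` among the entries in view. If cryptography, requests or pillow are also listed there without floors, a plain pip install of this package is not covered by these CVE-driven bounds and the comments give a false sense of coverage. Either mirror the floors into that list (`"cryptography>=46.0.7",` and likewise for the other CVE entries) or state on the pixi lines that the `[project]` list is deliberately unconstrained because supported installs go through pixi; which of the two applies cannot be told from this hunk.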
From 48b51ab0614718d050ac0fcaefc4d30ddd25bf43 Mon Sep 17 00:00:00 2001
From: Chen Zhang
Date: Mon, 20 Apr 2026 16:29:39 -0400
Subject: [PATCH 3/3] Fix CVE-2026-40192 (pillow) and CVE-2025-71176 (pytest)

---
pyproject.toml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 20626b8..2fed305 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -115,7 +115,7 @@ filelock = ">=3.20.3" # Known vulnerability in <3.20.3
 virtualenv = ">=20.36.1,<21" # Known vulnerability in <20.36.1; capped due to https://github.com/pypa/hatch/issues/2193
 cryptography = ">=46.0.7" # CVE-2026-26007, CVE-2026-39892
 requests = ">=2.33.0" # CVE-2026-25645
-pillow = ">=12.1.1" # CVE-2026-25990
+pillow = ">=12.2.0" # CVE-2026-25990, CVE-2026-40192
 [tool.pixi.pypi-dependencies]
 # PyPI dependencies, including this package to allow local editable installs
@@ -154,7 +154,7 @@ default = { features = [
 jupyter = { features = ["developer", "jupyter"], solve-group = "jupyter" }
 [tool.pixi.feature.test.dependencies]
-pytest = ">=6.2.4,<9.0.0" # constrained to match pytest-playwright requirements
+pytest = ">=9.0.3" # CVE-2025-71176 fixed in 9.0.3
 pytest-cov = "*"
 pytest-repeat = "*"
 pytest-xdist = "*"
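Review bot: The new `pytest = ">=9.0.3"` line in the second hunk drops the `<9.0.0` cap whose removed comment said it existed to match pytest-playwright's requirements, yet nothing in this patch touches pytest-playwright or records that it now accepts pytest 9; pytest-playwright itself is not visible in the hunk, so its current pin cannot be checked here. If the resolved pytest-playwright still pins pytest below 9, the `test` feature will stop solving rather than quietly pick up the fixed pytest, and the CVE-2025-71176 remediation will be reverted under pressure to get CI green. Confirm the pytest-playwright floor that supports pytest 9 in the same patch and keep the rationale on the line, e.g. `pytest = ">=9.0.3" # CVE-2025-71176 fixed in 9.0.3; cap removed once pytest-playwright >=<VERSION-TO-CONFIRM> supported pytest 9`. The pillow floor in the first hunk raises no concern on its own.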