warpdotdev · tylerlam-warp · Jun 24, 2026
diff --git a/pyproject.toml b/pyproject.toml
@@ -46,11 +46,9 @@ aiohttp = ["aiohttp>=3.13.5", "httpx_aiohttp>=0.1.9"]
 [tool.uv]
 managed = true
 required-version = ">=0.9"
-# Security pin: idna is a transitive dependency (via httpx + anyio) and is not
-# declared above. Versions <3.15 are vulnerable to CVE-2026-45409
-# (GHSA-65pc-fj4g-8rjx), so constrain it without adding it as a direct
-# dependency. Sealed as custom code so it survives SDK regeneration.
-constraint-dependencies = ["idna>=3.15"]
+# Security pins for undeclared transitive deps, kept here so they survive SDK
+# regeneration: idna>=3.15 (CVE-2026-45409), pygments>=2.20.0 (CVE-2026-4539).
+constraint-dependencies = ["idna>=3.15", "pygments>=2.20.0"]
 conflicts = [
     [
       { group = "pydantic-v1" },

diff --git a/requirements-dev.lock b/requirements-dev.lock
@@ -32,7 +32,7 @@ httpx==0.28.1
     # via
     #   oz-agent-sdk
     #   respx
-idna==3.11
+idna==3.18
     # via
     #   anyio
     #   httpx
@@ -62,7 +62,7 @@ pydantic==2.12.5
     # via oz-agent-sdk
 pydantic-core==2.41.5
     # via pydantic
-pygments==2.19.2
+pygments==2.20.0
     # via
     #   pytest
     #   rich

diff --git a/uv.lock b/uv.lock