Stability checkpoint — CVE sweep (11 vulnerable deps to patched) + freshness - fix(deps): CVE sweep — bump vulnerable deps to patched versions - chore(deps): freshness sweep — safe pins bumped, majors held - docs(tasks): alpine image blocker re-checked — now onnxruntime only CI : - OK Main pipeline #356 green — https://gitlab.com/iris-7/iris-service-python/-/pipelines/2665195623 Covers unit-tests, integration-tests (testcontainers pg / redis / kafka), pip-audit, ruff:lint, mypy, import-linter, docs:check, docker-build. - OK Pre-merge MR !86 pipeline #354 green — https://gitlab.com/iris-7/iris-service-python/-/merge_requests/86 - OK pip-audit : 0 known vulnerabilities (was 11 packages flagged before the sweep). Local test pass : - OK uv run pytest — 385 passed, 31 deselected, coverage 92.71% (gate 90%). - OK uv run pip-audit — "No known vulnerabilities found". - SKIP uv run ruff / mypy — N/A locally : both ran green in main pipeline #356 ; a deps-only change does not touch source. Regression check vs stable-py-v0.7.8 : - OK Alpine image blocker still bounded — now onnxruntime-only (no musllinux wheel upstream), documented in TASKS.md. Not regressed. - ML extra deps bumped : torch 2.11.0 -> 2.13.0, onnx 1.21.0 -> 1.22.0, mlflow 3.11.1 -> 3.14.0. Inference path covered by unit tests (ml/ package green). - 11 CVE closed via forced bumps (pip-audit gate, no allow_failure) : - aiohttp 3.13.5 -> 3.14.1 (CVE-2026-54274/76/77/78/80, -50269) - starlette 1.0.0 -> 1.3.1 (PYSEC-2026-161/248/249, CVE-2026-48817/18) - cryptography 46.0.7 -> 48.0.1 (GHSA-537c-gmf6-5ccf) - python-multipart 0.0.27 -> 0.0.32 (CVE-2026-53538/39/40) - pyjwt 2.12.1 -> 2.13.0 (PYSEC-2026-175..179) - idna 3.13 -> 3.18 (PYSEC-2026-215) - msgpack 1.1.2 -> 1.2.1 (GHSA-6v7p-g79w-8964) - onnx 1.21.0 -> 1.22.0 (CVE-2026-44512) - pymdown-extensions 10.21.2 -> 11.0.1 (CVE-2026-46338) - torch 2.11.0 -> 2.13.0 (CVE-2025-3000) - pip 26.1 -> 26.1.2 (PYSEC-2026-196) pip-audit back to 0 known vulnerabilities. - SKIP N/A — no domain / endpoint change ; deps maintenance only. - SKIP N/A — no infra change ; docker-build green on main. - SKIP N/A — no observability change this rev. - 385 unit tests green, 92.71% coverage. The starlette 1.0 -> 1.3.1 jump (FastAPI's ASGI core) validated by the full suite + integration tests — no API break. - pip-audit (no allow_failure) forced the bump ; main pipeline back to green. benchmarks job (allow_failure: true, informational) unchanged. - SKIP N/A — no architectural / ADR change. - SKIP N/A — backend repo. - cryptography 46 -> 48 unblocked by lifting the mlflow 3.11.1 cap to 3.14.0. - pip constrained to >=26.1.2 in the dev extra so pip-audit stops flagging its own transitive dependency (pip -> pip-api -> pip-audit). - Alpine base image (412 MB) blocked : onnxruntime ships no musllinux wheel (MS has no musl CI). Bookworm stays. Tracked in TASKS.md. - pyproject `onnxscript[ml]>=0.7.0` references a non-existent extra (uv warning "package onnxscript==0.7.0 does not have an extra named 'ml'"). Cosmetic ; drop the [ml] qualifier next touch. - Clean up the onnxscript[ml] extra qualifier. - Revisit alpine base image when onnxruntime ships musllinux wheels.