sec(dep): starlette

chore(Docker): fix

Author: helmut-hoffer-von-ankershoffen

.python-version

@@ -1 +1 @@
-3.13.7
+3.13.9

Dockerfile

@@ -8,7 +8,7 @@ FROM base AS builder
 COPY --from=ghcr.io/astral-sh/uv:0.9.5 /uv /bin/uv
 
 # We use the system interpreter managed by uv
-ENV UV_PYTHON_DOWNLOADS=1
+ENV UV_PYTHON_DOWNLOADS=0
 
 # Enable bytecode compilation
 ENV UV_COMPILE_BYTECODE=1
@@ -125,6 +125,10 @@ FROM target AS all
 # Copy fat app, i.e. with all extras, make it immutable
 COPY --from=builder-all --chown=root:root --chmod=755  /app /app
 
+# Provide writeable .cache folder for python sdk, used for token storage
+RUN mkdir -p /app/.cache
+RUN chmod 777 /app/.cache
+
 # Run as nonroot
 USER app
 WORKDIR /app

noxfile.py

@@ -63,10 +63,10 @@ def _get_test_python_versions() -> list[str]:
     Returns:
         list[str]: List of Python version strings to test against
     """
-    versions = ["3.11.9", "3.12.12", "3.13.7"]
+    versions = ["3.11.9", "3.12.12", PYTHON_VERSION]
     if platform.system() == "Windows" and platform.machine().lower() in {"arm64", "aarch64"}:
-        versions = ["3.13.7"]
-        # Only test with 3.13.7 on Windows ARM due to:
+        versions = [PYTHON_VERSION]
+        # Only test with 3.13.x on Windows ARM due to:
         # 1. Access denied errors when uv >= 0.9.4 tries to recreate venv directories (all Python versions)
         # 2. Instability of Python 3.12.x on Windows ARM platform
     return versions

pyproject.toml

@@ -204,6 +204,7 @@ override-dependencies = [ # https://github.com/astral-sh/uv/issues/4422
     "uv>=0.9.5",                        # CVE-2025-54368
     "jupyterlab>=4.4.9",                # CVE-2025-59842
     "pip>=5.3",                         # CVE-2025-8869  
+    "starlette>=0.49.1",                # GHSA-7f5h-v6xp-fcq8
 ]
 
 [tool.uv.sources]