From c1450f42110abd79012e62daba1cd0bf11189bce Mon Sep 17 00:00:00 2001
From: Simon Strandgaard <neoneye@gmail.com>
Date: Fri, 26 Jun 2026 13:49:10 +0200
Subject: [PATCH] chore(deps): bump worker_plan deps to patch security alerts

Resolves Dependabot security alerts in worker_plan/pyproject.toml by bumping to the first stable patched release of each package:

- aiohttp 3.13.5 -> 3.14.1 (alerts #152,#153,#156-#164)
- tornado 6.5.4 -> 6.5.7 (alerts #113,#114,#136,#155,#165,#166,#171)
- python-multipart 0.0.22 -> 0.0.32 (alerts #142,#149,#167-#170)
- urllib3 2.6.3 -> 2.7.0 (alerts #150,#151)
- marshmallow 3.24.2 -> 3.26.2 (alert #81), staying on 3.x to avoid the breaking 4.x major

transformers alert #137 is excluded: its only fix is the 5.x major line and the vulnerable Trainer class is never imported by PlanExe (handled separately).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 worker_plan/pyproject.toml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/worker_plan/pyproject.toml b/worker_plan/pyproject.toml
index a5be1435..f9380e0c 100644
--- a/worker_plan/pyproject.toml
+++ b/worker_plan/pyproject.toml
@@ -9,7 +9,7 @@ requires-python = ">=3.13"
 dependencies = [
     "aiofiles==25.1.0",
     "aiohappyeyeballs==2.6.2",
-    "aiohttp==3.13.5",
+    "aiohttp==3.14.1",
     "aiosignal==1.4.0",
     "annotated-types==0.7.0",
     "anyio==4.14.0",
@@ -65,7 +65,7 @@ dependencies = [
     "Markdown==3.10.2",
     "markdown-it-py==4.2.0",
     "MarkupSafe==3.0.3",
-    "marshmallow==3.24.2",
+    "marshmallow==3.26.2",
     "mdurl==0.1.2",
     # "mistralai==1.5.2",
     "multidict==6.7.1",
@@ -87,7 +87,7 @@ dependencies = [
     "python-daemon==3.1.2",
     "python-dateutil==2.9.0.post0",
     "python-dotenv==1.2.2",
-    "python-multipart==0.0.22",
+    "python-multipart==0.0.32",
     "pytz==2026.1.post1",
     "PyYAML==6.0.3",
     "regex==2026.4.4",
@@ -105,14 +105,14 @@ dependencies = [
     "tenacity==9.1.4",
     "tiktoken==0.13.0",
     "tokenizers==0.22.1",
-    "tornado==6.5.4",
+    "tornado==6.5.7",
     "tqdm==4.67.1",
     "transformers==4.57.3",
     "typer==0.24.1",
     "typing-inspect==0.9.0",
     "typing_extensions==4.15.0",
     "tzdata==2026.2",
-    "urllib3==2.6.3",
+    "urllib3==2.7.0",
     "uvicorn==0.40.0",
     "websockets==16.0",
     "wrapt==2.2.1",