
fix: force aiohttp>=3.14.0 for GHSA-jg22-mg44-37j8, GHSA-hg6j-4rv6-33pg #6041

Open

greysonlalonde wants to merge 1 commit into main from fix/aiohttp-cve-3.14.0


Conversation

@greysonlalonde (Contributor) commented Jun 4, 2026

What

Force aiohttp>=3.14.0 via [tool.uv] override-dependencies to remediate two advisories flagged by pip-audit:

aiohttp is a transitive dependency; the lock previously resolved it to 3.13.4.

Why a per-package exclude-newer

The repo enforces exclude-newer = "3 days". aiohttp 3.14.0 was published 2026-06-01, inside that window, so a normal uv lock could not select it. Added a tight exclude-newer-package = { aiohttp = "2026-06-02T00:00:00Z" } so only 3.14.0 (and nothing newer) becomes eligible, consistent with the existing security-override convention in [tool.uv].

Other pip-audit findings (not in this PR)

  • pyjwt (4 advisories) and uv (1) are already remediated — the lock pins 2.13.0 and 0.11.17. Local environments just need uv sync.
  • chromadb 1.1.1 (GHSA-f4j7-r4q5-qw2c) has no published fix version yet; left as-is.

Verification

  • uv lock updates only aiohttp 3.13.4 -> 3.14.0; no other package versions change.
  • Pre-commit uv-lock consistency check passes.

Note

Low Risk
Dependency-only security bump with no application code changes; minor risk from aiohttp minor-version upgrade in transitive HTTP stacks.

Overview
Remediates two pip-audit advisories on transitive aiohttp by pinning aiohttp>=3.14.0 in [tool.uv] override-dependencies and refreshing uv.lock (3.13.4 → 3.14.0).

Because the repo’s exclude-newer = "3 days" would block 3.14.0 (released 2026-06-01), the PR adds a narrow exclude-newer-package entry for aiohttp so the override can resolve without widening the global freshness policy.

Reviewed by Cursor Bugbot for commit 591db52.

Summary by CodeRabbit

  • Chores
    • Updated dependency version constraints to ensure aiohttp compatibility and enforce security requirements. Improved dependency resolution configuration for better stability.

@coderabbitai (Bot) commented Jun 4, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: c78c08c9-e8d4-41b3-b62a-611581ea67c8

📥 Commits

Reviewing files that changed from the base of the PR and between aed6923 and 591db52.

⛔ Files ignored due to path filters (1)
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • pyproject.toml

📝 Walkthrough

This PR updates the pyproject.toml UV package manager configuration to enforce a minimum aiohttp>=3.14.0 version by combining a package-specific exclude-newer-package override with an explicit override-dependencies constraint, plus supporting vulnerability documentation.

Changes

aiohttp Security Version Floor Enforcement

Layer / File(s): aiohttp version and vulnerability constraints (pyproject.toml)
Summary: Comment documents the aiohttp <3.14.0 vulnerability context; the exclude-newer-package override allows aiohttp to bypass the exclude-newer time window; override-dependencies adds an explicit aiohttp>=3.14.0 entry to enforce the minimum version floor during transitive resolution.

🎯 2 (Simple) | ⏱️ ~5 minutes

Suggested labels

size/S

Suggested reviewers

  • renatonitta
  • heitorado

Poem

🐰 A patch to pin the aiohttp floor,
Three config lines to guard before,
Version walls that hold secure,
Vulnerabilities to endure!
Safety anchored, safe and sound,
No weak versions will be found. 🔒

🚥 Pre-merge checks | ✅ 5 passed
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and specifically describes the main change: forcing aiohttp>=3.14.0 to fix two security vulnerabilities (GHSA-jg22-mg44-37j8 and GHSA-hg6j-4rv6-33pg), which directly matches the PR's primary objective.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage; skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

