filthyrake · filthyrake · Jan 18, 2026 · Jan 4, 2026 · Jan 18, 2026 · Jan 18, 2026
diff --git a/.github/workflows/accessibility.yml b/.github/workflows/accessibility.yml
@@ -149,15 +149,15 @@ jobs:
           fuser -k 8888/tcp 2>/dev/null || true
 
       - name: Upload pa11y screenshots
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         if: always()
         with:
           name: pa11y-screenshots
           path: pa11y-screenshots/
           retention-days: 7
 
       - name: Upload Lighthouse report
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         if: always()
         with:
           name: lighthouse-report

diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
@@ -114,9 +114,9 @@ jobs:
           # Ignored vulnerabilities (review quarterly):
           # - PYSEC-2024-87: Jinja2 sandbox escape - not exploitable in our use case (no user templates)
           # - GHSA-34jh-p97f-mpxf: aiohttp CRLF injection - we don't use aiohttp client with untrusted URLs
-          # - GHSA-w853-jp5j-5j7f: filelock race condition - fix version 3.20.1 not yet released (latest: 3.19.1)
-          # Last reviewed: 2025-12-29
-          pip-audit --ignore-vuln PYSEC-2024-87 --ignore-vuln GHSA-34jh-p97f-mpxf --ignore-vuln GHSA-w853-jp5j-5j7f
+          # - GHSA-qmgc-5h2g-mvrw: filelock TOCTOU - fix requires Python 3.10+, container image is patched
+          # Last reviewed: 2026-01-17
+          pip-audit --ignore-vuln PYSEC-2024-87 --ignore-vuln GHSA-34jh-p97f-mpxf --ignore-vuln GHSA-qmgc-5h2g-mvrw
 
   security-summary:
     name: Security Scan Summary

diff --git a/Dockerfile.worker.gpu b/Dockerfile.worker.gpu
@@ -49,6 +49,7 @@ WORKDIR /build
 COPY pyproject.toml ./
 
 # Install Python dependencies to a specific location for copying
+# Note: filelock and jaraco-context are security patches for transitive dependencies
 RUN pip3 install --no-cache-dir --prefix=/install \
     fastapi>=0.100.0 \
     uvicorn>=0.23.0 \
@@ -63,7 +64,9 @@ RUN pip3 install --no-cache-dir --prefix=/install \
     httpx>=0.25.0 \
     watchdog>=3.0.0 \
     slowapi>=0.1.9 \
-    limits>=3.0.0
+    limits>=3.0.0 \
+    "filelock>=3.20.3" \
+    "jaraco-context>=6.1.0"
 
 # Copy source code and install the package
 COPY config.py ./
@@ -92,6 +95,7 @@ RUN dnf install -y \
     ffmpeg \
     ffmpeg-libs \
     curl \
+    && dnf update -y \
     && dnf clean all
 
 # Install Intel VAAPI driver for Arc/Battlemage support

diff --git a/pyproject.toml b/pyproject.toml
@@ -30,6 +30,9 @@ dependencies = [
     "prometheus-client>=0.19.0",  # Prometheus metrics
     "psutil>=5.9.0",  # System resource monitoring for sprite worker
     "argon2-cffi>=23.1.0",  # Secure API key hashing (Issue #445)
+    # Security patches for transitive dependencies
+    # Note: filelock>=3.20.3 fix requires Python 3.10+, pinned in Dockerfile only
+    "jaraco-context>=6.1.0",  # GHSA-58pv-8j8x-9vj2 path traversal vulnerability
 ]
 
 [project.optional-dependencies]

diff --git a/requirements.txt b/requirements.txt
@@ -25,3 +25,7 @@ slowapi>=0.1.9
 
 # System resource monitoring
 psutil>=5.9.0
+
+# Security patches for transitive dependencies
+# Note: filelock>=3.20.3 fix requires Python 3.10+, pinned in Dockerfile only
+jaraco-context>=6.1.0  # GHSA-58pv-8j8x-9vj2 path traversal vulnerability