
[pre-commit.ci] pre-commit autoupdate#202

Open
pre-commit-ci[bot] wants to merge 1 commit into main from pre-commit-ci-update-config

Conversation

@pre-commit-ci pre-commit-ci Bot (Contributor) commented Jun 1, 2026

@amrit110 amrit110 (Member) commented Jun 2, 2026

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerabilities reported by pip-audit, but cannot fix them automatically because no patched version has been released to PyPI yet:

| Package | Version | Vulnerability | Status |
|---------|---------|---------------|--------|
| chromadb | 1.0.20 | CVE-2026-45829 / GHSA-f4j7-r4q5-qw2c | No fix available on PyPI (affects 1.0.0–1.5.9, latest is 1.5.9) |

Why this cannot be auto-fixed

The vulnerability exists in chromadb itself. The OSV advisory confirms all versions from 1.0.0 through 1.5.9 (the current latest) are affected, and fixed_in is empty — no patched release has been published to PyPI. A fix requires the upstream chromadb maintainers to release a new version.

Recommended next steps

  1. Monitor the vulnerability advisory (GHSA-f4j7-r4q5-qw2c) for a patch release
  2. Check if a pip-audit ignore/exception can be added temporarily with justification (requires human review)
  3. Consider whether this dependency can be replaced with an alternative

This PR will not be auto-merged until the vulnerability is resolved.

@amrit110 amrit110 (Member) commented Jun 3, 2026

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerability reported by pip-audit, but cannot fix it automatically because no patched version has been released to PyPI yet:

| Package | Version | Vulnerability | Fix Versions | Status |
|---------|---------|---------------|--------------|--------|
| chromadb | 1.0.20 | CVE-2026-45829 | None | No fix available on PyPI |

Why this cannot be auto-fixed

CVE-2026-45829 is a pre-authentication code injection vulnerability in chromadb that affects all versions from 1.0.0 through 1.5.9 (the current latest release). The OSV advisory confirms last_affected: 1.5.9 with no fixed event — meaning the upstream maintainers have not yet released a patched version.

A fix requires the chromadb maintainers to release a new version that addresses this vulnerability. Once a patched release is published to PyPI, aieng-bot can re-run and apply the update automatically.

Recommended next steps

  1. Monitor the CVE-2026-45829 / GHSA-f4j7-r4q5-qw2c advisory for a patch release from the chromadb project
  2. Check if a pip-audit ignore/exception can be added temporarily with justification (requires human review)
  3. Consider whether this dependency can be replaced with an alternative vector database client

This PR will not be auto-merged until the vulnerability is resolved.

@amrit110 amrit110 (Member) commented Jun 4, 2026

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerabilities reported by pip-audit, but cannot fix them automatically because no patched version has been released to PyPI yet:

| Package | Version | Vulnerability | Status |
|---------|---------|---------------|--------|
| chromadb | 1.0.20 | CVE-2026-45829 (GHSA-f4j7-r4q5-qw2c) | No fix available on PyPI |

Why this cannot be auto-fixed

The vulnerability exists in chromadb itself. CVE-2026-45829 describes a pre-authentication code injection vulnerability affecting chromadb 1.0.0 or later. Despite newer versions being available on PyPI (latest: 1.5.9), none are listed as patched by the PyPI vulnerability advisory (fixed_in: []).

A fix requires the upstream chromadb maintainers to release a version that addresses this CVE and register it with the PyPI vulnerability database. Once a patched release is published, aieng-bot can re-run and apply the update automatically.

Recommended next steps

  1. Monitor the GHSA-f4j7-r4q5-qw2c advisory for a patch release
  2. Check if a pip-audit ignore/exception can be added temporarily with justification (requires human review)
  3. Consider whether this dependency can be replaced with an alternative

This PR will not be auto-merged until the vulnerability is resolved.

@amrit110 amrit110 force-pushed the pre-commit-ci-update-config branch from e2c400c to a288667 on June 5, 2026 01:06
@amrit110 amrit110 (Member) commented Jun 5, 2026

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerabilities reported by pip-audit, but cannot fix them automatically because no patched version has been released to PyPI yet:

| Package | Version | Vulnerability | Status |
|---------|---------|---------------|--------|
| chromadb | 1.0.20 | CVE-2026-45829 | No fix available on PyPI (affects all versions 1.0.0–1.5.9) |

Why this cannot be auto-fixed

The vulnerability exists in chromadb itself. The OSV advisory (GHSA-f4j7-r4q5-qw2c) reports that all versions from 1.0.0 through 1.5.9 (latest) are affected, with no fixed release listed. A fix requires the upstream maintainers to release a new version. Once a patched release is published to PyPI, aieng-bot can re-run and apply the update automatically.

Vulnerability details: A pre-authentication code injection vulnerability in ChromaDB 1.0.0+ allows an unauthenticated attacker to run arbitrary code on the server by sending a malicious model repository with trust_remote_code=true via the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint.

Recommended next steps

  1. Monitor the chromadb vulnerability advisory for a patch release
  2. Consider whether a pip-audit ignore/exception can be added temporarily with justification (requires human review)
  3. Consider whether this dependency can be replaced with an alternative

This PR will not be auto-merged until the vulnerability is resolved.

@amrit110 amrit110 (Member) commented Jun 6, 2026

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerability reported by pip-audit, but cannot fix it automatically because no patched version has been released to PyPI yet:

| Package | Version | Vulnerability | Status |
|---------|---------|---------------|--------|
| chromadb | 1.0.20 | CVE-2026-45829 (GHSA-f4j7-r4q5-qw2c) | No fix available on PyPI |

Why this cannot be auto-fixed

The vulnerability is a critical pre-authentication code injection flaw (CWE-94) that affects ChromaDB versions 1.0.0 through 1.5.9 (the current latest release). The OSV advisory uses last_affected: 1.5.9 with no fixed event, confirming no patched release exists on PyPI.

The vulnerability allows an unauthenticated attacker to run arbitrary code on the server by sending a malicious model repository with trust_remote_code=true via the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint.

A fix requires the upstream ChromaDB maintainers to release a new version. Once a patched release is published to PyPI, aieng-bot can re-run and apply the update automatically.

Recommended next steps

  1. Monitor CVE-2026-45829 / GHSA-f4j7-r4q5-qw2c for a patch release from ChromaDB
  2. Check the ChromaDB issue #6717 for upstream progress
  3. Consider whether a pip-audit ignore/exception can be added temporarily with justification (requires human review)
  4. Consider whether this dependency can be replaced with an alternative

This PR will not be auto-merged until the vulnerability is resolved.

@amrit110 amrit110 (Member) commented Jun 7, 2026

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerabilities reported by pip-audit, but cannot fix them automatically because no patched version has been released to PyPI yet:

| Package | Version | Vulnerability | Status |
|---------|---------|---------------|--------|
| chromadb | 1.0.20 | CVE-2026-45829 / GHSA-f4j7-r4q5-qw2c | No fix available on PyPI |

Why this cannot be auto-fixed

The vulnerability exists in chromadb itself. According to the OSV advisory (GHSA-f4j7-r4q5-qw2c), all versions from 1.0.0 through 1.5.9 (the current latest) are affected — there is no fixed release event. The CVE describes a pre-authentication, code injection vulnerability where an unauthenticated attacker can run arbitrary code by sending a malicious model repository with trust_remote_code=true.

A fix requires the upstream chromadb maintainers to release a new version. Once a patched release is published to PyPI, aieng-bot can re-run and apply the update automatically.

Recommended next steps

  1. Monitor the vulnerability advisory (GHSA-f4j7-r4q5-qw2c) for a patch release
  2. Check if a pip-audit ignore/exception can be added temporarily with justification (requires human review)
  3. Consider whether this dependency can be replaced with an alternative

This PR will not be auto-merged until the vulnerability is resolved.

@amrit110 amrit110 (Member) commented Jun 8, 2026

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerability reported by pip-audit, but cannot fix it automatically because no patched version has been released to PyPI yet:

| Package | Version | Vulnerability | Status |
|---------|---------|---------------|--------|
| chromadb | 1.0.20 | CVE-2026-45829 / GHSA-f4j7-r4q5-qw2c | No fix available on PyPI |

Why this cannot be auto-fixed

The vulnerability is a pre-authentication code injection vulnerability (CVSS 4.0: Critical) affecting chromadb versions 1.0.0 through 1.5.9 (all versions on PyPI). The OSV advisory lists last_affected: 1.5.9 — meaning no patched release exists yet.

A fix requires the upstream maintainers at chroma-core/chroma to release a new version. See issue #6717 for tracking.

Recommended next steps

  1. Monitor the GHSA-f4j7-r4q5-qw2c advisory for a patch release
  2. Check if a pip-audit ignore exception can be added temporarily with justification (requires human review)
  3. Consider whether the trust_remote_code feature is used in this project — if not, the risk may be lower in practice
  4. Consider whether chromadb can be replaced with an alternative

This PR will not be auto-merged until the vulnerability is resolved.

@pre-commit-ci pre-commit-ci Bot force-pushed the pre-commit-ci-update-config branch from a288667 to 8850df8 on June 8, 2026 19:43
@amrit110 amrit110 (Member) commented Jun 9, 2026

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerability reported by pip-audit, but cannot fix it automatically because no patched version has been released to PyPI yet:

| Package | Version | Vulnerability | Status |
|---------|---------|---------------|--------|
| chromadb | 1.0.20 | CVE-2026-45829 | No fix available on PyPI |

Why this cannot be auto-fixed

The vulnerability affects chromadb v1.0.0 and later (pre-authentication code injection via the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint when trust_remote_code=true). pip-audit reports no fixed version in the PyPI advisory database at this time. A fix requires the upstream chromadb maintainers to release a patched version.

What was auto-fixed in this run

  • pip bumped from 26.1 to 26.1.2 to fix PYSEC-2026-196

Recommended next steps

  1. Monitor CVE-2026-45829 for an upstream patch release
  2. Once a patched chromadb version is published to PyPI, aieng-bot can re-run and apply the update
  3. Consider whether a pip-audit ignore exception can be added temporarily with justification (requires human review)

This PR will not be auto-merged until the chromadb vulnerability is resolved.

@amrit110 amrit110 force-pushed the pre-commit-ci-update-config branch from d70f276 to df8cfff on June 10, 2026 01:09
@amrit110 amrit110 (Member) commented

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerabilities reported by pip-audit, but cannot fix them automatically because no patched version has been released to PyPI yet:

| Package | Version | Vulnerability | Status |
|---------|---------|---------------|--------|
| chromadb | 1.0.20 | CVE-2026-45829 / GHSA-f4j7-r4q5-qw2c | No fix available on PyPI |

Why this cannot be auto-fixed

The vulnerability exists in chromadb itself. According to the PyPI OSV advisory, fixed_in: [] — meaning no version of chromadb currently fixes this CVE, including the latest release (1.5.9). The advisory describes a pre-authentication code injection vulnerability affecting chromadb 1.0.0 and later when trust_remote_code=True is set.

A fix requires the upstream chromadb maintainers to release a patched version. Once a patched release is published to PyPI, aieng-bot can re-run and apply the update automatically.

Recommended next steps

  1. Monitor the GHSA-f4j7-r4q5-qw2c advisory for a patch release
  2. Check if a pip-audit ignore/exception can be added temporarily with justification (requires human review)
  3. Consider whether this dependency can be replaced with an alternative

This PR will not be auto-merged until the vulnerability is resolved.

@amrit110 amrit110 (Member) commented

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerability reported by pip-audit, but cannot fix it automatically because no patched version has been released to PyPI yet:

| Package | Version | Vulnerability | Status |
|---------|---------|---------------|--------|
| chromadb | 1.0.20 | CVE-2026-45829 / GHSA-f4j7-r4q5-qw2c | No fix available on PyPI |

Why this cannot be auto-fixed

The vulnerability CVE-2026-45829 (GHSA-f4j7-r4q5-qw2c) is a pre-authentication code injection vulnerability in ChromaDB that allows an unauthenticated attacker to run arbitrary code on the server by sending a malicious model repository with trust_remote_code=true. According to the OSV advisory, this affects all versions from 1.0.0 through 1.5.9 (the current latest), with fixed_in: [] — meaning the upstream maintainers have not yet released a patched version.

Bumping to the latest version (1.5.9) would not resolve the vulnerability — it remains present in all currently published releases.

Recommended next steps

  1. Monitor the GHSA-f4j7-r4q5-qw2c advisory for a patch release
  2. Check if a pip-audit ignore/exception can be added temporarily with justification (requires human review)
  3. Consider whether this dependency can be replaced with an alternative
  4. Review whether the trust_remote_code feature is actually used in this project — if not, the attack surface may be limited

This PR will not be auto-merged until the vulnerability is resolved.

@amrit110 amrit110 (Member) commented

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerabilities reported by pip-audit, but cannot fix them automatically because no patched version has been released to PyPI yet:

| Package | Version | Vulnerability | Status |
|---------|---------|---------------|--------|
| chromadb | 1.0.20 | CVE-2026-45829 / GHSA-f4j7-r4q5-qw2c | No fix available on PyPI |

Why this cannot be auto-fixed

The vulnerability exists in chromadb itself. A pre-authentication code injection vulnerability (CVE-2026-45829) affects chromadb version 1.0.0 and later. The PyPI vulnerability database confirms fixed_in: [] — no patched release has been published yet.

A fix requires the upstream maintainers to release a new version. Once a patched release is published to PyPI, aieng-bot can re-run and apply the update automatically.

Recommended next steps

  1. Monitor the vulnerability advisory (GHSA-f4j7-r4q5-qw2c) for a patch release
  2. Check if a pip-audit ignore/exception can be added temporarily with justification (requires human review)
  3. Consider whether this dependency can be replaced with an alternative

This PR will not be auto-merged until the vulnerability is resolved.

@amrit110 amrit110 (Member) commented

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerability reported by pip-audit, but cannot fix it automatically because no patched version has been released to PyPI yet:

| Package | Version | Vulnerability | Status |
|---------|---------|---------------|--------|
| chromadb | 1.0.20 | CVE-2026-45829 / GHSA-f4j7-r4q5-qw2c | No fix available on PyPI |

Why this cannot be auto-fixed

The vulnerability exists in chromadb itself. According to the OSV advisory, all versions from 1.0.0 through 1.5.9 (the current latest) are affected, with no fixed release published yet:

A pre-authentication, code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint.

Bumping to any newer chromadb version does not resolve the issue — the upstream maintainers must release a patched version.

Recommended next steps

  1. Monitor the GHSA-f4j7-r4q5-qw2c advisory for a patch release
  2. Consider whether trust_remote_code is used in this project (if not, the practical risk may be lower)
  3. If a temporary exception is appropriate, a human reviewer can add GHSA-f4j7-r4q5-qw2c to the ignore-vulns list in the pip-audit workflow with documented justification

This PR will not be auto-merged until the vulnerability is resolved upstream.

@amrit110 amrit110 (Member) commented

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerability reported by pip-audit, but cannot fix it automatically because no patched version has been released to PyPI yet:

| Package | Version | Vulnerability | Status |
|---------|---------|---------------|--------|
| chromadb | 1.0.20 | CVE-2026-45829 (GHSA-f4j7-r4q5-qw2c) | No fix available on PyPI (latest 1.5.9 is also affected) |

Why this cannot be auto-fixed

The vulnerability is a pre-authentication code injection flaw affecting chromadb 1.0.0 and later. According to the OSV advisory, all versions up to and including the latest release (1.5.9) are affected. A fix requires the upstream chromadb maintainers to release a patched version.

Recommended next steps

  1. Monitor the GHSA-f4j7-r4q5-qw2c advisory for a patch release
  2. Once a patched release is published to PyPI, aieng-bot can re-run and apply the update automatically
  3. Consider whether a pip-audit ignore/exception can be added temporarily with justification (requires human review)
  4. Evaluate whether chromadb usage should be restricted to authenticated contexts as a mitigating control

This PR will not be auto-merged until the vulnerability is resolved.

@amrit110 amrit110 (Member) commented

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerabilities reported by pip-audit, but cannot fix them automatically because no patched version has been released to PyPI yet:

| Package | Version | Vulnerability | Status |
|---------|---------|---------------|--------|
| chromadb | 1.0.20 | CVE-2026-45829 | No fix available on PyPI |

Why this cannot be auto-fixed

The vulnerability exists in chromadb itself. A fix requires the upstream maintainers to release a new version. Bumping to the latest available version (1.5.9) was tested locally — pip-audit still flags CVE-2026-45829 on 1.5.9, confirming no patched release exists in the PyPI vulnerability database yet.

The CVE describes a pre-authentication code injection vulnerability that requires trust_remote_code=True to be set in a specific API endpoint. Once a patched release is published to PyPI, aieng-bot can re-run and apply the update automatically.

Recommended next steps

  1. Monitor the ChromaDB vulnerability advisory for a patch release
  2. Consider whether a pip-audit ignore/exception can be added temporarily with justification (requires human review)
  3. Consider whether this dependency can be replaced with an alternative

This PR will not be auto-merged until the vulnerability is resolved.

@pre-commit-ci pre-commit-ci Bot force-pushed the pre-commit-ci-update-config branch from df8cfff to 327ce71 on June 15, 2026 19:50
@amrit110 amrit110 (Member) commented

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerabilities reported by pip-audit, but cannot fix them automatically because no patched version has been released to PyPI yet:

| Package | Version | Vulnerability | Status |
|---------|---------|---------------|--------|
| chromadb | 1.0.20 | CVE-2026-45829 | No fix available on PyPI (last_affected: 1.5.9 — all versions affected) |

Why this cannot be auto-fixed

CVE-2026-45829 is a pre-authentication code injection vulnerability in chromadb ≥ 1.0.0. According to the OSV advisory, all versions from 1.0.0 through 1.5.9 (the current latest) are affected and there is no fixed version entry. A fix requires the upstream chromadb maintainers to release a patched version. Once a patched release is published to PyPI, aieng-bot can re-run and apply the update automatically.

What was fixed automatically

  • pip 26.1 → pip>=26.1.2 to resolve PYSEC-2026-196

Recommended next steps

  1. Monitor the CVE-2026-45829 advisory for a patch release from the chromadb maintainers
  2. Check if a pip-audit ignore/exception can be added temporarily with justification (requires human review)
  3. Consider whether chromadb can be replaced with an alternative, or if usage of trust_remote_code=True can be disabled

This PR will not be auto-merged until the chromadb vulnerability is resolved.

@amrit110 amrit110 (Member) commented

Security Vulnerability — No Patch Available Yet (Updated)

aieng-bot found the following security vulnerability reported by pip-audit, but cannot fix it automatically because no patched version has been released to PyPI yet:

| Package | Version | Vulnerability | Status |
|---------|---------|---------------|--------|
| chromadb | 1.0.20 | CVE-2026-45829 | No fix available on PyPI (last_affected: 1.5.9 — all versions affected) |

Why this cannot be auto-fixed

CVE-2026-45829 is a pre-authentication code injection vulnerability in chromadb ≥ 1.0.0. According to the OSV advisory, all versions from 1.0.0 through 1.5.9 (the current latest) are affected and there is no fixed version entry. A fix requires the upstream chromadb maintainers to release a patched version.

What was fixed automatically

  • pip 26.1 → pip>=26.1.2 — fixes PYSEC-2026-196
  • starlette 1.1.0 → starlette>=1.3.1 — fixes CVE-2026-54282 and CVE-2026-54283

Recommended next steps

  1. Monitor the CVE-2026-45829 advisory for a patch release from the chromadb maintainers
  2. Check if a pip-audit ignore/exception can be added temporarily with justification (requires human review)
  3. Consider whether chromadb can be replaced with an alternative

This PR will not be auto-merged until the chromadb vulnerability is resolved.
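The temporary pip-audit exception that these comments keep recommending (an ignore entry with documented justification, subject to human review) is only safe when it is time-boxed and voided the moment a fixed release appears. The following triage helper is an added example, not aieng-bot's or the project's code; it assumes the JSON shape of `pip-audit --format=json` and a constructed exception-list format, and every sample value in it is constructed from this thread.

```python
"""Time-boxed pip-audit exception triage (added example, not aieng-bot's code).

Assumes the JSON shape of `pip-audit --format=json` (dependencies -> vulns with
id, aliases, fix_versions) and a constructed exception-list format of my own.
"""
import json
from datetime import date

# Constructed sample report mirroring this thread: chromadb has no fix_versions
# because no patched release exists; pip has one, so it must not be waived.
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"name": "chromadb", "version": "1.0.20", "vulns": [
        {"id": "GHSA-f4j7-r4q5-qw2c", "aliases": ["CVE-2026-45829"],
         "fix_versions": [], "description": "pre-auth code injection"}]},
    {"name": "pip", "version": "26.1", "vulns": [
        {"id": "PYSEC-2026-196", "aliases": [], "fix_versions": ["26.1.2"],
         "description": "constructed placeholder"}]},
]})
# Hypothetical future state: upstream ships a fix (9.9.9 is a placeholder version).
PATCHED_REPORT = SAMPLE_REPORT.replace('"fix_versions": []', '"fix_versions": ["9.9.9"]')

# Constructed exception list: every waiver carries a justification, an owner
# and an expiry date, so "temporary" is enforced rather than hoped for.
EXCEPTIONS = {
    "GHSA-f4j7-r4q5-qw2c": {
        "justification": "No upstream fix on PyPI; trust_remote_code unused",
        "owner": "amrit110",
        "expires": "2026-07-15",
    },
}

def _valid(exc, today):
    """An exception counts only while it is justified and not past its expiry."""
    return bool(exc.get("justification")) and date.fromisoformat(exc["expires"]) >= today

def triage(report_json, exceptions, today_iso):
    """Split reported vuln IDs into (blocking, waived).

    A finding is waived only if an exception matches its ID or an alias, that
    exception is valid today, AND the report still lists no fix_versions.
    The moment a fixed release appears, the waiver is void and the finding blocks.
    """
    today = date.fromisoformat(today_iso)
    blocking, waived = [], []
    for dep in json.loads(report_json)["dependencies"]:
        for vuln in dep.get("vulns", []):
            ids = {vuln["id"], *vuln.get("aliases", [])}
            exc = next((exceptions[i] for i in ids if i in exceptions), None)
            if exc is not None and _valid(exc, today) and not vuln.get("fix_versions"):
                waived.append(vuln["id"])
            else:
                blocking.append(vuln["id"])
    return blocking, waived

def ignore_flags(exceptions, today_iso):
    """Build `--ignore-vuln ID` arguments for pip-audit from the valid exceptions only."""
    today = date.fromisoformat(today_iso)
    flags = []
    for vid, exc in sorted(exceptions.items()):
        if _valid(exc, today):
            flags += ["--ignore-vuln", vid]
    return flags

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT, EXCEPTIONS, "2026-06-18"))  # (['PYSEC-2026-196'], ['GHSA-f4j7-r4q5-qw2c'])
    print("pip-audit", *ignore_flags(EXCEPTIONS, "2026-06-18"))
```

Run `triage` over the real `pip-audit --format=json` output in CI and fail the job on a non-empty blocking list; the expiry forces a human to re-review the waiver instead of letting it outlive the advisory.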

@amrit110 amrit110 force-pushed the pre-commit-ci-update-config branch from 53392a0 to a501bb1 on June 18, 2026 11:32
updates:
- [github.com/astral-sh/uv-pre-commit: 0.11.16 → 0.11.23](astral-sh/uv-pre-commit@0.11.16...0.11.23)
- [github.com/astral-sh/ruff-pre-commit: v0.15.14 → v0.15.18](astral-sh/ruff-pre-commit@v0.15.14...v0.15.18)
@pre-commit-ci pre-commit-ci Bot force-pushed the pre-commit-ci-update-config branch from a501bb1 to b434843 on June 22, 2026 19:51