Merge pull request #830 from microsoft/bugfix/vulnerabilities

fix: dependabot security alerts

Author: Roopan-Microsoft

src/backend/pyproject.toml

@@ -26,13 +26,19 @@ dependencies = [
     "pytest-asyncio==0.24.0",
     "pytest-cov==5.0.0",
     "python-dotenv==1.1.1",
-    "python-multipart==0.0.20",
-    "semantic-kernel==1.39.3",
+    "python-multipart==0.0.22",
+    "semantic-kernel==1.39.4",
     "uvicorn==0.35.0",
     "pylint-pydantic==0.3.5",
     "pexpect==4.9.0",
-    "mcp==1.23.0",
+    "mcp==1.26.0",
     "werkzeug==3.1.5",
     "azure-core==1.38.0",
     "agent-framework>=1.0.0b251105",
+    "urllib3==2.6.3",
+    "protobuf==5.29.6",
+    "cryptography==46.0.5",
+    "aiohttp==3.13.3",
+    "pyasn1==0.6.2",
+    "nltk==3.9.3",
 ]

src/backend/requirements.txt

@@ -14,9 +14,9 @@ opentelemetry-instrumentation-fastapi
 opentelemetry-instrumentation-openai
 opentelemetry-exporter-otlp-proto-http
 
-semantic-kernel[azure]==1.32.2
-azure-ai-projects==1.0.0b11
-openai==1.84.0 
+semantic-kernel[azure]==1.39.4
+azure-ai-projects==1.0.0
+openai==1.105.0 
 azure-ai-inference==1.0.0b9 
 azure-search-documents 
 azure-ai-evaluation

src/backend/uv.lock

@@ -15,7 +15,7 @@
     "@types/node": "^16.18.126",
     "@types/react": "^18.3.23",
     "@types/react-dom": "^18.3.7",
-    "axios": "^1.11.0",
+    "axios": "^1.13.5",
     "react": "^18.3.1",
     "react-dom": "^18.3.1",
     "react-markdown": "^10.1.0",
@@ -68,4 +68,4 @@
     "vite": "^7.1.2",
     "vitest": "^3.2.4"
   }
-}
+}

src/frontend/package-lock.json

@@ -21,10 +21,12 @@ dependencies = [
   "azure-identity==1.19.0",
   "pydantic==2.11.7",
   "pydantic-settings==2.6.1",
-  "python-multipart==0.0.18",
+  "python-multipart==0.0.22",
   "httpx==0.28.1",
   "werkzeug==3.1.5",
   "urllib3==2.6.3",
+  "azure-core==1.38.0",
+  "cryptography==46.0.5",
 ]
 
 [project.optional-dependencies]