fix(deps): resolve security audit failures

GenerQAQ · Gener · commit e970e96c0f64 · 2026-04-08T18:25:23.000+08:00
- Bump Go 1.25.8 -> 1.25.9 to fix crypto/x509 and crypto/tls vulns (GO-2026-4947, GO-2026-4946, GO-2026-4870) - Upgrade aiohttp 3.13.3 -> 3.13.5 to fix 10 CVEs in Python audit - Ignore drizzle-orm CVE-2026-39356 (GHSA-gpj5-g38j-94v9) in CI audit: transitive dep of @payloadcms/db-d1-sqlite, no upstream fix available yet; direct override to >=0.45.2 breaks the build
diff --git a/.github/workflows/security-reusable.yaml b/.github/workflows/security-reusable.yaml
@@ -107,4 +107,6 @@ jobs:
         run: pnpm audit --audit-level=high --prod
       - name: Audit Landing Page
         working-directory: landingpage
-        run: pnpm audit --audit-level=high --prod
+        # Ignore CVE-2026-39356 (drizzle-orm SQL injection, GHSA-gpj5-g38j-94v9):
+        # transitive dep of @payloadcms/db-d1-sqlite — no upstream release with fix yet
+        run: pnpm audit --audit-level=high --prod --ignore CVE-2026-39356
diff --git a/landingpage/package.json b/landingpage/package.json
@@ -95,6 +95,11 @@
       "flatted": ">=3.4.2",
       "path-to-regexp@>=8.0.0 <8.4.0": ">=8.4.0",
       "happy-dom": ">=20.8.9"
+    },
+    "auditConfig": {
+      "ignoreCves": [
+        "CVE-2026-39356"
+      ]
     }
   },
   "cloudflare": {
diff --git a/src/client/acontext-cli/go.mod b/src/client/acontext-cli/go.mod
@@ -1,6 +1,6 @@
 module github.com/memodb-io/Acontext/acontext-cli
 
-go 1.25.8
+go 1.25.9
 
 require (
 	github.com/AlecAivazis/survey/v2 v2.3.7
diff --git a/src/server/api/go/go.mod b/src/server/api/go/go.mod
@@ -1,6 +1,6 @@
 module github.com/memodb-io/Acontext
 
-go 1.25.8
+go 1.25.9
 
 require (
 	github.com/alicebob/miniredis/v2 v2.37.0
diff --git a/src/server/core/uv.lock b/src/server/core/uv.lock
