fix(security): update deps given CVE-2025-50181, CVE-2025-50182

helmut-hoffer-von-ankershoffen · helmut-hoffer-von-ankershoffen · commit 207eb0c45ba5 · 2025-06-19T09:12:17.000+02:00
fix(typer): workaround fastapi/typer#1240 refactor(performance): faster boot style(bucket): button layout
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,12 @@
 [🔬 Aignostics Python SDK](https://aignostics.readthedocs.io/en/latest/)
 
-(https://github.com/aignostics/python-sdk/compare/v0.2.63..0.2.64) - 2025-06-18
+(https://github.com/aignostics/python-sdk/compare/v0.2.64..0.2.65) - 2025-06-19
+
+
+- *(deps)* Bump urllib3 given CVEs CVE-2025-50181 and CVE-2025-50182 - ([f395d9a](https://github.com/aignostics/python-sdk/commit/f395d9a8f9a6a38fd7d5da9c52542a97bc36274b))
+
+
+(https://github.com/aignostics/python-sdk/compare/v0.2.63..v0.2.64) - 2025-06-18
 
 
 - *(bucket)* Allow to select destination in bucket download gui - ([44a6611](https://github.com/aignostics/python-sdk/commit/44a66119bdab63d389f7b4d489e8b0e2a4222977))
diff --git a/CLI_REFERENCE.md b/CLI_REFERENCE.md
@@ -14,7 +14,7 @@ $ aignostics [OPTIONS] COMMAND [ARGS]...
 * `--show-completion`: Show completion for the current shell, to copy it or customize the installation.
 * `--help`: Show this message and exit.
 
-🔬 Aignostics Python SDK v0.2.62 - built with love in Berlin 🐻
+🔬 Aignostics Python SDK v0.2.64 - built with love in Berlin 🐻
 
 **Commands**:
 
@@ -196,7 +196,7 @@ $ aignostics application run execute [OPTIONS] APPLICATION_VERSION_ID METADATA_C
 
 * `--create-subdirectory-for-run / --no-create-subdirectory-for-run`: Create a subdirectory for the results of the run in the destination directory  [default: create-subdirectory-for-run]
 * `--create-subdirectory-per-item / --no-create-subdirectory-per-item`: Create a subdirectory per item in the destination directory  [default: create-subdirectory-per-item]
-* `--upload-prefix TEXT`: Prefix for the upload destination. If not given will be set to current milliseconds.  [default: 1750197829503.505]
+* `--upload-prefix TEXT`: Prefix for the upload destination. If not given will be set to current milliseconds.  [default: 1750311380957.609]
 * `--wait-for-completion / --no-wait-for-completion`: Wait for run completion and download results incrementally  [default: wait-for-completion]
 * `--help`: Show this message and exit.
 
@@ -252,7 +252,7 @@ $ aignostics application run upload [OPTIONS] APPLICATION_VERSION_ID METADATA_CS
 
 **Options**:
 
-* `--upload-prefix TEXT`: Prefix for the upload destination. If not given will be set to current milliseconds.  [default: 1750197829503.5952]
+* `--upload-prefix TEXT`: Prefix for the upload destination. If not given will be set to current milliseconds.  [default: 1750311380957.699]
 * `--help`: Show this message and exit.
 
 #### `aignostics application run submit`
@@ -456,9 +456,6 @@ $ aignostics bucket find [OPTIONS] [WHAT]...
 
 Download objects from bucket in Aignostics platform to local directory.
 
-Raises:
-    typer.Exit: If pattern is invalid regex or no objects found.
-
 **Usage**:
 
 ```console
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-0.2.64
+0.2.65
diff --git a/aignostics.spec b/aignostics.spec
@@ -70,5 +70,5 @@ app = BUNDLE(
     name='aignostics.app',
     icon='logo.ico',
     bundle_identifier='com.aignostics.launchpad',
-    version='0.2.64'
+    version='0.2.65'
 )
diff --git a/docs/source/conf.py b/docs/source/conf.py
@@ -27,7 +27,7 @@
 project = "aignostics"
 author = "Helmut Hoffer von Ankershoffen"
 copyright = f" (c) 2025-{datetime.now(UTC).year} Aignostics GmbH, Author: {author}"  # noqa: A001
-version = "0.2.64"
+version = "0.2.65"
 release = version
 github_username = "aignostics"
 github_repository = "python-sdk"
diff --git a/examples/notebook.py b/examples/notebook.py
@@ -2,7 +2,7 @@
 # requires-python = ">=3.13"
 # dependencies = [
 #     "marimo",
-#     "aignostics==0.2.64",
+#     "aignostics==0.2.65",
 # ]
 # ///
 
diff --git a/noxfile.py b/noxfile.py
@@ -82,8 +82,12 @@ def audit(session: nox.Session) -> None:
     _setup_venv(session)
 
     # pip-audit to check for vulnerabilities
-    session.run("pip-audit", "-f", "json", "-o", "reports/vulnerabilities.json")
-    _format_json_with_jq(session, "reports/vulnerabilities.json")
+    try:
+        session.run("pip-audit", "-f", "json", "-o", "reports/vulnerabilities.json")
+    except CommandFailed:
+        _format_json_with_jq(session, "reports/vulnerabilities.json")
+        session.log("pip-audit failed with JSON output, retrying with default format")
+        session.run("pip-audit")
 
     # pip-licenses to check for compliance
     pip_licenses_base_args = [
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "aignostics"
-version = "0.2.64"
+version = "0.2.65"
 description = "🔬 Python SDK providing access to the Aignostics Platform. Includes Aignostics Launchpad (Desktop Application), Aignostics CLI (Command-Line Interface), example notebooks, and Aignostics Client Library."
 readme = "README.md"
 authors = [
@@ -75,7 +75,7 @@ requires-python = ">=3.11, <4.0"
 dependencies = [
     # From Template
     "fastapi[standard,all]>=0.115.13",
-    "logfire[system-metrics]>=3.21.0",
+    "logfire[system-metrics]>=3.21.1",
     "nicegui[native]>=2.20.0",
     "opentelemetry-instrumentation-fastapi>=0.53b0",
     "opentelemetry-instrumentation-httpx>=0.53b0",
@@ -94,11 +94,11 @@ dependencies = [
     # Custom
     "appdirs>=1.4.4",
     "auth0-python>=4.10.0",
-    "boto3>=1.38.38",
+    "boto3>=1.38.39",
     "dicom-validator>=0.7.1",
     "dicomweb-client[gcp]>=0.59.2",
     "duckdb>=0.10.0,<=1.4.0",
-    "google-cloud-storage>=2.12.0",
+    "google-cloud-storage>=3.1.1",
     "google-crc32c>=1.7.1",
     "highdicom>=0.25.1",
     "httpx>=0.28.1",
@@ -124,15 +124,15 @@ dependencies = [
     "shapely>=2.1.1",
     "show-in-file-manager>=1.1.5",
     "tqdm>=4.67.1",
-    "urllib3>=2.2.3",
+    "urllib3>=2.5.0",
     "wsidicom>=0.27.1",
 ]
 
 [project.optional-dependencies]
 jupyter = ["jupyter>=1.1.1"]
 marimo = [
     "cloudpathlib>=0.21.1",
-    "marimo>=0.13.15",
+    "marimo>=0.14.0",
     "matplotlib>=3.10.3",
     "shapely>=2.1.0",
 ]
@@ -153,10 +153,10 @@ dev = [
     "pip-licenses @ git+https://github.com/neXenio/pip-licenses.git@master", # https://github.com/raimon49/pip-licenses/pull/224
     "pre-commit>=4.1.0",
     "pyinstaller>=6.14.0",
-    "pyright>=1.1.401",
-    "pytest>=8.4.0",
+    "pyright>=1.1.402",
+    "pytest>=8.4.1",
     "pytest-asyncio>=1.0.0",
-    "pytest-cov>=6.1.1",
+    "pytest-cov>=6.2.1",
     "pytest-docker>=3.2.2",
     "pytest-env>=1.1.5",
     "pytest-md-report>=0.7.0",
@@ -167,7 +167,7 @@ dev = [
     "pytest-timeout>=2.4.0",
     "pytest-watcher>=0.4.3",
     "pytest-xdist[psutil]>=3.7.0",
-    "ruff>=0.11.12",
+    "ruff>=0.12.0",
     "scalene>=1.5.51",
     "sphinx>=8.2.3",
     "sphinx-autobuild>=2024.10.3",
@@ -182,7 +182,7 @@ dev = [
     "swagger-plugin-for-sphinx>=5.1.0",
     "tomli>=2.1.0",
     "types-pyyaml>=6.0.12.20250516",
-    "types-requests>=2.32.0.20250602",
+    "types-requests>=2.32.4.20250611",
     "watchdog>=6.0.0",
 ]
 
@@ -215,6 +215,7 @@ override-dependencies = [ # https://github.com/astral-sh/uv/issues/4422
     "h11>=0.16.0",                      # CVE-2025-43859
     "tornado>=6.5.0",                   # CVE-2025-47287
     "jupyter-core>=5.8.1",              # CVE-2025-30167
+    "urllib3>=2.5.0",                   # CVE-2025-50181, CVE-2025-50182
 ]
 
 [tool.ruff]
@@ -352,7 +353,7 @@ source = ["src/"]
 
 
 [tool.bumpversion]
-current_version = "0.2.64"
+current_version = "0.2.65"
 parse = "(?P<major>\\d+)\\.(?P<minor>\\d+)\\.(?P<patch>\\d+)"
 serialize = ["{major}.{minor}.{patch}"]
 search = "{current_version}"
diff --git a/sonar-project.properties b/sonar-project.properties
@@ -1,6 +1,6 @@
 sonar.projectKey=aignostics_python-sdk
 sonar.organization=aignostics
-sonar.projectVersion=0.2.64
+sonar.projectVersion=0.2.65
 sonar.projectDescription=🔬 Python SDK providing access to Aignostics AI services.
 sonar.links.homepage=https://aignostics.readthedocs.io/en/latest/
 sonar.links.scm=https://github.com/aignostics/python-sdk
diff --git a/src/aignostics/bucket/_gui.py b/src/aignostics/bucket/_gui.py
@@ -299,7 +299,7 @@ async def _select_data() -> None:
                     return
 
                 bucket_form.destination = get_user_data_directory("datasets/idc")
-                bucket_form.destination_label.set_text(f"Download to {bucket_form.destination!s}")
+                bucket_form.destination_label.set_text(f"Will download to {bucket_form.destination!s}")
                 await _update_button_states()
 
             async def _select_destination() -> None:
@@ -323,7 +323,7 @@ async def _select_destination() -> None:
                         )
                     else:
                         bucket_form.destination = path
-                        bucket_form.destination_label.set_text(f"Download to {bucket_form.destination!s}")
+                        bucket_form.destination_label.set_text(f"Will download to {bucket_form.destination!s}")
                         bucket_form.destination_open_button.enable()
                         ui.notify(f"You chose directory {bucket_form.destination}.", type="info")
                 else:
@@ -338,29 +338,44 @@ def _open_destination() -> None:
                 show_in_file_manager(str(bucket_form.destination))
 
             with ui.row().classes("w-full gap-4"):
-                bucket_form.download_button = (
-                    ui.button(
-                        "Download",
-                        icon="download",
-                        on_click=_download_selected,
-                    )
-                    .mark("BUTTON_DOWNLOAD_OBJECTS")
-                    .props("color=primary")
-                    .classes("w-1/5")
-                )
-                bucket_form.download_button.disable()
-
-                with ui.button("Data", on_click=_select_data, icon="folder_special", color="purple-400").mark(
-                    "BUTTON_DOWNLOAD_DESTINATION_DATA"
-                ):
-                    ui.tooltip("Use Launchpad datasets directory")
-
-                with ui.button("Custom", on_click=_select_destination, icon="folder").mark(
-                    "BUTTON_DOWNLOAD_DESTINATION"
-                ):
-                    ui.tooltip("Select a custom directory")
+                with ui.column().classes("w-1/2"):
+                    with ui.row().classes("w-full"):
+                        bucket_form.download_button = (
+                            ui.button(
+                                "Download",
+                                icon="download",
+                                on_click=_download_selected,
+                            )
+                            .mark("BUTTON_DOWNLOAD_OBJECTS")
+                            .props("color=primary")
+                        )
+                        bucket_form.download_button.disable()
+
+                        ui.space()
+
+                        with ui.button("Data", on_click=_select_data, icon="folder_special", color="purple-400").mark(
+                            "BUTTON_DOWNLOAD_DESTINATION_DATA"
+                        ):
+                            ui.tooltip("Use Launchpad datasets directory")
+
+                        with ui.button("Custom", on_click=_select_destination, icon="folder").mark(
+                            "BUTTON_DOWNLOAD_DESTINATION"
+                        ):
+                            ui.tooltip("Select a custom directory")
+                    with ui.row(align_items="center").classes("w-full"):
+                        bucket_form.destination_label = ui.label(
+                            MESSAGE_NO_DOWNLOAD_FOLDER_SELECTED
+                            if bucket_form.destination is None
+                            else str(f"Will download to {bucket_form.destination}")
+                        )
+                        ui.space()
+                        bucket_form.destination_open_button = ui.button(
+                            icon="folder_open", on_click=_open_destination, color="secondary"
+                        )
+                        bucket_form.destination_open_button.mark("BUTTON_OPEN_DESTINATION").disable()
 
                 ui.space()
+
                 bucket_form.delete_button = (
                     ui.button(
                         "Delete",
@@ -373,18 +388,6 @@ def _open_destination() -> None:
                 )
                 bucket_form.delete_button.disable()
 
-            with ui.row(align_items="center").classes("w-2/5"):
-                ui.space()
-                bucket_form.destination_label = ui.label(
-                    MESSAGE_NO_DOWNLOAD_FOLDER_SELECTED
-                    if bucket_form.destination is None
-                    else str(f"Download to {bucket_form.destination}")
-                ).classes("max-w-72")
-                bucket_form.destination_open_button = ui.button(
-                    icon="folder_open", on_click=_open_destination, color="secondary"
-                )
-                bucket_form.destination_open_button.mark("BUTTON_OPEN_DESTINATION").disable()
-
             # Progress card for downloads (initially hidden)
             with ui.card().classes("w-full") as progress_card:
                 bucket_form.download_progress_card = progress_card
diff --git a/src/aignostics/bucket/_service.py b/src/aignostics/bucket/_service.py
@@ -4,14 +4,15 @@
 import re
 from collections.abc import Callable, Generator
 from pathlib import Path
-from typing import Any, cast
+from typing import TYPE_CHECKING, Any, cast
 
 import humanize
 import requests
-from botocore.client import BaseClient, Config
-from botocore.exceptions import ClientError
 from pydantic import BaseModel, computed_field
 
+if TYPE_CHECKING:
+    from botocore.client import BaseClient
+
 from aignostics.utils import UNHIDE_SENSITIVE_INFO, BaseService, Health, get_logger, get_user_data_directory
 
 from ._settings import Settings
@@ -111,7 +112,7 @@ def health(self) -> Health:  # noqa: PLR6301
             components={},
         )
 
-    def _get_s3_client(self, endpoint_url: str = ENDPOINT_URL_DEFAULT) -> BaseClient:
+    def _get_s3_client(self, endpoint_url: str = ENDPOINT_URL_DEFAULT) -> "BaseClient":
         """Get a Boto3 S3 client instance for cloud bucket on Aignostics Platform.
 
         Args:
@@ -121,6 +122,7 @@ def _get_s3_client(self, endpoint_url: str = ENDPOINT_URL_DEFAULT) -> BaseClient
             BaseClient: A Boto3 S3 client instance.
         """
         from boto3 import Session  # noqa: PLC0415
+        from botocore.client import Config  # noqa: PLC0415
 
         # https://www.kmp.tw/post/accessgcsusepythonboto3/
         session = Session(
@@ -599,6 +601,8 @@ def delete(self, what: list[str] | None, what_is_key: bool = False, dry_run: boo
         Raises:
             ValueError: If any provided regex pattern is invalid.
         """
+        from botocore.exceptions import ClientError  # noqa: PLC0415
+
         matched_objects = self.find(what, what_is_key=what_is_key, detail=False)
         object_keys_to_delete = [obj for obj in matched_objects if isinstance(obj, str)]
 
diff --git a/src/aignostics/cli.py b/src/aignostics/cli.py
@@ -7,14 +7,20 @@
 import typer
 
 from .constants import MODULES_TO_INSTRUMENT, NOTEBOOK_DEFAULT
-from .utils import __is_running_in_container__, __version__, boot, console, get_logger, prepare_cli
+from .utils import (
+    __is_running_in_container__,
+    __version__,
+    boot,
+    console,
+    get_logger,
+    prepare_cli,
+)
 
 boot(MODULES_TO_INSTRUMENT)
 logger = get_logger(__name__)
 
 cli = typer.Typer(
     help="Command Line Interface (CLI) of Aignostics Python SDK providing access to Aignostics Platform.",
-    no_args_is_help=True,
 )
 
 if find_spec("nicegui") and find_spec("webview") and not __is_running_in_container__:
@@ -62,6 +68,7 @@ def notebook(
 
 prepare_cli(cli, f"🔬 Aignostics Python SDK v{__version__} - built with love in Berlin 🐻")
 
+
 if __name__ == "__main__":  # pragma: no cover
     try:
         cli()
diff --git a/src/aignostics/gui/_frame.py b/src/aignostics/gui/_frame.py
@@ -8,7 +8,6 @@
 from typing import Any
 
 from humanize import naturaldelta
-from nicegui import app, ui
 
 from aignostics.utils import __version__, open_user_data_directory
 
@@ -42,7 +41,7 @@ def frame(  # noqa: C901, PLR0915
     Yields:
         Generator[Any, Any, Any]: The context manager for the page frame.
     """
-    from nicegui import background_tasks, context, run  # noqa: PLC0415
+    from nicegui import app, background_tasks, context, run, ui  # noqa: PLC0415
 
     from aignostics.platform import Service as PlatformService  # noqa: PLC0415
     from aignostics.platform import UserInfo  # noqa: PLC0415
diff --git a/src/aignostics/platform/_authentication.py b/src/aignostics/platform/_authentication.py
diff --git a/src/aignostics/utils/_cli.py b/src/aignostics/utils/_cli.py
diff --git a/src/aignostics/wsi/_gui.py b/src/aignostics/wsi/_gui.py
diff --git a/uv.lock b/uv.lock

Original file line number	Diff line number	Diff line change
`@@ -70,5 +70,5 @@ app = BUNDLE(`
`70`	`70`	`name='aignostics.app',`
`71`	`71`	`icon='logo.ico',`
`72`	`72`	`bundle_identifier='com.aignostics.launchpad',`
`73`		`- version='0.2.64'`
	`73`	`+ version='0.2.65'`
`74`	`74`	`)`