
fix(deps): add dynaconf >= 3.2.13 (CVE-2026-33154)#1526

Merged
B-Whitt merged 1 commit into ansible:main from B-Whitt:fix/cve-2026-33154-dynaconf on Apr 13, 2026

Conversation

@B-Whitt
Contributor

@B-Whitt B-Whitt commented Apr 13, 2026

Summary

  • Remediates CVE-2026-33154: arbitrary code execution via SSTI in dynaconf's @Jinja resolver (CVSS 7.5 HIGH)
  • Adds dynaconf as direct dependency (was transitive via django-ansible-base at 3.2.10)

Ref: AAP-69465

Summary by CodeRabbit

  • Chores
    • Added the dynaconf dependency (>=3.2.13) to the project dependencies.
    • No other dependency entries, metadata, scripts, or tool configurations were modified in this update.

@B-Whitt B-Whitt requested a review from a team as a code owner April 13, 2026 12:34
@coderabbitai

coderabbitai bot commented Apr 13, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 5b26612b-a08a-486e-88b4-745650473268

📥 Commits

Reviewing files that changed from the base of the PR and between c6a7d37 and 53d3ecf.

⛔ Files ignored due to path filters (1)
  • poetry.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • pyproject.toml
✅ Files skipped from review due to trivial changes (1)
  • pyproject.toml

📝 Walkthrough

Added a new dependency entry: dynaconf with version constraint >=3.2.13 to pyproject.toml. No other dependencies, metadata, tool configuration, or scripts were changed.

Changes

Cohort               File(s)          Summary
Dependency Addition  pyproject.toml   Added dynaconf >=3.2.13 as a new project dependency.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks: 3 passed

Check name          Status     Explanation
Title check         ✅ Passed  The title clearly identifies a dependency fix for a CVE vulnerability, which is the main change in the PR.
Description check   ✅ Passed  The description covers the key aspects: what CVE is being addressed, why it's needed, and what's being changed. It includes a reference to the tracking issue.
Docstring Coverage  ✅ Passed  No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@ttuffin
Contributor

ttuffin commented Apr 13, 2026

/run-e2e


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1


Inline comments:
In `@pyproject.toml`:
- Line 46: The project adds dynaconf = ">=3.2.13" in pyproject.toml which
conflicts with the pinned dynaconf ==3.2.12 in the django-ansible-base devel
branch (requirements/requirements_all.txt), preventing resolution; to fix,
coordinate with or update django-ansible-base to relax or bump its dynaconf pin
to >=3.2.13 (or remove the strict ==3.2.12), then re-run dependency resolution
so pyproject.toml's dynaconf >=3.2.13 can be applied; reference the dynaconf
entry in pyproject.toml and the dynaconf pin in
requirements/requirements_all.txt (django-ansible-base) when making the change.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 191d5ed6-83fa-4f62-96e4-b5320baa0dcb

📥 Commits

Reviewing files that changed from the base of the PR and between bf5aca0 and c6a7d37.

⛔ Files ignored due to path filters (1)
  • poetry.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • pyproject.toml
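The conflict the review bot describes above (a direct floor of dynaconf >=3.2.13 in pyproject.toml versus an exact ==3.2.12 pin in django-ansible-base) is the kind of thing worth checking mechanically before trusting that a CVE bump has actually landed: the floor is only a promise, the version the lock file resolved to (or the one installed) is the fact. The block below is an added example, not code from eda-server, django-ansible-base or dynaconf. It is a stdlib-only Python check that parses requirement strings, flags exact pins elsewhere in the dependency set that can never satisfy the project's own floor, and confirms that a resolved or installed version meets it. The requirement strings and the resolved version are constructed to mirror the PR discussion; the function names are this example's own.

```python
"""Verify that a dependency floor added for a CVE fix is satisfiable and satisfied.

Added illustration; not code from eda-server or dynaconf. The sample inputs
below are constructed to mirror the pins discussed in the PR thread.
"""
import re
from importlib import metadata

# Constructed sample inputs (assumption: they mirror the PR discussion).
PYPROJECT_DEPS = {"dynaconf": ">=3.2.13"}                      # floor added by the PR
DAB_REQUIREMENTS = ["django-ansible-base", "dynaconf==3.2.12"]  # pin quoted by the review bot
RESOLVED_LOCK = {"dynaconf": "3.2.13"}                          # versions a lock file resolved to

SPEC_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(.*?)\s*$")
CLAUSE_RE = re.compile(r"(==|!=|>=|<=|>|<)\s*([0-9][0-9A-Za-z.]*)")


def parse_version(v):
    """'3.2.13' -> (3, 2, 13). Takes the leading digits of each dot-separated
    segment and stops at the first segment without any (assumption: comparing
    release segments is enough for a floor check like this one)."""
    parts = []
    for seg in v.split("."):
        m = re.match(r"\d+", seg)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def cmp_versions(a, b):
    """-1, 0 or 1; shorter tuples are zero-padded so 3.2 == 3.2.0."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def satisfies(version, spec):
    """True if version meets every comparison clause in spec, e.g. '>=3.2.13,<4'."""
    ops = {"==": lambda c: c == 0, "!=": lambda c: c != 0, ">=": lambda c: c >= 0,
           "<=": lambda c: c <= 0, ">": lambda c: c > 0, "<": lambda c: c < 0}
    return all(ops[op](cmp_versions(version, v)) for op, v in CLAUSE_RE.findall(spec))


def parse_requirements(lines):
    """requirements.txt style lines -> {name: specifier}; comments and blanks skipped."""
    out = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, spec = SPEC_RE.match(line).groups()
        out[name.lower()] = spec
    return out


def find_conflicts(project_deps, other_reqs):
    """Exact pins in other_reqs that can never satisfy the project's own floor.
    Returns [(name, conflicting_pin, project_spec), ...]."""
    conflicts = []
    for name, spec in project_deps.items():
        other = other_reqs.get(name.lower())
        if other is None:
            continue
        for op, v in CLAUSE_RE.findall(other):
            if op == "==" and not satisfies(v, spec):
                conflicts.append((name, other, spec))
    return conflicts


def resolved_ok(project_deps, resolved):
    """Does the version the lock file resolved to meet each floor? A missing
    entry counts as version 0, i.e. not satisfied."""
    return {name: satisfies(resolved.get(name, "0"), spec) for name, spec in project_deps.items()}


def installed_ok(name, spec):
    """Check the live environment; None if the package isn't installed at all."""
    try:
        return satisfies(metadata.version(name), spec)
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    print("conflicts:", find_conflicts(PYPROJECT_DEPS, parse_requirements(DAB_REQUIREMENTS)))
    print("lock satisfies floor:", resolved_ok(PYPROJECT_DEPS, RESOLVED_LOCK))
    print("installed dynaconf satisfies floor:", installed_ok("dynaconf", PYPROJECT_DEPS["dynaconf"]))
```

Feed it the real pyproject.toml specifier and the django-ansible-base requirements_all.txt line instead of the constructed ones: an exact pin that fails the floor means the resolver cannot satisfy both at once, which is the bot's point, and a lock or installed version below the floor means the CVE is not actually remediated in that environment regardless of what pyproject.toml says.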

@ptoscano
Contributor

/run-e2e

@github-actions github-actions bot deployed to e2e-tests April 13, 2026 12:39 Active
@codecov-commenter

codecov-commenter commented Apr 13, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.93%. Comparing base (af39a9f) to head (53d3ecf).

@@           Coverage Diff           @@
##             main    #1526   +/-   ##
=======================================
  Coverage   91.93%   91.93%           
=======================================
  Files         239      239           
  Lines       10810    10810           
=======================================
  Hits         9938     9938           
  Misses        872      872           
Flag Coverage Δ
unit-int-tests-3.11 91.93% <ø> (ø)
unit-int-tests-3.12 91.93% <ø> (ø)

Flags with carried forward coverage won't be shown.


Contributor

@ptoscano ptoscano left a comment


Successful e2e run: https://github.com/ansible/eda-server/actions/runs/24343812401

Also please check the feedback of coderabbit, in particular what DAB uses/pins, and in case check with the DAB folks too.

Member

@AlexSCorey AlexSCorey left a comment


Looks good to me

SSTI via unsafe Jinja2 template evaluation in the @Jinja resolver.
Adds dynaconf as a direct dependency to force upgrade from 3.2.10.

Ref: AAP-69465

Assisted by: Claude Code
@B-Whitt B-Whitt force-pushed the fix/cve-2026-33154-dynaconf branch from c6a7d37 to 53d3ecf Compare April 13, 2026 15:53
@sonarqubecloud

@B-Whitt B-Whitt merged commit 8d5398e into ansible:main Apr 13, 2026
8 of 12 checks passed
@B-Whitt B-Whitt deleted the fix/cve-2026-33154-dynaconf branch April 13, 2026 16:08


5 participants