From 741f601698e12daa9a2179b3afbfebb871a3226b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Pasternak?=
Date: Thu, 18 Jun 2026 21:51:24 +0200
Subject: [PATCH 1/2] build(deps): bump django-denorm-iplweb 1.12.1 -> 1.12.2

Patch release of the denormalization library. Dependency metadata is identical to 1.12.1 (Django>=5.2, celery, celery-singleton, tqdm; requires-python >=3.10), so this is a low-risk, no-transitive-change bump. Validated locally against the denorm-backed test surface:
- src/bpp/tests/test_cache/ (materialized cache via DB triggers): 74 passed, 1 skipped
- test_autor_dyscyplina + ewaluacja_optymalizacja discipline pins: 22 passed

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 pyproject.toml | 2 +-
 uv.lock | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 366ffdfdf..7eb3247ee 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -35,7 +35,7 @@ dependencies = [
 "arrow>=1.3,<2",
 "numpy>=2.4.6",
 "pygad>=3.7.0",
- "django-denorm-iplweb>=1.12.1",
+ "django-denorm-iplweb>=1.12.2",
 "django-tabular-permissions==2.9.3",
 "simplejson>=4.1.1,<5",
 "django-reversion>=6.2.0,<7",
diff --git a/uv.lock b/uv.lock
index 01747b49d..9e5781c6a 100644
--- a/uv.lock
+++ b/uv.lock
@@ -571,7 +571,7 @@ requires-dist = [
 { name = "django-countdown", specifier = ">=0.2.0" },
 { name = "django-crispy-forms", specifier = ">=2.6,<3" },
 { name = "django-dbtemplates-iplweb", specifier = ">=4.3.2" },
- { name = "django-denorm-iplweb", specifier = ">=1.12.1" },
+ { name = "django-denorm-iplweb", specifier = ">=1.12.2" },
 { name = "django-dirtyfields", specifier = "==1.9.9" },
 { name = "django-dsl", specifier = ">=0.1.14" },
 { name = "django-dynamic-admin-columns", specifier = ">=0.5.0" },
@@ -1696,7 +1696,7 @@ wheels = [

 [[package]]
 name = "django-denorm-iplweb"
-version = "1.12.1"
+version = "1.12.2"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
 { name = "celery", marker = "platform_python_implementation != 'PyPy'" },
@@ -1704,9 +1704,9 @@ dependencies = [
 { name = "django", marker = "platform_python_implementation != 'PyPy'" },
 { name = "tqdm", marker = "platform_python_implementation != 'PyPy'" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/23/25/7599dbd6230198616ca954b04dd0de55293af25817a7403f81d538509e5f/django_denorm_iplweb-1.12.1.tar.gz", hash = "sha256:bfce41d5e31ce09e1c0fff2f0296ac3b3e1d65cad21517e18f0ef6f991d3ee1d", size = 131977, upload-time = "2026-06-13T18:14:27.189Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/d9/2c/172efaa431f4e899d46d1d459bdd2e04b0fb80276a5031a7fd86fa8daf8d/django_denorm_iplweb-1.12.2.tar.gz", hash = "sha256:5ff32ec58a2f183e0ba969370c83062bd2d39e539f043083fb808e761a06c285", size = 97341, upload-time = "2026-06-18T19:42:28.144Z" }
 wheels = [
- { url = "https://files.pythonhosted.org/packages/b6/e7/525825fe22d1d93e263c5cdc3498a8b571c3b067d5146a27f8d16d80e1d9/django_denorm_iplweb-1.12.1-py3-none-any.whl", hash = "sha256:62e77b5977effa77def6180854b3a552ed5a699adb35b5b03ce8774d181a7bb7", size = 69228, upload-time = "2026-06-13T18:14:25.742Z" },
+ { url = "https://files.pythonhosted.org/packages/fd/87/f4e9e2a2ff22235d0589b73f46ccf9bc96f3baac490ede52fdc3b37a6e41/django_denorm_iplweb-1.12.2-py3-none-any.whl", hash = "sha256:3f6335e7b72f5a4dafebdd829ae6b76c828a43cd31ac9e197d67c197f2600d82", size = 78842, upload-time = "2026-06-18T19:42:26.754Z" },
 ]

 [[package]]
From d6f1d74393c7cfb0819c291707b15b6fcc583dfe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Pasternak?=
Date: Thu, 18 Jun 2026 22:09:10 +0200
Subject: [PATCH 2/2] build(deps): bump pypdf security floor 6.13.0 -> 6.13.3

pip-audit flagged pypdf 6.13.2 (GHSA-jm82-fx9c-mx94, fixed in 6.13.3). pypdf is a transitive dep (via xhtml2pdf) constrained through constraint-dependencies; raise the security floor so future `uv lock` cannot regress below the patched version, and record the advisory in the audit comment alongside the existing CVEs. Verified: `uv export --no-dev | pip-audit` (same invocation as the dependency-audit.yml gate) reports "No known vulnerabilities found".

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 pyproject.toml | 6 +++---
 uv.lock | 8 ++++----
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 7eb3247ee..fce990aba 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -236,13 +236,13 @@ environments = ["python_version >= '3.10' and python_version < '3.15' and platfo
 # GHSA-gj48-438w-jh9v
 # daphne >=4.2.2 (via channels[daphne]) - PYSEC-2026-213,
 # PYSEC-2026-214
-# pypdf >=6.13.0 (via xhtml2pdf) - CVE-2026-48735,
+# pypdf >=6.13.3 (via xhtml2pdf) - CVE-2026-48735,
 # CVE-2026-49460, CVE-2026-49461, CVE-2026-54530,
-# CVE-2026-54531
+# CVE-2026-54531, GHSA-jm82-fx9c-mx94
 constraint-dependencies = [
 "bleach>=6.4.0",
 "daphne>=4.2.2",
- "pypdf>=6.13.0",
+ "pypdf>=6.13.3",
 ]

 # Polityka: KAZDA NOWA zewnetrzna zaleznosc powinna miec prebuilt wheel dla
diff --git a/uv.lock b/uv.lock
index 9e5781c6a..b3d475f65 100644
--- a/uv.lock
+++ b/uv.lock
@@ -23,7 +23,7 @@ supported-markers = [
 constraints = [
 { name = "bleach", specifier = ">=6.4.0" },
 { name = "daphne", specifier = ">=4.2.2" },
- { name = "pypdf", specifier = ">=6.13.0" },
+ { name = "pypdf", specifier = ">=6.13.3" },
 ]

 [[package]]
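Review bot: The rewritten audit comment in the pyproject.toml hunk now attaches all five earlier advisories (CVE-2026-48735 through CVE-2026-54531) to the `>=6.13.3` floor, although the removed line shows they were already satisfied by `>=6.13.0`, and only GHSA-jm82-fx9c-mx94 appears to require 6.13.3. Someone revisiting the pin later cannot tell from the comment which advisory actually forces the current floor, which matters when deciding whether a future relaxation or a CVE-specific backport is acceptable. Record the fixing version per advisory instead, e.g. `# pypdf >=6.13.3 (via xhtml2pdf) - GHSA-jm82-fx9c-mx94 (fixed 6.13.3);` followed by `#   CVE-2026-48735, CVE-2026-49460, CVE-2026-49461, CVE-2026-54530, CVE-2026-54531 (previous floor 6.13.0)`. The `>=` floor in `constraint-dependencies` only binds at `uv lock` time, so the lockfile hunk, not this comment, is what the pip-audit gate actually sees.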
@@ -4361,11 +4361,11 @@ wheels = [

 [[package]]
 name = "pypdf"
-version = "6.13.2"
+version = "6.13.3"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/99/0a/48fe05c6bb3aa4bb4d2a4079a383d33c0dfec1edf613a642f07d8b8b5c2e/pypdf-6.13.2.tar.gz", hash = "sha256:5a96a17dbdfbf9c2ab24c0a13fa0aba182be22ba6f283098712c16fc242f509f", size = 6479250, upload-time = "2026-06-10T16:42:34.5Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/17/18/9947cc201af9ccf76720fd3347bf4f70eb882ce3fcf4cb05f7443e4cf871/pypdf-6.13.3.tar.gz", hash = "sha256:f3cb822769725f1bac658c406cfc9460399043f3750c2d3e4650e0a85eacabd7", size = 6484063, upload-time = "2026-06-17T15:22:00.898Z" }
 wheels = [
- { url = "https://files.pythonhosted.org/packages/cb/17/378943705992f74e451a06de3401ce68e3213763c81e44d0614559c45599/pypdf-6.13.2-py3-none-any.whl", hash = "sha256:6eeb9e57693f29d41bd01255d02660cbbb41fd7fc818a982677389a35e4f2083", size = 346555, upload-time = "2026-06-10T16:42:32.37Z" },
+ { url = "https://files.pythonhosted.org/packages/94/56/2967e621598987905fb8cdfadd8f8de6b5c68c9351f0523c4df8409f28f1/pypdf-6.13.3-py3-none-any.whl", hash = "sha256:c6e3f86afb625791510b02ad5480e94b63970bb957df75d44657c282ecc52224", size = 347288, upload-time = "2026-06-17T15:21:59.512Z" },
 ]

 [[package]]