From 911ab64520b274e85e64d0b6904f942796fdf26d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 23 Feb 2026 05:40:18 +0000 Subject: [PATCH 1/5] Bump the python-dependencies group across 2 directories with 2 updates Updates the requirements on [paramiko](https://github.com/paramiko/paramiko) and [pip-tools](https://github.com/jazzband/pip-tools) to permit the latest version. Updates `paramiko` to 4.0.0 - [Commits](https://github.com/paramiko/paramiko/compare/release-1.7.4...4.0.0) Updates `pip-tools` from 7.5.1 to 7.5.3 - [Release notes](https://github.com/jazzband/pip-tools/releases) - [Changelog](https://github.com/jazzband/pip-tools/blob/main/CHANGELOG.md) - [Commits](https://github.com/jazzband/pip-tools/compare/v7.5.1...v7.5.3) --- updated-dependencies: - dependency-name: paramiko dependency-version: 4.0.0 dependency-type: direct:production dependency-group: python-dependencies - dependency-name: pip-tools dependency-version: 7.5.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: python-dependencies ... Signed-off-by: dependabot[bot] --- .github/utils/requirements_audit.txt | 2 +- pyproject.toml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/utils/requirements_audit.txt b/.github/utils/requirements_audit.txt index a9db4222..1761760b 100644 --- a/.github/utils/requirements_audit.txt +++ b/.github/utils/requirements_audit.txt @@ -1 +1 @@ -pip-tools==7.5.1 +pip-tools==7.5.3 diff --git a/pyproject.toml b/pyproject.toml index d63d5339..ff9ab438 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -31,7 +31,7 @@ dependencies = [ # Strategy dependencies "celery>=5.6.0,<6", "openpyxl>=3.1.5,<4", - "paramiko<4", + "paramiko<5", "Pillow>=10.4.0,<13", "psycopg[binary]>=3.2.6,<4", "pysftp~=0.2.9", From cd577a34c77f8c6c766e8a31c446837943860534 Mon Sep 17 00:00:00 2001 
From: Casper Welzel Andersen Date: Tue, 10 Mar 2026 09:01:04 +0100 Subject: [PATCH 2/5] Update pip-audit CI job Ignore diskcache CVE-2025-69872 safety issue. Remove temporary installation of older pip version. --- .github/workflows/ci_tests.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci_tests.yml b/.github/workflows/ci_tests.yml index dbdb9f68..98a1f154 100644 --- a/.github/workflows/ci_tests.yml +++ b/.github/workflows/ci_tests.yml @@ -75,9 +75,6 @@ jobs: pip install -U setuptools wheel pip install -U -r .github/utils/requirements_audit.txt - # TEMPORARY: Install pip<25.3 to avoid issues with pip-compile and pip 25.3+ - pip install "pip<25.3" - - name: Create requirements.txt for pip-audit run: pip-compile --output-file="${{ runner.temp }}/requirements.txt" --all-extras --verbose --color "${{ github.workspace }}/pyproject.toml" @@ -85,6 +82,12 @@ jobs: uses: pypa/gh-action-pip-audit@v1.1.0 with: inputs: '${{ runner.temp }}/requirements.txt' + # CVE-2025-69872: DiskCache 5.6.3 + # DiskCache (python-diskcache) through 5.6.3 uses Python pickle for serialization by default. + # An attacker with write access to the cache directory can achieve arbitrary code execution + # when a victim application reads from the cache. + ignore-vulns: | + CVE-2025-69872 pytest-linux: name: pytest (linux-py${{ matrix.python-version }}) From 0cc3f456cf49f5191fdc678d28e3d662ef62c946 Mon Sep 17 00:00:00 2001 From: Casper Welzel Andersen Date: Tue, 10 Mar 2026 09:06:52 +0100 Subject: [PATCH 3/5] Added notice about the diskcache vulnerability to docs --- README.md | 4 ++++ docs/index.md | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/README.md b/README.md index 902fafb7..dfb5b228 100644 --- a/README.md +++ b/README.md 
@@ -12,6 +12,10 @@ We highly recommend reading this page in [the official documentation](https://emmc-asbl.github.io/oteapi-core). +> **Important**: When using the `DataCache`, which is based on the [`diskcache`](https://grantjenks.com/docs/diskcache/) library, it is important to note that the cache uses pickle for serialization. +> If not properly secured, an attacker with write access to the cache directoy can achieve arbitrary code execution. +> This issue is described in further detail in the [CVE-2025-69872](https://www.cve.org/CVERecord?id=CVE-2025-69872) vulnerability. + ## About OTEAPI Core OTEAPI Core provides the core functionality of OTEAPI, which stands for the *Open Translation Environment API*. diff --git a/docs/index.md b/docs/index.md index 8885b744..69a4e946 100644 --- a/docs/index.md +++ b/docs/index.md @@ -12,6 +12,10 @@ We highly recommend reading this page in [the official documentation](https://emmc-asbl.github.io/oteapi-core). +> **Important**: When using the `DataCache`, which is based on the [`diskcache`](https://grantjenks.com/diskcache/) library, it is important to note that the cache uses pickle for serialization. +> If not properly secured, an attacker with write access to the cache directoy can achieve arbitrary code execution. +> This issue is described in further detail in the [CVE-2025-69872](https://www.cve.org/CVERecord?id=CVE-2025-69872) vulnerability. + ## About OTEAPI Core OTEAPI Core provides the core functionality of OTEAPI, which stands for the *Open Translation Environment API*. From 340c7667082cda0795c20cc707932baf76e9abec Mon Sep 17 00:00:00 2001 From: Casper Welzel Andersen Date: Tue, 10 Mar 2026 09:09:29 +0100 Subject: [PATCH 4/5] Update README notice to render nicely in docs --- README.md | 7 ++++--- docs/index.md | 7 ++++--- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index dfb5b228..22c7f8f5 100644 --- a/README.md +++ b/README.md 
@@ -12,9 +12,10 @@ We highly recommend reading this page in [the official documentation](https://emmc-asbl.github.io/oteapi-core). -> **Important**: When using the `DataCache`, which is based on the [`diskcache`](https://grantjenks.com/docs/diskcache/) library, it is important to note that the cache uses pickle for serialization. -> If not properly secured, an attacker with write access to the cache directoy can achieve arbitrary code execution. -> This issue is described in further detail in the [CVE-2025-69872](https://www.cve.org/CVERecord?id=CVE-2025-69872) vulnerability. +!!! warning "Security Notice" + When using the `DataCache`, which is based on the [`diskcache`](https://grantjenks.com/docs/diskcache/) library, it is important to note that the cache uses pickle for serialization. + If not properly secured, an attacker with write access to the cache directoy can achieve arbitrary code execution. + This issue is described in further detail in the [CVE-2025-69872](https://www.cve.org/CVERecord?id=CVE-2025-69872) vulnerability. ## About OTEAPI Core diff --git a/docs/index.md b/docs/index.md index 69a4e946..affdb7f4 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -12,9 +12,10 @@ We highly recommend reading this page in [the official documentation](https://emmc-asbl.github.io/oteapi-core). -> **Important**: When using the `DataCache`, which is based on the [`diskcache`](https://grantjenks.com/diskcache/) library, it is important to note that the cache uses pickle for serialization. -> If not properly secured, an attacker with write access to the cache directoy can achieve arbitrary code execution. -> This issue is described in further detail in the [CVE-2025-69872](https://www.cve.org/CVERecord?id=CVE-2025-69872) vulnerability. +!!! warning "Security Notice" + When using the `DataCache`, which is based on the [`diskcache`](https://grantjenks.com/diskcache/) library, it is important to note that the cache uses pickle for serialization. + If not properly secured, an attacker with write access to the cache directoy can achieve arbitrary code execution. + This issue is described in further detail in the [CVE-2025-69872](https://www.cve.org/CVERecord?id=CVE-2025-69872) vulnerability. ## About OTEAPI Core From 7a9c77063956e02882e2daa3477003af74353536 Mon Sep 17 00:00:00 2001 From: Casper Welzel Andersen Date: Tue, 10 Mar 2026 09:12:19 +0100 Subject: [PATCH 5/5] Revert paramiko update ALso add comment as to why this is kept below v4. --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index ff9ab438..8230491e 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -31,7 +31,7 @@ dependencies = [ # Strategy dependencies "celery>=5.6.0,<6", "openpyxl>=3.1.5,<4", - "paramiko<5", + "paramiko<4", # version 4+ has some breaking changes and is not yet supported by pysftp "Pillow>=10.4.0,<13", "psycopg[binary]>=3.2.6,<4", "pysftp~=0.2.9",
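Review bot: in the pyproject.toml hunk of PATCH 1/5, widening `"paramiko<4"` to `"paramiko<5"` admits paramiko 4.0.0 while `"pysftp~=0.2.9"` on the same dependency list stays pinned; pysftp is a thin wrapper over paramiko, so an upper bound on paramiko should only be raised after pysftp has been confirmed to work with the new major (PATCH 5/5 in this series reverts the change for exactly that reason). A Dependabot group bump like this one is a poor place to change a major-version ceiling, since the 4.0.0 range notes (`release-1.7.4...4.0.0`) give no indication of what was actually tested against this project.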
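Review bot: in the first ci_tests.yml hunk of PATCH 2/5, removing the `pip install "pip<25.3"` workaround only works because the pip-tools bump from 7.5.1 to 7.5.3 in PATCH 1/5 lands alongside it, but neither commit message records that dependency. State in the message that the pip-tools update is what resolves the pip-compile incompatibility with pip 25.3+, so that a later revert of one change does not silently re-break the other.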
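Review bot: in the second ci_tests.yml hunk of PATCH 2/5, the `ignore-vulns: | CVE-2025-69872` entry suppresses the finding indefinitely, and the comment above it only restates the advisory text rather than saying why suppression is acceptable here. Add the justification (for example, no fixed diskcache release is available yet and the cache directory is expected to be writable only by the application user), a link to a tracking issue, and a date or condition for removing the exception, so the ignore rule does not outlive the situation that justified it. Also confirm that `ignore-vulns` is the intended knob for `pypa/gh-action-pip-audit@v1.1.0`; a one-ID block scalar is fine, but a reviewer should be able to see from the workflow that the suppression is scoped to this single advisory.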
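Review bot: the two notices added in PATCH 3/5 link to different diskcache URLs (`https://grantjenks.com/docs/diskcache/` in README.md versus `https://grantjenks.com/diskcache/` in docs/index.md); pick one and use it in both files. `directoy` should be `directory` in both. The notice describes the risk but offers no mitigation: a sentence telling users to keep the cache directory writable only by the application user and off shared or world-writable storage would make it actionable, since restricting write access to the directory is the condition under which the pickle-based cache is safe to use.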
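Review bot: in the README.md hunk of PATCH 4/5, the `!!! warning "Security Notice"` admonition syntax is a MkDocs / Python-Markdown extension that GitHub and PyPI do not render, so the security notice will appear there as ordinary paragraph text beginning with the literal `!!! warning "Security Notice"`. Keep the blockquote (or GitHub's `> [!WARNING]` alert syntax) in README.md and use the admonition only in docs/index.md, unless the docs build consumes README.md directly and needs identical sources. The `directoy` typo and the inconsistent diskcache URLs from PATCH 3/5 are carried over unchanged into both files.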
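Review bot: in the pyproject.toml hunk of PATCH 5/5, restoring `"paramiko<4"` with the comment about pysftp is the right call, but without a corresponding ignore rule for paramiko major updates in the Dependabot configuration the bot will reopen this bump on its next run; add that rule and reference the comment from it. Because the ceiling now depends on pysftp catching up, track it in an issue so that any future paramiko 3.x advisories surfaced by the pip-audit job have a planned exit rather than another `ignore-vulns` entry.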