
Add fixes for all GitHub Dependabot security alerts #745

Merged: forstmeier merged 1 commit into master from address-dependabot-security-alerts, Feb 4, 2026

Conversation

forstmeier (Collaborator) commented Feb 4, 2026

Overview

Changes

  • update various packages with security risks

Context

Dependabot told me to do this. So I made Claude do it.

Summary by CodeRabbit

  • Chores
    • Updated multiple dependencies to latest compatible versions across infrastructure and application components.
    • Added required dependencies for enhanced platform support.

coderabbitai Bot (Contributor) commented Feb 4, 2026

Walkthrough

Dependency versions are updated across multiple configuration files: AWS SDK libraries and validator in Rust, sagemaker in Python, and pip and protobuf are added to the infrastructure module. No functional code changes are introduced.

Changes

  • Rust Cargo Dependencies (applications/datamanager/Cargo.toml): aws-config bumped from 1.5.8 to 1.5; aws-sdk-s3 updated from 1.48.0 to 1.112; validator updated from 0.18 to 0.20 with derive feature enabled.
  • Python Infrastructure Dependencies (infrastructure/pyproject.toml): Added two new dependencies: pip (>=25.3,<26.0) and protobuf (>=5.29.5,<6.0.0).
  • Python Main Dependencies (pyproject.toml): sagemaker version bumped from 2.252.0 to 2.256.0.

Estimated code review effort: 2 (Simple), ~12 minutes

Pre-merge checks: 3 passed

  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title accurately reflects the main purpose of the PR—addressing GitHub Dependabot security alerts by updating dependencies across multiple manifest files (Cargo.toml, pyproject.toml).
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


forstmeier (Collaborator, Author) commented Feb 4, 2026

forstmeier requested a review from Copilot, February 4, 2026 03:08
forstmeier added labels dependencies (Dependency or security updates), rust (Rust code updates), python (Python code updates), Feb 4, 2026
forstmeier moved this from To Do to In Progress in Overview, Feb 4, 2026
Copilot AI (Contributor) left a comment

Pull request overview

This PR addresses GitHub Dependabot security alerts by updating vulnerable dependencies across Python and Rust projects.

Changes:

  • Updated sagemaker dependency to version 2.256.0 or higher
  • Added explicit version constraints for pip and protobuf in infrastructure
  • Updated AWS SDK crates and validator crate to address Rust security alerts

Reviewed changes

Copilot reviewed 3 out of 6 changed files in this pull request and generated 1 comment.

  • pyproject.toml: Bumped sagemaker minimum version to 2.256.0
  • infrastructure/pyproject.toml: Added pip and protobuf with version constraints
  • applications/datamanager/Cargo.toml: Updated AWS SDK and validator dependencies

greptile-apps Bot (Contributor) commented Feb 4, 2026

Greptile Summary

Updates dependency versions across Rust and Python to address GitHub Dependabot security alerts.

Key changes:

  • Rust: Updated aws-sdk-s3 (1.48→1.112), validator (0.18→0.20), and relaxed aws-config to 1.5 semver range in datamanager application
  • Python: Updated sagemaker (2.252.0→2.256.0) and added explicit pip (25.3) and protobuf (5.29.5) to infrastructure dependencies
  • Cleanup: Removed nested applications/datamanager/Cargo.lock (correct for workspace structure)

All changes are security-focused dependency updates with no breaking API changes expected. Lock files reflect transitive dependency updates.

Confidence Score: 5/5

  • This PR is safe to merge - contains only security-focused dependency updates
  • All updates are minor/patch version bumps addressing Dependabot security alerts. No breaking changes expected: AWS SDK and validator updates are backward-compatible within their semver ranges, Python packages use minimum version constraints, and the removal of nested Cargo.lock follows proper workspace conventions.
  • No files require special attention

Important Files Changed

  • applications/datamanager/Cargo.toml: Updates AWS SDK S3 from 1.48 to 1.112, validator from 0.18 to 0.20, and relaxes aws-config to 1.5 semver range for security fixes
  • pyproject.toml: Updates sagemaker from >=2.252.0 to >=2.256.0 to address security vulnerability
  • infrastructure/pyproject.toml: Adds pip >=25.3 and protobuf >=5.29.5 dependencies to address security vulnerabilities in transitive dependencies

chrisaddy previously approved these changes, Feb 4, 2026
Base automatically changed from various-cleanup to master, February 4, 2026 19:21
forstmeier dismissed chrisaddy’s stale review, February 4, 2026 19:21: The base branch was changed.
forstmeier force-pushed the address-dependabot-security-alerts branch from 8c0d424 to 1fb422d, February 4, 2026 19:22
coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 3

Fix all issues with AI agents

In `@applications/datamanager/Cargo.toml`:
- Around line 30-31: The dependency bumps for aws-config and aws-sdk-s3 are too loose/large: update Cargo.toml to pin aws-config to a concrete patch version (e.g., "1.5.18" or the chosen vetted 1.5.x) and either pin aws-sdk-s3 to a specific 1.112.x patch (e.g., "1.112.0" or the vetted patch) or revert to a previously tested minor version; after changing the version strings for aws-config and aws-sdk-s3, run cargo update -p aws-config -p aws-sdk-s3 and run the project tests/compile to verify there are no API breakages (inspect usages of aws_config and aws_sdk_s3 modules and adjust callsites if the newer sdk introduced API changes).

In `@infrastructure/pyproject.toml`:
- Around line 12-13: Remove the direct pins "pip>=25.3,<26.0" and "protobuf>=5.29.5,<6.0.0" from the project dependencies: pip must not be a runtime dependency (remove the "pip..." entry) and protobuf appears to be a transitive pin and should be managed via dependency constraints instead of a direct dependency; add the protobuf pin (and pip if you need to enforce a specific pip version for builds) into the constraints section (e.g. [tool.uv.constraint-dependencies] or your repo's constraints file) and update the PR with confirmation that these changes were approved by the security review process if they originated from Dependabot.

In `@pyproject.toml`:
- Line 11: Remove the duplicated root dependencies from the child workspace pyproject: delete the entries for structlog>=25.5.0, numpy>=1.26.4, and tinygrad>=0.10.3 from applications/equitypricemodel/pyproject.toml (keep the sagemaker>=2.256.0 line), ensuring the child relies on the root pyproject definitions; after removal, update the workspace lockfile/install (e.g., run poetry or your workspace package manager) so the dependency graph reflects the change.

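The CodeRabbit comments above raise three manifest-hygiene points for the Python side: a build tool (pip) should not sit in runtime dependencies, a pin on a transitive package (protobuf) belongs in dependency constraints rather than in the direct dependency list, and a security bump is only effective if the declared floor actually reaches the fixed release. The script below is an added example, not code from this repository, from CodeRabbit, or from Dependabot. It assumes the project uses uv, so transitive pins live under [tool.uv] constraint-dependencies; the two manifests it audits are constructed samples shaped like the before and after of this PR, the transitive_only set stands in for what the resolver's dependency tree would report, and the required floors are the versions this PR bumped to (sagemaker 2.256.0, protobuf 5.29.5).

```python
"""Dependency-hygiene audit for a pyproject.toml (added example; not the
project's own code). Assumptions: uv-style constraints under
[tool.uv] constraint-dependencies; sample manifests below are constructed;
`transitive_only` stands in for the resolver's dependency tree."""
import re

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# Tooling that belongs to the build/CI toolchain, never to runtime deps.
BUILD_TOOLS = frozenset({"pip", "setuptools", "wheel"})

_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)$")
_SPEC = re.compile(r"(===|==|!=|~=|<=|>=|<|>)\s*([0-9][0-9A-Za-z.*+-]*)")


def _version_key(version):
    """Numeric tuple so '2.256.0' sorts after '2.99.0' (release parts only)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def parse_requirement(req):
    """Split a PEP 508 string into (normalised name, [(op, version), ...])."""
    m = _REQ.match(req)
    if m is None:
        raise ValueError(f"unparseable requirement: {req!r}")
    name = m.group(1).lower().replace("_", "-")
    return name, _SPEC.findall(m.group(3))


def audit_pyproject(text, transitive_only=frozenset(), fixed_versions=None):
    """Return a list of (package, problem) findings for one pyproject.toml.

    fixed_versions maps a package to the first release that closes its
    advisory; the audit checks that some floor (>=, ==, ===, ~=) in either
    the runtime dependencies or the uv constraints reaches that release.
    """
    fixed_versions = fixed_versions or {}
    data = tomllib.loads(text)
    runtime = data.get("project", {}).get("dependencies", [])
    constraints = data.get("tool", {}).get("uv", {}).get("constraint-dependencies", [])
    findings = []

    for req in runtime:
        name, _ = parse_requirement(req)
        if name in BUILD_TOOLS:
            findings.append((name, "build tool listed as a runtime dependency; remove it"))
        if name in transitive_only:
            findings.append((name, "transitive package pinned as a direct dependency; "
                                   "move the pin to [tool.uv] constraint-dependencies"))

    parsed = [parse_requirement(r) for r in list(runtime) + list(constraints)]
    for pkg, fixed in fixed_versions.items():
        floors = [v for name, specs in parsed if name == pkg
                  for op, v in specs if op in (">=", "==", "===", "~=")]
        if not floors:
            findings.append((pkg, f"no lower bound; releases below {fixed} still resolve"))
        elif _version_key(max(floors, key=_version_key)) < _version_key(fixed):
            findings.append((pkg, f"floor below fixed release {fixed}"))
    return findings


# Constructed sample: the manifest shape the review comments object to.
WEAK_PYPROJECT = """
[project]
name = "example-service"
version = "0.1.0"
dependencies = [
    "boto3>=1.34",
    "sagemaker>=2.252.0",
    "pip>=25.3,<26.0",
    "protobuf>=5.29.5,<6.0.0",
]
"""

# Constructed sample after applying the review: pip dropped, protobuf moved
# to uv constraints, sagemaker floor raised to the release the alert names.
FIXED_PYPROJECT = """
[project]
name = "example-service"
version = "0.1.0"
dependencies = [
    "boto3>=1.34",
    "sagemaker>=2.256.0",
]

[tool.uv]
constraint-dependencies = ["protobuf>=5.29.5,<6.0.0"]
"""

# Floors taken from the versions this PR bumped to.
FIXED_VERSIONS = {"sagemaker": "2.256.0", "protobuf": "5.29.5"}
TRANSITIVE_ONLY = frozenset({"protobuf"})  # would come from `uv tree` or pipdeptree


def audit_samples():
    """Run the audit over both constructed manifests: (before, after)."""
    return (audit_pyproject(WEAK_PYPROJECT, TRANSITIVE_ONLY, FIXED_VERSIONS),
            audit_pyproject(FIXED_PYPROJECT, TRANSITIVE_ONLY, FIXED_VERSIONS))


if __name__ == "__main__":
    before, after = audit_samples()
    for pkg, problem in before:
        print(f"before: {pkg}: {problem}")
    print(f"after: {len(after)} finding(s)")
```

Against the weak manifest the audit reports pip (build tool in runtime dependencies), protobuf (transitive pin in the direct list) and sagemaker (floor 2.252.0 below the 2.256.0 fix); the corrected manifest produces no findings. The version comparison is deliberately release-parts-only, so pre-release or local-version suffixes are ignored; a real CI gate would use packaging.version for full PEP 440 ordering.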
forstmeier merged commit 63e23ea into master, Feb 4, 2026 (4 checks passed)
github-project-automation Bot moved this from In Progress to Done in Overview, Feb 4, 2026
forstmeier deleted the address-dependabot-security-alerts branch, February 4, 2026 19:34
coderabbitai Bot mentioned this pull request, Mar 21, 2026