From e76e3abf40492f8d3b5a4110bff2b7250cd0ad69 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Wirtel?=
Date: Tue, 21 Apr 2026 21:38:58 +0200
Subject: [PATCH 1/2] chore(deps): bump pillow from 12.1.1 to 12.2.0 in /requirements

Fixes GHSA-whj4-6x5x-4v2j (CVE-2026-40192): FITS GZIP decompression bomb in Pillow. Affected versions: >= 10.3.0, < 12.2.0.
---
 requirements/dev.txt | 2 +-
 requirements/main.txt | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/requirements/dev.txt b/requirements/dev.txt
index df9e562..fbad325 100644
--- a/requirements/dev.txt
+++ b/requirements/dev.txt
@@ -142,7 +142,7 @@ packaging==26.0
 # pip-audit
 # pip-requirements-parser
 # pipdeptree
-pillow==12.1.1
+pillow==12.2.0
 # via
 # -c main.txt
 # pillow-heif
diff --git a/requirements/main.txt b/requirements/main.txt
index 0f66959..56ca79b 100644
--- a/requirements/main.txt
+++ b/requirements/main.txt
@@ -117,7 +117,7 @@ packaging==26.0
 # via gunicorn
 pandas==3.0.1
 # via -r main.in
-pillow==12.1.1
+pillow==12.2.0
 # via
 # pillow-heif
 # wagtail

From 2497cc426c0567646f315c8a4a2606f0af92e927 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Wirtel?=
Date: Tue, 21 Apr 2026 21:42:13 +0200
Subject: [PATCH 2/2] chore(deps): bump django to 6.0.4 and uv to 0.11.7

Fixes pip-audit findings blocking CI:
- django 6.0.3 -> 6.0.4: CVE-2026-33033, CVE-2026-33034, CVE-2026-4292, CVE-2026-4277, CVE-2026-3902
- uv 0.10.8 -> 0.11.7: GHSA-pjjw-68hj-v9mw
---
 requirements/dev.txt | 4 ++--
 requirements/main.txt | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/requirements/dev.txt b/requirements/dev.txt
index fbad325..ee8a2a2 100644
--- a/requirements/dev.txt
+++ b/requirements/dev.txt
@@ -35,7 +35,7 @@ defusedxml==0.7.1
 # -c main.txt
 # py-serializable
 # willow
-django==6.0.3
+django==6.0.4
 # via
 # -c main.txt
 # django-debug-toolbar
@@ -212,7 +212,7 @@ urllib3==2.6.3
 # via
 # -c main.txt
 # requests
-uv==0.10.8
+uv==0.11.7
 # via -r dev.in
 wagtail==7.2.3
 # via
diff --git a/requirements/main.txt b/requirements/main.txt
index 56ca79b..75366a7 100644
--- a/requirements/main.txt
+++ b/requirements/main.txt
@@ -32,7 +32,7 @@ dj-database-url==3.1.2
 # via -r main.in
 dj-static==0.0.6
 # via -r main.in
-django==6.0.3
+django==6.0.4
 # via
 # -r main.in
 # dj-database-url