# Python code quality tools
# Most tools run via uvx (ruff, ty, bandit, safety, pip-audit)
# This file contains tools that need project context (run with uv run)

# Testing tools (need access to project code)
pytest==8.3.4
pyyaml>=6.0  # Required for yaml_merger tests; lower bound only, unlike the exact pins around it
pytest-cov==6.0.0
pytest-mock==3.15.1
pytest-asyncio==0.24.0

# Type stubs and runtime deps for optional modules
# (pinned for reproducibility)
pydantic==2.10.4
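# FastAPI 0.128.0 is pinned so that a Starlette release with fixes for the
# following advisories is installed:
# - CVE-2025-54121 (GHSA-2c2j-9gv5-cj73) - DoS via multipart forms
# - CVE-2025-62727 (GHSA-7f5h-v6xp-fcq8) - DoS via Range header merging
# NOTE(review): the fixes live in starlette, which is a transitive dependency
# and is not pinned in this file; confirm that the starlette version resolved
# in the environment carries both fixes (e.g. with pip-audit).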
fastapi==0.128.0
httpx==0.28.1

# Security: require a filelock release that fixes GHSA-qmgc-5h2g-mvrw
# Lower bound only (not an exact pin): 3.20.3 is the minimum version with the fix
filelock>=3.20.3
