
chore(docs): sync supply-chain record with pyproject after #531/#553 [PYSDK-114]#605

Merged
helmut-hoffer-von-ankershoffen merged 2 commits into main from fix/PYSDK-114-audit-doc-sync
Apr 27, 2026

Conversation


@helmut-hoffer-von-ankershoffen helmut-hoffer-von-ankershoffen commented Apr 27, 2026

🛡️ Resolves PYSDK-114. Governed by PR-SOP-01 Problem Resolution and Non-Conforming Products.

Why this PR exists

make audit on main is green and every pyproject.toml lower bound correctly protects downstream consumers — including for the two CVE-driven bot bumps in this PR's scope. But the auditable record in SUPPLY_CHAIN_VULNERABILITIES.md and one inline annotation in pyproject.toml lag behind reality after merges of #531 (nicegui) and #553 (nbconvert). Reviewers reading the doc would see a snapshot inconsistent with the metadata published to PyPI.

This PR closes that gap. It is a pure record-keeping fix — no version constraint changes, no uv lock regeneration, no consumer-visible behaviour change.

Key property: no dependency was upgraded

Every existing lower bound in pyproject.toml is preserved. The diff only:

  • raises one row's Constraint column in SUPPLY_CHAIN_VULNERABILITIES.md to match what is already in pyproject.toml
  • extends two rows' Protects against columns with CVE ids whose fixes the existing bound already enforces
  • rewrites one inline # CVE-… annotation in pyproject.toml to name the CVEs whose fixes the bound already enforces

What changed

SUPPLY_CHAIN_VULNERABILITIES.md: nicegui[native] row (line 104)

SUPPLY_CHAIN_VULNERABILITIES.md: nbconvert row (line 124)

  • Protects-against list: extended with CVE-2026-39377 (>=7.17.1) and CVE-2026-39378 (>=7.17.1) (both CVSS 6.5 Medium). Existing CVE-2025-53000 (>=7.17.0) reformatted to match the rest of the table's "since-which-version" convention.
  • Severity stays High (max across the protected CVEs).

pyproject.toml: nbconvert inline annotation (line 158)

- "nbconvert>=7.17.1",  # CVE-2025-53000 (>=7.17.0, Dependabot #424); Dependabot #553 raised to 7.17.1
+ "nbconvert>=7.17.1",  # CVE-2025-53000 (>=7.17.0, Dependabot #424); CVE-2026-39377, CVE-2026-39378 (>=7.17.1, Dependabot #553)
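Review bot: the rewritten annotation keeps `(>=7.17.0, Dependabot #424)` next to CVE-2025-53000 while the enforced bound on the same line is `>=7.17.1`, so the parenthesised version has to be read as the CVE's first fixed version rather than the bound; stating that convention once above the dependency list (e.g. `# <CVE id> (<first fixed version>, <bot PR>)`) would make the annotation parseable and let the manual doc-vs-pyproject cross-check in the test plan be scripted instead of eyeballed.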

Accepted advisories — unchanged

The only entry in the Active acceptances table is CVE-2026-3219 (pip archive type confusion, dev-only, no upstream fix released yet). Re-verified this run: still warranted; pip 26.0.1 is the latest, fix is in unreleased pip 26.1.

Auditable record — changes to SUPPLY_CHAIN_VULNERABILITIES.md

Active acceptances — added: none. — removed: none. — changed: none.

Enforced lower bounds — raised

  • nicegui[native] >=3.9.0,<4 → >=3.11.0,<4 — adds documented protection against CVE-2026-39844 (Medium).

Enforced lower bounds — annotation only (no version change)

  • nbconvert >=7.17.1: Protects against extended with CVE-2026-39377 (Medium) and CVE-2026-39378 (Medium); severity stays High.

Test plan

  • make audit green (only the existing CVE-2026-3219 ignore fires; still justified)
  • make lint green
  • make test_unit green
  • Manual cross-check: every CVE/GHSA id in updated SUPPLY_CHAIN_VULNERABILITIES.md rows matches an inline # CVE-… annotation in pyproject.toml and vice versa
  • Manual cross-check: every pyproject.toml lower bound covered by an updated row equals or exceeds the doc-row constraint

Out of scope

  • New CVE remediation — none surfaced this run.
  • Sort-order rot of the Enforced lower bounds table (rows from 2025-12-10 interleaved with 2026-04-24) — pre-existing, not introduced here. A separate audit-skill enhancement is being requested.

🤖 Generated with Claude Code
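The two manual cross-checks in the test plan above (every CVE id in a doc row matches a `# CVE-…` annotation in pyproject.toml and vice versa; every pyproject lower bound equals or exceeds the doc-row constraint), as an added Python example that is not part of this PR or of the project's own tooling. It assumes the two formats shown in its constructed samples (one dependency string per line with a trailing `# CVE-… (>=fix, PR)` comment, and a Package | Constraint | Protects against | Severity markdown table), additionally checks that each CVE's stated fix version is really enforced by the bound, and reports the exact drift this PR closed when run against the stale nicegui[native] row.

```python
import re

# Constructed sample inputs, not the project's real files. Assumed formats: one dependency
# string per line with a trailing '# CVE-... (>=fix, PR)' comment; a markdown table with
# Package | Constraint | Protects against | Severity columns.
PYPROJECT = '''
    "nicegui[native]>=3.11.0,<4",  # CVE-2026-39844 (>=3.11.0, Renovate #531)
    "nbconvert>=7.17.1",  # CVE-2025-53000 (>=7.17.0, Dependabot #424); CVE-2026-39377, CVE-2026-39378 (>=7.17.1, Dependabot #553)
'''
DOC_TABLE = '''
| Package | Constraint | Protects against | Severity |
|---|---|---|---|
| nicegui[native] | >=3.11.0,<4 | CVE-2026-39844 (>=3.11.0) | Medium |
| nbconvert | >=7.17.1 | CVE-2025-53000 (>=7.17.0), CVE-2026-39377 (>=7.17.1), CVE-2026-39378 (>=7.17.1) | High |
'''
# The nicegui[native] row as it read before the sync: constraint and CVE list lag behind pyproject.
STALE_DOC_TABLE = DOC_TABLE.replace("| >=3.11.0,<4 | CVE-2026-39844 (>=3.11.0) |", "| >=3.9.0,<4 | - |")
DEP_RE = re.compile(r'"([\w.\-]+(?:\[[^\]]+\])?)>=([\d.]+)[^"]*"\s*,\s*#\s*(.*)')   # name, bound, comment
ROW_RE = re.compile(r'^\|\s*([^|]+?)\s*\|\s*>=([\d.]+)[^|]*\|\s*([^|]*?)\s*\|', re.M)  # pkg, bound, protects
FIX_RE = re.compile(r'((?:CVE-\d{4}-\d+(?:,\s*)?)+)\s*\(>=([\d.]+)')                 # "CVE-a, CVE-b (>=v"
CVE_RE = re.compile(r'CVE-\d{4}-\d+')
def vtuple(v): return tuple(int(x) for x in v.split('.'))
def vstr(t): return '.'.join(map(str, t))

def fix_versions(text):
    """Map each CVE id to the first fixed version stated after it (the '(>=x.y.z' part)."""
    return {c: vtuple(m.group(2)) for m in FIX_RE.finditer(text) for c in CVE_RE.findall(m.group(1))}
def parse_pyproject(text):
    return {m.group(1): (vtuple(m.group(2)), fix_versions(m.group(3))) for m in DEP_RE.finditer(text)}
def parse_doc(text):
    return {m.group(1): (vtuple(m.group(2)), fix_versions(m.group(3))) for m in ROW_RE.finditer(text)}

def cross_check(pyproject_text, doc_text):
    """Return discrepancies between the two records; an empty list means they are in sync."""
    deps, rows, problems = parse_pyproject(pyproject_text), parse_doc(doc_text), []
    for pkg, (bound, fixes) in deps.items():
        if pkg not in rows:
            problems.append(f"{pkg}: annotated in pyproject.toml but missing from the doc table")
            continue
        doc_bound, doc_fixes = rows[pkg]
        if bound != doc_bound:  # record drift: the doc constraint must mirror the enforced bound
            problems.append(f"{pkg}: doc constraint >={vstr(doc_bound)} != pyproject >={vstr(bound)}")
        if set(fixes) != set(doc_fixes):  # two-way CVE id cross-check
            problems.append(f"{pkg}: CVE ids differ: {sorted(set(fixes) ^ set(doc_fixes))}")
        for cve, fix in {**doc_fixes, **fixes}.items():  # does the bound actually enforce each fix?
            if fix > bound:
                problems.append(f"{pkg}: {cve} fixed in {vstr(fix)} but bound is only >={vstr(bound)}")
    problems += [f"{pkg}: in doc table but not annotated in pyproject.toml" for pkg in rows.keys() - deps.keys()]
    return problems
```

`cross_check(PYPROJECT, DOC_TABLE)` returns an empty list for the synced samples, while `cross_check(PYPROJECT, STALE_DOC_TABLE)` reports the constraint mismatch and the missing CVE-2026-39844 id.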

…[PYSDK-114]

The auditable record in SUPPLY_CHAIN_VULNERABILITIES.md and one inline
annotation in pyproject.toml lagged behind reality after Renovate #531
(nicegui 3.9.0 -> 3.11.0, citing CVE-2026-39844) and Dependabot #553
(nbconvert 7.17.0 -> 7.17.1, citing CVE-2026-39377 + CVE-2026-39378)
were merged. The lower bounds in pyproject.toml were correctly raised at
merge time, so no consumer was exposed; the gap was purely in the
reviewer-facing record.

This is a record-keeping fix only: no version constraint changes, no
uv.lock regeneration, no consumer-visible behaviour change. Every
existing pyproject.toml lower bound is preserved.

Discovered by the pysdk-audit-daily routine on 2026-04-27 during the
clean-audit no-op path (Step 1b/1d.1 bot-PR walk).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 27, 2026 07:59
@helmut-hoffer-von-ankershoffen helmut-hoffer-von-ankershoffen requested a review from a team as a code owner April 27, 2026 07:59
@helmut-hoffer-von-ankershoffen helmut-hoffer-von-ankershoffen added labels Apr 27, 2026: skip:test:long_running (Skip long-running tests, ≥5min); sop:pr-sop-01 (PR-SOP-01 Problem Resolution: bug / anomaly fix); type:docs (Documentation-only change); security:supply-chain (Supply-chain dependency vulnerability remediation); auto-merge (Eligible for auto-merge once CI is green)
@helmut-hoffer-von-ankershoffen helmut-hoffer-von-ankershoffen marked this pull request as draft April 27, 2026 07:59

Copilot AI left a comment


Pull request overview

This PR synchronizes the project’s auditable supply-chain vulnerability record (SUPPLY_CHAIN_VULNERABILITIES.md) and inline CVE annotations in pyproject.toml with dependency lower bounds that are already enforced (post-#531 and #553), keeping the documentation consistent with published metadata.

Changes:

  • Update the nicegui[native] row in SUPPLY_CHAIN_VULNERABILITIES.md to reflect the already-enforced >=3.11.0,<4 constraint and include CVE-2026-39844 in the protected set.
  • Expand the nbconvert row in SUPPLY_CHAIN_VULNERABILITIES.md to include CVE-2026-39377 and CVE-2026-39378 (while preserving the existing lower bound).
  • Refine the inline nbconvert CVE annotation in pyproject.toml to match the CVEs protected by the existing >=7.17.1 bound.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| pyproject.toml | Updates the nbconvert inline CVE annotation under the jupyter extra to reflect current protected CVEs. |
| SUPPLY_CHAIN_VULNERABILITIES.md | Updates enforced-lower-bound records for nicegui[native] and nbconvert to match pyproject.toml and current CVE coverage. |

@helmut-hoffer-von-ankershoffen helmut-hoffer-von-ankershoffen marked this pull request as ready for review April 27, 2026 08:08
Copilot AI review requested due to automatic review settings April 27, 2026 08:08
@helmut-hoffer-von-ankershoffen helmut-hoffer-von-ankershoffen merged commit 3ee8ac2 into main Apr 27, 2026
5 checks passed
@helmut-hoffer-von-ankershoffen helmut-hoffer-von-ankershoffen deleted the fix/PYSDK-114-audit-doc-sync branch April 27, 2026 08:08

claude Bot commented Apr 27, 2026

Claude finished @helmut-hoffer-von-ankershoffen's task in 5m 7s


Review Complete ✅

I've completed a comprehensive review of PR #605 — a documentation synchronization for supply chain vulnerabilities.


Summary

This PR correctly synchronizes SUPPLY_CHAIN_VULNERABILITIES.md with pyproject.toml after dependency bumps in #531 (nicegui) and #553 (nbconvert). No version constraints were changed — this is pure record-keeping.

What Was Reviewed

3 Documentation Updates:

All Critical Checks Passed:

  • Conventional commits (chore(docs): format)
  • Code quality (ruff check passed)
  • Security audit (make audit green, CVE-2026-3219 properly accepted)
  • Documentation accuracy (all CVEs match between doc and pyproject.toml)

Cross-Validation:

  • nicegui[native] constraint in pyproject.toml line 81 matches doc line 104
  • nbconvert constraint in pyproject.toml line 158 matches doc line 124
  • All inline CVE comments match "Protects against" columns

Verdict

✅ claude:review:passed

This is exemplary supply chain management — proactive (discovered by automated audit), thorough (all CVEs cross-referenced), and transparent (clear documentation of what changed and why).

Zero risk: No consumer-visible changes, only documentation brought into sync with reality.


📝 Full review posted as PR comment
🏷️ Label applied: claude:review:passed


Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

@claude claude Bot added the claude:review:passed Automated Claude PR review found no blocking issues on the current head commit label Apr 27, 2026

claude Bot commented Apr 27, 2026

🤖 Claude Code Review Complete

I've completed my review of this supply chain vulnerability documentation sync PR.

Summary

This PR correctly synchronizes the auditable record in SUPPLY_CHAIN_VULNERABILITIES.md with the actual dependency constraints in pyproject.toml after merges of #531 (nicegui 3.9.0→3.11.0) and #553 (nbconvert 7.17.0→7.17.1).

Key Property: No dependency version changes — constraints in pyproject.toml were already correct. This is purely a record-keeping fix to bring documentation into sync.

What Was Verified

Documentation Accuracy: All CVE references and version constraints in the doc table match pyproject.toml exactly
Security Audit: make audit passes (only CVE-2026-3219 properly accepted)
Code Quality: ruff check passes
Conventional Commits: Proper chore(docs): format
Zero Risk: No consumer-visible changes

Cross-Reference Validation

| Package | pyproject.toml | SUPPLY_CHAIN_VULNERABILITIES.md | Match |
|---|---|---|---|
| nicegui[native] | >=3.11.0,<4 (line 81) | >=3.11.0,<4 (line 104) | |
| nbconvert | >=7.17.1 (line 158) | >=7.17.1 (line 124) | |

All inline CVE comments match the "Protects against" columns.

Verdict

✅ claude:review:passed

This is exemplary supply chain management — proactive, thorough, and transparent. The PR description clearly explains the gap (doc lagged after bot PRs merged) and what changed (three documentation updates, zero version bumps).


Review completed by Claude Code


codecov Bot commented Apr 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.
see 20 files with indirect coverage changes
