5.12.8
(chore): Bump Poetry from 1.8.5 to 2.4.1 in the python-sdk and pydantic-model
container images. Clears CVE-2026-34591 (Poetry <2.3.3 stored credentials
in cleartext when keyring storage was unavailable). pyproject.toml’s
poetry-core constraint moves from ^1.9.0 to ^2.0.0 to stay in
lockstep with Poetry 2.4.1’s bundled poetry-core 2.4.0 under
virtualenvs.create=false. poetry.lock regenerated under Poetry 2.4.1.
5.12.7
(chore): Patch the bundled ip-address to v10.2.0 in the python-sdk container to
address CVE-2026-42338 / GHSA-v2v4-37r5-5v8g (XSS in Address6 HTML-
emitting methods). npm 11.12.1 (shipped with node:24.15) bundles
ip-address@10.1.0 via socks; this overlays the published 10.2.0
tarball in place at image build time. Also bumps the container-level
pip to 26.1 to clear CVE-2025-8869, CVE-2026-3219, CVE-2026-6357, and
CVE-2026-1703 (self-update flaw running after wheel install). Poetry
stays at 1.8.5 because pyproject.toml’s virtualenvs.create=false flow
requires poetry-core ^1.9.0.
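
Added example, not part of the project's changelog or code: a small image gate built only from the versions named in the 5.12.7 and 5.12.8 entries. It shows why the poetry-core constraint had to move together with the Poetry bump. The function names, dictionary keys and sample inventories are assumptions constructed for illustration; the pip and ip-address floors are simply the versions these entries moved to.

```python
# Minimum versions taken from the changelog entries above.
FLOORS = {
    "poetry": "2.3.3",       # CVE-2026-34591 affects Poetry <2.3.3
    "ip-address": "10.2.0",  # version overlaid for CVE-2026-42338
    "pip": "26.1",           # container-level pip after the 5.12.7 bump
}

def parse(version):
    """'2.4.1' -> (2, 4, 1); short versions such as '26.1' are zero-padded."""
    parts = [int(p) for p in version.split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def caret_allows(constraint, version):
    """Caret rule for full X.Y.Z constraints: allow >=X.Y.Z up to the next
    bump of the left-most non-zero component."""
    low = parse(constraint.lstrip("^"))
    idx = next((i for i, p in enumerate(low) if p != 0), len(low) - 1)
    high = low[:idx] + (low[idx] + 1,) + (0,) * (len(low) - idx - 1)
    return low <= parse(version) < high

def audit(observed, core_constraint=None, bundled_core=None):
    """Return findings for an observed tool inventory of one image."""
    findings = []
    for name, floor in FLOORS.items():
        have = observed.get(name)
        if have is None:
            findings.append(f"{name}: not reported")
        elif parse(have) < parse(floor):
            findings.append(f"{name} {have} is below {floor}")
    # With virtualenvs.create=false the bundled poetry-core must satisfy
    # the poetry-core constraint in pyproject.toml.
    if core_constraint and bundled_core and not caret_allows(core_constraint, bundled_core):
        findings.append(f"poetry-core {bundled_core} violates {core_constraint}")
    return findings

# Constructed inventories mirroring the states the changelog describes.
IMAGE_5_12_7 = {"poetry": "1.8.5", "ip-address": "10.2.0", "pip": "26.1"}
IMAGE_5_12_8 = {"poetry": "2.4.1", "ip-address": "10.2.0", "pip": "26.1"}

if __name__ == "__main__":
    print(audit(IMAGE_5_12_7))                    # Poetry still below 2.3.3
    print(audit(IMAGE_5_12_8, "^1.9.0", "2.4.0"))  # bump without moving the constraint
    print(audit(IMAGE_5_12_8, "^2.0.0", "2.4.0"))  # state after 5.12.8
```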