## Summary

The lockfile `requirements.hashes.source.txt` was updated to pin `pypdf==6.10.2` as part of a CVE fix (PR #1528), but the corresponding constraint in `pyproject.toml` (Line 163) still reads `pypdf>=6.9.2`.

## Problem

If the lockfiles are regenerated (e.g., via `make konflux-requirements`), `uv pip compile` will re-read `pyproject.toml` and could resolve a vulnerable version of pypdf. This undermines defense-in-depth for the CVE fix.

## Suggested Fix

Update the dependency entry in `pyproject.toml` from:

```
pypdf>=6.9.2
```

to:

```
pypdf>=6.10.2
```

This ensures all dependency resolution paths, including lock file regeneration and direct installs, enforce the safe floor version.

## References

- PR: https://github.com/lightspeed-core/lightspeed-stack/pull/1528
- Review comment: https://github.com/lightspeed-core/lightspeed-stack/pull/1528#discussion_r3106654293

/cc @tisnik
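The drift described above can be caught mechanically in CI. The following is an added example, not code from the lightspeed-stack repository: it parses `>=` floors from a `pyproject.toml` snippet and `==` pins from a hashed lockfile, and reports any package whose declared floor is lower than its pinned version. It generalizes to every package, not just pypdf; the two input documents and the hash values are constructed placeholders.

```python
# Added example (not from the lightspeed-stack repo): detect a pyproject.toml
# floor that is lower than the version pinned in a hashed lockfile.
# Both inputs below are constructed to mirror the situation in this issue.
import re

PYPROJECT = """
[project]
dependencies = [
    "pypdf>=6.9.2",
    "requests>=2.32.0",
]
"""

LOCKFILE = """
pypdf==6.10.2 \\
    --hash=sha256:PLACEHOLDER_HASH_NOT_A_REAL_VALUE
requests==2.32.0 \\
    --hash=sha256:PLACEHOLDER_HASH_NOT_A_REAL_VALUE
"""


def parse_version(v: str) -> tuple:
    """Turn '6.10.2' into (6, 10, 2) so comparison is numeric, not lexical."""
    return tuple(int(p) for p in v.split("."))


def pyproject_floors(text: str) -> dict:
    """Map package name -> lower bound declared with '>=' in pyproject.toml."""
    return dict(re.findall(r'"([A-Za-z0-9_.-]+)>=([0-9.]+)"', text))


def lockfile_pins(text: str) -> dict:
    """Map package name -> exact version pinned with '==' in the lockfile."""
    return dict(re.findall(r"^([A-Za-z0-9_.-]+)==([0-9.]+)", text, re.M))


def find_drift(pyproject: str, lockfile: str) -> dict:
    """Return {name: (floor, pin)} where the floor is below the lockfile pin.

    A regenerated lockfile may resolve any version >= floor, so a floor below
    the pinned (fixed) version reopens the window the pin was meant to close.
    """
    floors = pyproject_floors(pyproject)
    drift = {}
    for name, pinned in lockfile_pins(lockfile).items():
        floor = floors.get(name)
        if floor is not None and parse_version(floor) < parse_version(pinned):
            drift[name] = (floor, pinned)
    return drift


if __name__ == "__main__":
    for name, (floor, pinned) in find_drift(PYPROJECT, LOCKFILE).items():
        print(f"{name}: pyproject floor >={floor} is below lockfile pin =={pinned}")
```

Run against the real files, a non-empty result is a signal that the constraint, not only the lock, needs raising.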