[MEDIUM] Dependency updates and PyIceberg pin #354
This issue tracks dependency updates and security maintenance identified in the audit.
Security-Maintained Dependencies
PyIceberg hard-pinned preventing security updates
Package: `pyiceberg==0.10.0` → 0.11.1 available
The hard `==` pin prevents security patches from being picked up by a lock upgrade. The package handles S3 credentials and catalog authentication, so it should be kept current.
Available Updates
| Package | Current | Latest | Priority |
|---|---|---|---|
| dagster | 1.12.17 | 1.12.22 | Medium |
| dlt | 1.22.2 | 1.24.0 | Medium |
| fastapi | 0.135.1 | 0.135.3 | Medium |
| uvicorn | 0.41.0 | 0.43.0 | Medium |
| ty | 0.0.1a23 | 0.0.28 | Medium |
| dbt-core | 1.11.6 | 1.11.7 | Low |
| sqlalchemy | 2.0.47 | 2.0.49 | Low |
| pandera | 0.29.0 | 0.30.1 | Low |
| deltalake | 1.4.2 | 1.5.0 | Low |
| duckdb | 1.4.4 | 1.5.1 | Low |
| trino | 0.336.0 | 0.337.0 | Low |
| grpcio | 1.78.0 | 1.80.0 | Low |
Security Status
No critical or high-severity CVEs identified in currently locked versions.
- jinja2 3.1.6: Clean (CVE-2024-22195 affects <3.1.3)
- requests 2.32.5: Clean
- urllib3 2.6.3: Clean
- certifi 2026.2.25: Latest CA bundle
- sqlalchemy 2.0.47: Clean
- pydantic 2.12.5: Current
Recommended Actions
- Evaluate PyIceberg 0.11.1 for compatibility and unpin or upgrade
- Run `uv lock --upgrade` in a feature branch
- Run the full test suite (`make check`)
- Address any PyIceberg compatibility issues
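As an added example (not part of this issue or the project's own tooling), the following script implements the three checks the audit performs by hand: finding `==` hard pins in a dependency list, listing locked packages that are behind the latest release, and evaluating a CVE's affected-version range (`<3.1.3` for jinja2) against the locked version. The dependency list and version maps are constructed inline from the table above; a real run would feed it the project's lock file and index metadata. The pre-release handling (`0.0.1a23` sorting below `0.0.28`) follows PEP 440 ordering for the a/b/rc tags only.

```python
"""Dependency-audit helpers: hard pins, stale versions, CVE range checks.

Example code added alongside the audit issue; the input data below is
constructed from the issue's table, not read from the project's lock file.
"""
import re

# PEP 440 pre-release tags, ranked below a final release of the same number.
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL_RANK = 3


def parse_version(text):
    """Parse 'X.Y.Z' with an optional a/b/rc suffix into a sortable tuple.

    Returns (release_tuple, (pre_rank, pre_number)); a final release ranks
    above any pre-release, so 0.0.1a23 < 0.0.1 < 0.0.28.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unsupported version: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    if len(release) < 3:
        # Pad so that 1.5 and 1.5.0 compare equal.
        release = release + (0,) * (3 - len(release))
    if m.group(2):
        pre = (_PRE_RANK[m.group(2)], int(m.group(3)))
    else:
        pre = (_FINAL_RANK, 0)
    return (release, pre)


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def version_matches(version, spec):
    """True if `version` satisfies one comparison specifier such as '<3.1.3'."""
    m = re.fullmatch(r"(<=|>=|==|<|>)\s*(\S+)", spec.strip())
    if not m:
        raise ValueError(f"unsupported specifier: {spec!r}")
    return _OPS[m.group(1)](parse_version(version), parse_version(m.group(2)))


def hard_pins(requirements):
    """Return package names pinned with '==', which block patch updates."""
    pinned = []
    for req in requirements:
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)\s*==\s*(\S+)", req.strip())
        if m:
            pinned.append(m.group(1).lower())
    return pinned


def outdated(locked, latest):
    """Return {name: (current, latest)} for each locked package behind `latest`."""
    result = {}
    for name, current in locked.items():
        newest = latest.get(name)
        if newest and parse_version(newest) > parse_version(current):
            result[name] = (current, newest)
    return result


# Constructed inputs taken from the issue's table; a real audit would read the
# project's requirement specifiers and locked versions instead.
REQUIREMENTS = ["pyiceberg==0.10.0", "dagster>=1.12", "ty>=0.0.1a23", "jinja2>=3.1"]
LOCKED = {"pyiceberg": "0.10.0", "dagster": "1.12.17", "ty": "0.0.1a23",
          "jinja2": "3.1.6", "duckdb": "1.4.4"}
LATEST = {"pyiceberg": "0.11.1", "dagster": "1.12.22", "ty": "0.0.28",
          "jinja2": "3.1.6", "duckdb": "1.5.1"}


def audit_report():
    """Summarise pins, stale packages and the jinja2 CVE-2024-22195 range check."""
    return {
        "hard_pins": hard_pins(REQUIREMENTS),
        "outdated": outdated(LOCKED, LATEST),
        # The issue states CVE-2024-22195 affects jinja2 <3.1.3; 3.1.6 is clean.
        "jinja2_affected": version_matches(LOCKED["jinja2"], "<3.1.3"),
    }


if __name__ == "__main__":
    for key, value in audit_report().items():
        print(f"{key}: {value}")
```

The hard-pin check is the one worth wiring into CI for this issue: a pin such as `pyiceberg==0.10.0` is only acceptable with a matching "why" comment and an expiry, otherwise `uv lock --upgrade` silently leaves the credential-handling package on an old release.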
Severity: P2 - Medium
Category: Dependencies
Audit Reference: AUDIT.md