Symptom

The repo’s security tab still showed a handful of open Dependabot alerts even though the recent QA-Sec fix train (netty, jackson, logback, bouncycastle, log4j2, commons-lang3) had landed. Reviewed against the actual manifests, they split into two buckets: alerts already mitigated on main (Maven pins/floors in gradle/libs.versions.toml + build.gradle.kts that GitHub’s manifest parser cannot see resolving), and two genuinely-open vulnerable dependencies in the non-JVM manifests:

Root cause

Two seams let patched-elsewhere dependencies stay vulnerable here:

  1. The Kotlin/Wasm toolchain pins exact ws versions per requester, so two side-by-side ws entries aged in the autogenerated lockfile with no resolution() override to unify them past the patched floor.
  2. requests fixed CVE-2026-25645 only in 2.33.0+, which requires Python >= 3.10. As long as lambdas/python declared 3.9 support, uv dutifully kept a second, permanently-unfixable requests 2.32.x resolution branch in the lockfile.

Fix

Prevention