From 9f9a7cf66b2790e115e7987f7448a63ce1779fd4 Mon Sep 17 00:00:00 2001
From: sokumon
Date: Thu, 22 Jan 2026 11:23:36 +0530
Subject: [PATCH 1/3] chore: bump weasyprint
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pyproject.toml b/pyproject.toml
index fae18e6cec..fe978601b8 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -26,7 +26,7 @@ dependencies = [
 "PyQRCode~=1.2.1",
 "PyYAML~=6.0.3",
 "RestrictedPython~=8.1",
- "WeasyPrint==66.0",
+ "WeasyPrint==68.0",
 "pydyf==0.12.1",
 "Werkzeug==3.1.5",
 "Whoosh~=2.7.4",
From a2604cfff576c1d4ccd4395f18a58effd493b254 Mon Sep 17 00:00:00 2001
From: Sagar Vora <16315650+sagarvora@users.noreply.github.com>
Date: Fri, 23 Jan 2026 05:09:36 +0530
Subject: [PATCH 2/3] revert: undo ignore vuln
---
 .github/workflows/linters.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
index 3ce157aec6..b9563979b5 100644
--- a/.github/workflows/linters.yml
+++ b/.github/workflows/linters.yml
@@ -95,7 +95,7 @@ jobs:
 run: |
 pip install pip-audit
 cd ${GITHUB_WORKSPACE}
- pip-audit --desc on --ignore-vuln PYSEC-2023-312 --ignore-vuln CVE-2025-68616 .
+ pip-audit --desc on --ignore-vuln PYSEC-2023-312 .
 precommit:
 name: 'Pre-Commit'
From b66e899d351b7fc8e5f6589e2273d3cc4478f631 Mon Sep 17 00:00:00 2001
From: Sagar Vora <16315650+sagarvora@users.noreply.github.com>
Date: Fri, 23 Jan 2026 05:11:10 +0530
Subject: [PATCH 3/3] build: pin tinycss2 dependency manually
---
 pyproject.toml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pyproject.toml b/pyproject.toml
index fe978601b8..e076edf958 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -27,12 +27,14 @@ dependencies = [
 "PyYAML~=6.0.3",
 "RestrictedPython~=8.1",
 "WeasyPrint==68.0",
+ # we don't use tinycss2 directly, but pinned to ensure compatibility with WeasyPrint and bleach
+ "tinycss2~=1.5.1,<1.6",
 "pydyf==0.12.1",
 "Werkzeug==3.1.5",
 "Whoosh~=2.7.4",
 "beautifulsoup4~=4.13.5",
 "bleach-allowlist~=1.0.3",
- "bleach[css]~=6.3.0",
+ "bleach~=6.3.0",
 "chardet~=5.2.0",
 "croniter~=6.0.0",
 "cryptography~=46.0.3",
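Review bot: In the new tinycss2 pin, `~=1.5.1` already excludes 1.6, so the extra `<1.6` adds nothing; `"tinycss2~=1.5.1",` expresses the same range. The larger concern is the switch from `bleach[css]` to `bleach`: that extra is how bleach declares the tinycss2 range its CSS sanitizer supports, so dropping it presumably silences a resolver conflict with WeasyPrint 68.0 rather than resolving it, and any CSS sanitizing done through bleach would then run on a tinycss2 version bleach has not declared support for. The comment should record that reason and the exit condition, e.g. `# bleach's css extra dropped: its tinycss2 bound conflicts with WeasyPrint 68.0; re-add the extra once bleach accepts tinycss2 1.5`, and a regression test that exercises bleach's CSS sanitizer against this pin would be worth adding. The dependencies array begins and ends outside the hunk.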