Fix uv audit vulnerabilities

lat.md/architecture.md

@@ -28,6 +28,12 @@ The April 2026 benchmark on Apple Silicon shows the Rust extension as the best o
 
 Reproduction docs require contributors to record machine, OS, Python, and tool availability before comparing results. `benchmark_all.py` mixes library calls and CLI subprocesses intentionally, so its Go and Zig rows include process startup overhead.
 
+## Dependency security
+
+Dependency floors and lockfiles keep known vulnerable packages out of runtime and development environments.
+
+Runtime dependencies are declared in `pyproject.toml` and mirrored by `uv.lock`; legacy requirements inputs remain pinned for tooling that still consumes requirements files. Security fixes should update both resolver paths so `uv audit` and requirements-based installs agree.
+
 ## CLI entrypoint
 
 The CLI is a thin adapter that parses options, resolves one input source, and forwards those options into the same converter used by the library API.

pyproject.toml

@@ -29,7 +29,7 @@ classifiers = [
 ]
 dependencies = [
     "defusedxml",
-    "urllib3",
+    "urllib3>=2.7.0",
 ]
 
 [project.urls]
@@ -47,6 +47,7 @@ dev = [
     "pytest-cov",
     "coverage",
     "setuptools",
+    "pygments>=2.20.0",
     "xmltodict>=0.12.0",
 ]
 fast = ["json2xml-rs>=0.1.0"]

requirements-dev.in

@@ -7,4 +7,5 @@ pytest-xdist>=3.8.0
 coverage>=7.10.3
 ruff>=0.12.8
 setuptools>=80.9.0
+pygments>=2.20.0
 # Note: ty is run via uvx, not installed as a dependency

requirements-dev.txt

@@ -22,7 +22,7 @@ pluggy==1.5.0
     # via
     #   pytest
     #   pytest-cov
-pygments==2.19.2
+pygments==2.20.0
     # via pytest
 pytest==9.0.3
     # via
@@ -43,7 +43,7 @@ tomli==2.4.1
     #   pytest
 typing-extensions==4.15.0
     # via exceptiongroup
-urllib3==2.6.3
+urllib3==2.7.0
     # via -r requirements.in
 xmltodict==0.14.2
     # via -r requirements-dev.in

requirements.in

@@ -1,3 +1,3 @@
 defusedxml==0.7.1
-urllib3==2.6.3
+urllib3==2.7.0