fix: remediate Trivy dependency findings

[scale-ballen]

Summary

Remediates the Trivy high findings reported for AgentEx package locks.

Changes

• Raises backend python-multipart from >=0.0.26 to >=0.0.27 to resolve CVE-2026-42561.
• Adds a workspace uv override for mako>=1.3.12 so Alembic resolves the fixed Mako release for CVE-2026-44307.
• Regenerates public/uv.lock, which is the lockfile consumed by AgentEx backend Docker builds.
• Bumps AgentEx UI vite from 7.3.1 to 7.3.2 after a fresh Trivy pass surfaced two Vite high findings fixed in 7.3.2.

Validation

• uv lock --check
• uv export --frozen --no-dev --package agentex-backend --no-emit-package agentex-backend
  • confirmed mako==1.3.12
  • confirmed python-multipart==0.0.27
• Verified Vite lock metadata resolves to vite@7.3.2 with npm registry integrity.
• Reran Trivy over the AgentEx superproject worktree after this submodule update:
  • Critical: 0
  • High: 0
  • Medium: 11
  • Low: 2

Notes

Mako is not a direct runtime dependency of AgentEx; it is pulled via Alembic. The uv override is intentional so the resolver keeps Alembic but selects the fixed Mako version.

After disk space was recovered, reran npm install --package-lock-only --ignore-scripts from agentex-ui/. npm completed successfully and produced no additional lockfile drift beyond the intended vite@7.3.2 patch.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​vite@​7.3.1 ⏵ 7.3.2	+1	+23	+1	+2
	pypi/​python-multipart@​0.0.26 ⏵ 0.0.27	+1	+16

View full report