From 3b73a2cc80b184e349ff81783ba04c00e29fa6eb Mon Sep 17 00:00:00 2001
From: bartzbeielstein <32470350+bartzbeielstein@users.noreply.github.com>
Date: Sun, 15 Mar 2026 19:18:38 +0100
Subject: [PATCH 1/2] Update uv.lock

---
 uv.lock | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/uv.lock b/uv.lock
index b7864c09..17e0b664 100644
--- a/uv.lock
+++ b/uv.lock
@@ -2795,7 +2795,7 @@ wheels = [
 [[package]]
 name = "spotoptim"
-version = "0.8.0"
+version = "0.10.0"
 source = { editable = "." }
 dependencies = [
 { name = "black" },

From 4f76eaed7308a76efaf62c06b4d4d76c2bb7dad0 Mon Sep 17 00:00:00 2001
From: bartzbeielstein <32470350+bartzbeielstein@users.noreply.github.com>
Date: Sun, 15 Mar 2026 19:25:58 +0100
Subject: [PATCH 2/2] fix(security): address Scorecard supply-chain findings

- Pin codeql-action steps to full commit SHA (v3.32.6) to fix Pinned-Dependencies check
- Add top-level `permissions: read-all` to fix Token-Permissions check
- Bump scikit-learn minimum to >=1.5.0 to fix PYSEC-2024-110 / GHSA-jw8x-6495-233v (CVE-2024-5206)

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/codeql.yml | 8 +++++---
 pyproject.toml | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 44eb831c..b73a5158 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -12,6 +12,8 @@ on:
 schedule:
 - cron: "30 1 * * 1" # Weekly on Monday
+permissions: read-all
+
 jobs:
 analyze:
 name: Analyze (python)
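Review bot: The top-level `permissions: read-all` added in this hunk drops the default write grants for every job, so the `analyze` job must declare `security-events: write` itself or the `github/codeql-action/analyze` step in the next hunk will no longer be able to upload its SARIF results to code scanning. The job's own `permissions:` block, if it has one, falls between the two hunks and is not visible here; if it is absent, add under `analyze:` the job-level scopes `permissions:` / `  contents: read` / `  security-events: write` (the CodeQL template also grants `actions: read` and `packages: read`). The read-all baseline at the top is the right default and should stay; only the upload step needs the one write scope. The `analyze` job definition continues outside this hunk.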
@@ -26,15 +28,15 @@ jobs:
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@820e3160e279568db735cee8ed8f8e77a6da7818 # v3.32.6
 with:
 languages: python
 queries: security-extended
 - name: Autobuild
- uses: github/codeql-action/autobuild@v3
+ uses: github/codeql-action/autobuild@820e3160e279568db735cee8ed8f8e77a6da7818 # v3.32.6
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@820e3160e279568db735cee8ed8f8e77a6da7818 # v3.32.6
 with:
 category: /language:python
diff --git a/pyproject.toml b/pyproject.toml
index 141d6bfd..54a6e22c 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -16,7 +16,7 @@ requires-python = ">=3.13"
 dependencies = [
 "numpy>=1.24.3",
 "scipy>=1.10.1",
- "scikit-learn>=1.3.0",
+ "scikit-learn>=1.5.0",
 # MkDocs dependencies removed — documentation now uses Quarto + quartodoc.
 # Install doc-build tools via: pip install spotoptim[docs]
 # or: pip install -r requirements-docs.txt
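Review bot: Raising the floor to `"scikit-learn>=1.5.0"` changes spotoptim's declared requirements, but `uv.lock` is not regenerated in this commit (the first patch in the series only touches the `spotoptim` version entry), so an install driven by the lock will most likely still carry whatever scikit-learn was resolved under the old `>=1.3.0` constraint, and a strict locked sync may refuse because the lock's recorded requirements no longer match pyproject.toml. Re-run the lock step and commit the updated `uv.lock` alongside this change so the fix actually reaches environments built from it. A short why-comment on the line would also help future readers, since the rest of this array already documents its history: `"scikit-learn>=1.5.0",  # floor raised for PYSEC-2024-110 / CVE-2024-5206`. The advisory identifiers are taken from the commit message; confirm 1.5.0 is the first fixed release before relying on the comment.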