Sec/dependencies (#332)

* sec(deps): Don't use override-dependencies as this is not respected by uvx, but use regular dependency trees
* chore(gui): Don't use windowed mode for launchpad if on Python 3.14
* chore(wsi): Reject running wsi dicom commands on Python 3.14, given transitive dependency of highdicom not yet supported on that Python version

Author: helmut-hoffer-von-ankershoffen

pyproject.toml

@@ -71,6 +71,7 @@ classifiers = [
     "Natural Language :: English",
 ]
 
+# WARNING: The upper bound of requires-python is *not* respected by uvx
 requires-python = ">=3.11, <3.15"
 
 dependencies = [
@@ -96,7 +97,7 @@ dependencies = [
     "duckdb>=1.4.2,<=2",
     "google-cloud-storage>=3.6.0,<4",
     "crc32c>=2.8,<3", # TODO(Helmut): Remove and back to google_crc32c when that supports Python 3.14
-    "highdicom>=0.26.1,<1",
+    "highdicom>=0.26.1,<1; python_version < '3.14'", # transitive dependency pyjpegls not yet supporting Python 3.14
     "html-sanitizer>=2.6.0,<3",
     "httpx>=0.28.1,<1",
     "idc-index-data==23.0.1",
@@ -124,15 +125,32 @@ dependencies = [
     "truststore>=0.10.4,<1",
     "urllib3>=2.6.1,<3",
     "wsidicom>=0.28.1,<1",
+    # Transitive overrides
+    # WARNING: one cannot negate or downgrade a dependency required here. use override-dependencies for that.
+    "rfc3987; sys_platform == 'never'", # GPLv3
+    "h11>=0.16.0",                      # CVE-2025-43859
+    "tornado>=6.5.0",                   # CVE-2025-47287
+    "urllib3>=2.5.0",                   # CVE-2025-50181, CVE-2025-50182,
+    "pillow>=11.3.0",                   # CVE-2025-48379,
+    "aiohttp>=3.12.14",                 # CVE-2025-53643
+    "starlette>=0.47.2",                # CVE-2025-54121
+    "starlette>=0.49.1",                # GHSA-7f5h-v6xp-fcq8
+    "lxml>=6.0.2",                      # For python 3.14 pre-built wheels
 ]
 
 [project.optional-dependencies]
 pyinstaller = ["pyinstaller>=6.14.0,<7"]
-jupyter = ["jupyter>=1.1.1,<2"]
+jupyter = [
+    "jupyter>=1.1.1,<2",    
+    # Transitive overrides
+    # WARNING: one cannot negate or downgrade a dependency required here. use override-dependencies for that.
+    "jupyter-core>=5.8.1",              # CVE-2025-30167
+    "jupyterlab>=4.4.9",                # CVE-2025-59842
+]
 marimo = [
     "cloudpathlib>=0.23.0,<1",
     "ipython>=9.8.0,<10",
-    "marimo>=0.18.3,<1",
+    "marimo>=0.18.4,<1",
     "matplotlib>=3.10.7,<4",
     "shapely>=2.1.0,<3",
 ]
@@ -185,27 +203,18 @@ dev = [
     "types-pyyaml>=6.0.12.20250915,<7",
     "types-requests>=2.32.4.20250913,<3",
     "watchdog>=6.0.0,<7",
+    # Transitive overrides
+    # WARNING: one cannot negate or downgrade a dependency required here. use override-dependencies for that.
+    "pip>=5.3",                         # CVE-2025-8869  
+    "uv>=0.9.7",                        # CVE-2025-54368, GHSA-w476-p2h3-79g9, GHSA-pqhf-p39g-3x64
+    "fonttools>=4.60.2",                # CVE-2025-66034 (GHSA-768j-98cg-p3fv), dep of matplotlib
 ]
 
 [tool.uv]
 required-version = ">=0.9.7" # CVE-2025-54368, GHSA-w476-p2h3-79g9, GHSA-pqhf-p39g-3x64
+# WARNING: override-dependencies is *not* respected by uvx
 override-dependencies = [ # https://github.com/astral-sh/uv/issues/4422
-    "rfc3987; sys_platform == 'never'", # GPLv3
-    "h11>=0.16.0",                      # CVE-2025-43859
-    "tornado>=6.5.0",                   # CVE-2025-47287
-    "jupyter-core>=5.8.1",              # CVE-2025-30167
-    "urllib3>=2.5.0",                   # CVE-2025-50181, CVE-2025-50182,
-    "pillow>=11.3.0",                   # CVE-2025-48379,
-    "aiohttp>=3.12.14",                 # CVE-2025-53643
-    "starlette>=0.47.2",                # CVE-2025-54121
-    "uv>=0.9.7",                        # CVE-2025-54368, GHSA-w476-p2h3-79g9, GHSA-pqhf-p39g-3x64
-    "jupyterlab>=4.4.9",                # CVE-2025-59842
-    "pip>=5.3",                         # CVE-2025-8869  
-    "starlette>=0.49.1",                # GHSA-7f5h-v6xp-fcq8
-    "fonttools>=4.60.2",                # CVE-2025-66034 (GHSA-768j-98cg-p3fv), dep of matplotlib
-    "pyjpegls; python_version < '3.14'", # No Python 3.14 support yet
-    "pytest>=9.0.1",                    # pytest-md-report depends on pytest<9 unnecessarily
-    "lxml>=6.0.2",                      # For python 3.14 pre-built wheels
+    "pytest>=9.0.1",    # pytest-md-report depends on pytest<9 unnecessarily
 ]
 
 [tool.uv.sources]

src/aignostics/utils/_gui.py

@@ -73,6 +73,12 @@ def gui_run(  # noqa: PLR0913, PLR0917
         native = False
         show = True
 
+    # On Windows with python 3.14 don't use native mode due to pythonnet not yet
+    # supported
+    if native and platform.system() == "Windows" and platform.python_version_tuple() >= ("3", "14"):
+        native = False
+        show = True
+
     gui_register_pages()
 
     ui.run(

src/aignostics/wsi/_cli.py

@@ -12,6 +12,33 @@
 from ._service import Service
 from ._utils import print_slide_info, print_study_info
 
+# Python version for highdicom compatibility check
+_PYTHON_VERSION = f"{sys.version_info.major}.{sys.version_info.minor}"
+_HIGHDICOM_UNSUPPORTED_VERSIONS = {"3.14"}
+
+
+def _check_highdicom_available() -> bool:
+    """Check if highdicom is available (not supported on Python 3.14+).
+
+    Returns:
+        True if highdicom can be imported, False otherwise.
+    """
+    try:
+        from ._pydicom_handler import PydicomHandler  # noqa: PLC0415, F401
+
+        return True
+    except ImportError:
+        return False
+
+
+def _print_highdicom_unsupported_error() -> None:
+    """Print error message when highdicom is not available."""
+    console.print(f"[red]This command requires 'highdicom' which is not available on Python {_PYTHON_VERSION}.[/red]")
+    console.print("[yellow]Please run with Python 3.13 or earlier:[/yellow]")
+    console.print("[green]  uvx -p 3.13 aignostics wsi dicom <command> ...[/green]")
+    sys.exit(1)
+
+
 cli = typer.Typer(name="wsi", help="Operations on whole slide images.")
 
 
@@ -107,6 +134,10 @@ def dicom_inspect(
     summary: Annotated[bool, typer.Option(help="Show only summary information")] = False,
 ) -> None:  # pylint: disable=W0613
     """Inspect DICOM files at any hierarchy level."""
+    if not _check_highdicom_available():
+        _print_highdicom_unsupported_error()
+        return
+
     from ._pydicom_handler import PydicomHandler  # noqa: PLC0415
 
     try:
@@ -139,6 +170,10 @@ def dicom_geojson_import(
     geojson_path: Annotated[Path, typer.Argument(help="Path to the GeoJSON file", exists=True)],
 ) -> None:  # pylint: disable=W0613
     """Import GeoJSON annotations into DICOM ANN instance."""
+    if not _check_highdicom_available():
+        _print_highdicom_unsupported_error()
+        return
+
     from ._pydicom_handler import PydicomHandler  # noqa: PLC0415
 
     try:

tests/aignostics/cli_test.py

@@ -213,6 +213,12 @@ def mock_app_mount(path, app_instance):
                 "show_welcome_message parameter should be True when native is False"
             )
             assert mock_ui_run_args["show"] is True, "show parameter should be True when native is False"
+        elif platform.system() == "Windows" and platform.python_version_tuple() >= ("3", "14"):
+            assert mock_ui_run_args["native"] is False, "native parameter should be False on Windows"
+            assert mock_ui_run_args["show_welcome_message"] is True, (
+                "show_welcome_message parameter should be True when native is False"
+            )
+            assert mock_ui_run_args["show"] is True, "show parameter should be True when native is False"
         else:
             assert mock_ui_run_args["native"] is True, "native parameter should be True on platforms other than Linux"
             assert mock_ui_run_args["show_welcome_message"] is False, (

tests/aignostics/wsi/cli_test.py

@@ -15,6 +15,12 @@
 THUMBNAIL_UID = "1.3.6.1.4.1.5962.99.1.1038911754.1238045814.1637421484298.15.0"
 SMALL_PYRAMIDAL_STUDY_UID = "Study: 2.25.150973379448125660359643882019624926008"
 
+# Skip tests requiring highdicom on Python 3.14+ (highdicom not yet supported)
+SKIP_HIGHDICOM_PYTHON_314 = pytest.mark.skipif(
+    sys.version_info[:2] >= (3, 14),
+    reason="highdicom is not available on Python 3.14+",
+)
+
 
 @pytest.mark.integration
 @pytest.mark.timeout(timeout=60 * 5)
@@ -36,6 +42,7 @@ def test_inspect_openslide_dicom(runner: CliRunner, record_property) -> None:
     )
 
 
+@SKIP_HIGHDICOM_PYTHON_314
 @pytest.mark.skipif(
     sys.platform == "win32" and platform.machine().lower() in {"arm64", "aarch64"} and sys.version_info[:2] == (3, 12),
     reason="Skipping on Windows ARM with Python 3.12.x",
@@ -57,6 +64,7 @@ def test_inspect_pydicom_directory_non_verbose(runner: CliRunner, record_propert
     )
 
 
+@SKIP_HIGHDICOM_PYTHON_314
 @pytest.mark.skipif(
     platform.system() == "Windows"
     and platform.machine().lower() in {"arm64", "aarch64"}
@@ -84,6 +92,7 @@ def test_inspect_pydicom_directory_verbose(runner: CliRunner, record_property) -
     )
 
 
+@SKIP_HIGHDICOM_PYTHON_314
 @pytest.mark.skipif(
     platform.system() == "Windows"
     and platform.machine().lower() in {"arm64", "aarch64"}
@@ -101,6 +110,7 @@ def test_inspect_pydicom_single_file_non_verbose(runner: CliRunner, record_prope
     assert SMALL_PYRAMIDAL_STUDY_UID in result.output
 
 
+@SKIP_HIGHDICOM_PYTHON_314
 @pytest.mark.skipif(
     platform.system() == "Windows"
     and platform.machine().lower() in {"arm64", "aarch64"}
@@ -125,6 +135,7 @@ def test_inspect_pydicom_single_file_verbose(runner: CliRunner, record_property)
     )
 
 
+@SKIP_HIGHDICOM_PYTHON_314
 @pytest.mark.skipif(
     platform.system() == "Windows"
     and platform.machine().lower() in {"arm64", "aarch64"}
@@ -165,6 +176,7 @@ def test_wsi_inspect_error_handling(runner: CliRunner, record_property) -> None:
         assert str(file_path) in normalize_output(result.output)
 
 
+@SKIP_HIGHDICOM_PYTHON_314
 @pytest.mark.integration
 @pytest.mark.timeout(timeout=60 * 5)
 def test_wsi_dicom_inspect_error_handling(runner: CliRunner, record_property) -> None:
@@ -184,6 +196,7 @@ def test_wsi_dicom_inspect_error_handling(runner: CliRunner, record_property) ->
         assert "Invalid DICOM structure" in normalize_output(result.output)
 
 
+@SKIP_HIGHDICOM_PYTHON_314
 @pytest.mark.integration
 @pytest.mark.timeout(timeout=60 * 5)
 def test_wsi_dicom_geojson_import_error_handling(runner: CliRunner, record_property) -> None: