ENG-3032: Bump deepdiff to ==8.6.2#7714

Merged
erosselli merged 2 commits into main from erosselli/ENG-3032
Mar 20, 2026

Conversation

@erosselli
Contributor

@erosselli erosselli commented Mar 20, 2026

Ticket ENG-3032

Description Of Changes

Bumps deepdiff from 8.6.1 to 8.6.2 to address CVE-2026-33155 (memory exhaustion DoS in pickle deserialization). Patch-level bump, no code changes needed.

Code Changes

  • Bump deepdiff==8.6.1 → deepdiff==8.6.2 in pyproject.toml
  • Regenerated uv.lock

Steps to Confirm

  1. CI passes — deepdiff usage is unchanged (only DeepDiff for dict comparison)

Pre-Merge Checklist

  • Issue requirements met
  • All CI pipelines succeeded
  • CHANGELOG.md updated
    • Updates unreleased work already in Changelog, no new entry necessary
  • UX feedback:
    • No UX review needed
  • Followup issues:
    • No followup issues
  • Database migrations:
    • No migrations
  • Documentation:
    • No documentation updates required

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@erosselli erosselli marked this pull request as ready for review March 20, 2026 18:17

@claude claude bot left a comment


Code Review — deepdiff security bump

No issues found. This is a clean, minimal security patch.

Summary

  • pyproject.toml: pins deepdiff to 8.6.2 (was 8.6.1) to address CVE-2026-33155.
  • uv.lock: hashes updated correctly for both the sdist and wheel artifacts.
  • changelog/7714-bump-deepdiff.yaml: changelog entry is present, correctly typed as Security, and references the CVE.

Observations

  • The version constraint uses == (exact pin), consistent with the existing project convention for this dependency. No change needed.
  • Lock file hashes match the PyPI upload timestamps (2026-03-18), confirming these correspond to the intended release.
  • No source code changes — this is a pure dependency update, so no functional testing or architecture concerns apply.

LGTM.

@greptile-apps
Contributor

greptile-apps bot commented Mar 20, 2026

Greptile Summary

This is a minimal, targeted security patch that bumps deepdiff from 8.6.1 to 8.6.2 to address CVE-2026-33155 (memory exhaustion DoS via pickle deserialization). The uv.lock is correctly regenerated and a changelog entry has been added.

  • pyproject.toml: version pin updated from ==8.6.1 → ==8.6.2
  • uv.lock: hashes and URLs for the new wheel/sdist are correct and match PyPI
  • changelog/7714-bump-deepdiff.yaml: properly typed as Security with the correct CVE reference
  • Minor: the PR title/description says >=8.6.2 but the specifier in pyproject.toml is still ==8.6.2 — worth aligning for clarity

Confidence Score: 5/5

  • Safe to merge — patch-level security bump with no API changes and a correctly regenerated lock file.
  • The change is a one-line version bump in pyproject.toml with a corresponding lock file regeneration. The new version is a patch release that only addresses a security CVE; no breaking changes are expected. The only minor issue is a cosmetic mismatch between the PR title (>=8.6.2) and the actual pin (==8.6.2).
  • No files require special attention.

Important Files Changed

  • pyproject.toml: Bumps deepdiff from ==8.6.1 to ==8.6.2 to patch CVE-2026-33155; note the PR title says >=8.6.2 but the pin remains exact (==).
  • uv.lock: Lock file correctly regenerated to reflect the new deepdiff 8.6.2 wheel and sdist with updated hashes and URLs.
  • changelog/7714-bump-deepdiff.yaml: New changelog entry correctly typed as Security and references the CVE and PR number.

Last reviewed commit: "Add changelog for PR..."

@erosselli erosselli changed the title ENG-3032: Bump deepdiff to >=8.6.2 ENG-3032: Bump deepdiff to ==8.6.2 Mar 20, 2026
@erosselli erosselli added this pull request to the merge queue Mar 20, 2026
Merged via the queue into main with commit d55be98 Mar 20, 2026
58 checks passed
@erosselli erosselli deleted the erosselli/ENG-3032 branch March 20, 2026 18:54
