fix(deps): update dependency python to v3.14.5 #69

Merged: koki-develop merged 1 commit into main from renovate/python-3.x on May 30, 2026

@renovate renovate Bot commented May 29, 2026

This PR contains the following updates:

Package | Update | Change
python (source) | patch | 3.14.4 → 3.14.5

Release Notes

python/cpython (python)

v3.14.5

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
    • Only on Sunday and Saturday (* * * * 0,6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Python 3.14.5 (Released: May 10, 2026)

This is a maintenance patch release containing approximately 154 bugfixes, build improvements, and documentation changes since 3.14.4.

Major Changes:

  • Garbage Collector Reversion: The most significant change is the reversion of the incremental GC (introduced in 3.14.0-3.14.4) back to the generational collector from Python 3.13 due to "significant memory pressure in production environments." This is a positive stability change that improves memory behavior.
  • Tcl/Tk Update: macOS installer upgraded from Tcl/Tk 8.6.17 to 9.0.3 (not relevant for this Linux-based sandbox).
  • OpenSSL Updates: All platforms (including Linux) updated to OpenSSL 3.5.6 from previous versions.

Security Fixes:

  1. CVE-2026-45186: Updated bundled libexpat to version 2.8.1
  2. CVE-2021-4189: ftplib.ftpcp() no longer trusts IPv4 addresses from PASV responses by default
  3. tarfile.data_filter(): Path-traversal vulnerability fixes for link validation

Important Bug Fixes:

  • Fixed use-after-free crash with unicodedata module
  • Fixed multiple race conditions in free-threading mode (_PyBytes_FromList, memoryview, ssl.SSLContext.sni_callback, etc.)
  • Fixed concurrent modification issues in pickle and json modules
  • Fixed zipfile to preserve non-UTF-8 encoded filenames
  • Upgraded bundled pip to 26.1.1

Breaking Changes:

  • No documented breaking changes between 3.14.4 and 3.14.5
  • All changes are backward-compatible bug fixes and security patches

🎯 Impact Scope Investigation

Python Usage in Codebase:

  • Runtime Configuration: Python is defined as a runtime in internal/sandbox/runtime.go:148,298-343
  • Docker Build: Python 3.14.5 is installed via mise in the Docker image (Dockerfile:66-69)
  • Development Environment: Python version specified in mise.toml:10
  • Execution Path: Python scripts execute via /mise/installs/python/current/bin/python3 with isolated namespace and resource limits

Python Runtime Implementation:

  • Uses standard CPython interpreter with no custom patches
  • No Python version-specific API calls or dependencies in the Go codebase
  • Runtime limits: 1024 MiB AS, 64 MiB Fsize, 256 MiB physical memory (cgroup)
  • Bind mounts only the Python installation directory (read-only)
  • No restricted files or dependency management (unlike Node.js/Ruby runtimes)

E2E Test Coverage:

  • Comprehensive test suite exists: e2e/tests/runtime/python.yml (14 test cases)
  • Tests cover: stdout/stderr, exit codes, multi-file imports, JSON parsing, exceptions, stdin handling
  • Additional stdin test: e2e/tests/runtime/python_stdin.yml

Dependency Impact:

  • ✅ No Go package dependencies on Python
  • ✅ No configuration files tied to specific Python versions
  • ✅ No Python packages pre-installed (unlike Node.js with npm packages or Ruby with gems)
  • ✅ The sandbox executes arbitrary user-provided Python code without dependency management

Compatibility Analysis:

  • The GC reversion improves stability and reduces memory pressure (benefits sandbox workloads)
  • Security fixes (libexpat, ftplib, tarfile) harden the runtime without breaking compatibility
  • Bug fixes for race conditions improve reliability in concurrent execution scenarios
  • No Python language syntax or API changes between 3.14.4 and 3.14.5

💡 Recommended Actions

Immediate Actions:

  1. Safe to merge immediately - This is a backward-compatible maintenance release with no breaking changes
  2. ✅ Run existing E2E test suite to verify Python runtime functionality (recommended but low risk)
  3. ✅ Monitor the deployment for improved memory behavior due to GC reversion

Post-Merge Validation:

  • Execute go test -tags e2e ./e2e/... -run Python to verify all Python tests pass
  • Verify Docker build completes successfully with the new version
  • Confirm sandbox resource limits remain effective under the reverted GC

No Code Changes Required:

  • ✅ No application code modifications needed
  • ✅ No configuration file updates required
  • ✅ No test updates necessary

🔗 Reference Links

Generated by koki-develop/claude-renovate-review

@koki-develop koki-develop merged commit 0fdc98e into main May 30, 2026
10 checks passed
@koki-develop koki-develop deleted the renovate/python-3.x branch May 30, 2026 00:54