httpx>=0.26.0
mcp[cli]==1.23.0
# Pulled in transitively by mcp; pin a patched floor for CVE-2026-48710 (BadHost
# Host-header auth bypass), vulnerable in starlette <= 1.0.0.
starlette>=1.0.1
python-dotenv>=1.1.0
requests>=2.32.3
Pillow>=10.0.0
pathlib>=1.0.1
python-dateutil>=2.8.2
