chore(sdk,mcp): pin direct dependencies to exact versions

api/CHANGELOG.md

@@ -11,6 +11,10 @@ All notable changes to the **Prowler API** are documented in this file.
 - `VALKEY_SCHEME`, `VALKEY_USERNAME`, and `VALKEY_PASSWORD` environment variables to configure Celery broker TLS/auth connection details for Valkey/ElastiCache [(#10420)](https://github.com/prowler-cloud/prowler/pull/10420)
 - `Vercel` provider support [(#10190)](https://github.com/prowler-cloud/prowler/pull/10190)
 
+### 🔐 Security
+
+- Bump `authlib` from 1.6.6 to 1.6.9 to fix CVE-2026-28802 (JWT `alg: none` validation bypass) [(#10593)](https://github.com/prowler-cloud/prowler/pull/10593)
+
 ### 🔄 Changed
 
 - Attack Paths: Periodic cleanup of stale scans with dead-worker detection via Celery inspect, marking orphaned `EXECUTING` scans as `FAILED` and recovering `graph_data_ready` [(#10387)](https://github.com/prowler-cloud/prowler/pull/10387)

docs/developer-guide/introduction.mdx

@@ -163,6 +163,8 @@ These resources help ensure that AI-assisted contributions maintain consistency
 
 All dependencies are listed in the `pyproject.toml` file.
 
+The SDK keeps direct dependencies pinned to exact versions, while `poetry.lock` records the full resolved dependency tree and the artifact hashes for every package. Use `poetry install` from the lock file instead of ad-hoc `pip` installs when you need a reproducible environment.
+
 For proper code documentation, refer to the following and follow the code documentation practices presented there: [Google Python Style Guide - Comments and Docstrings](https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings).
 
 <Note>

mcp_server/CHANGELOG.md

@@ -8,6 +8,10 @@ All notable changes to the **Prowler MCP Server** are documented in this file.
 
 - Resource events tool to get timeline for a resource (who, what, when) [(#10412)](https://github.com/prowler-cloud/prowler/pull/10412)
 
+### 🔄 Changed
+
+- Pin `httpx` dependency to exact version for reproducible installs [(#10593)](https://github.com/prowler-cloud/prowler/pull/10593)
+
 ### 🔐 Security
 
 - `authlib` bumped from 1.6.5 to 1.6.9 to fix CVE-2026-28802 (JWT `alg: none` validation bypass) [(#10579)](https://github.com/prowler-cloud/prowler/pull/10579)

mcp_server/pyproject.toml

@@ -5,7 +5,7 @@ requires = ["setuptools>=61.0", "wheel"]
 [project]
 dependencies = [
   "fastmcp==2.14.0",
-  "httpx>=0.28.0"
+  "httpx==0.28.1"
 ]
 description = "MCP server for Prowler ecosystem"
 name = "prowler-mcp"

prowler/CHANGELOG.md

@@ -24,6 +24,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 
 - Added `internet-exposed` category to 13 AWS checks (CloudFront, CodeArtifact, EC2, EFS, RDS, SageMaker, Shield, VPC) [(#10502)](https://github.com/prowler-cloud/prowler/pull/10502)
 - Minimum Python version from 3.9 to 3.10 and updated classifiers to reflect supported versions (3.10, 3.11, 3.12) [(#10464)](https://github.com/prowler-cloud/prowler/pull/10464)
+- Pin direct SDK dependencies to exact versions and rely on `poetry.lock` artifact hashes for reproducible installs [(#10593)](https://github.com/prowler-cloud/prowler/pull/10593)
 
 ### 🐞 Fixed
 

pyproject.toml

@@ -49,11 +49,11 @@ dependencies = [
   "cryptography==46.0.6",
   "dash==3.1.1",
   "dash-bootstrap-components==2.0.3",
-  "defusedxml>=0.7.1",
+  "defusedxml==0.7.1",
   "detect-secrets==1.5.0",
   "dulwich==0.23.0",
   "google-api-python-client==2.163.0",
-  "google-auth-httplib2>=0.1,<0.3",
+  "google-auth-httplib2==0.2.0",
   "jsonschema==4.23.0",
   "kubernetes==32.0.1",
   "markdown==3.10.2",
@@ -63,9 +63,9 @@ dependencies = [
   "openstacksdk==4.2.0",
   "pandas==2.2.3",
   "py-ocsf-models==0.8.1",
-  "pydantic (>=2.0,<3.0)",
+  "pydantic==2.12.5",
   "pygithub==2.8.0",
-  "python-dateutil (>=2.9.0.post0,<3.0.0)",
+  "python-dateutil==2.9.0.post0",
   "pytz==2025.1",
   "schema==0.7.5",
   "shodan==1.31.0",