requirements/base.txt

# Core Flask
Flask==3.0.0
Werkzeug==3.0.6  # CVE-2024-34069 (debug-server RCE); stays <3.1 for Flask 3.0 compat

# Database
SQLAlchemy==2.0.23
Flask-SQLAlchemy==3.1.1
Flask-Migrate==4.0.5
psycopg2-binary==2.9.9

# Validation & Serialization
marshmallow==3.20.1
Flask-Marshmallow==0.15.0
marshmallow-sqlalchemy==0.29.0

# Security
bcrypt==4.2.0
Flask-Bcrypt==1.0.1
pyotp==2.9.0

# WebAuthn / FIDO2
# fido2 removed: unused in the codebase (WebAuthn is parsed directly via cbor2),
# and it pinned cryptography<44, blocking the CVE-2026-26007 fix. Re-add fido2>=2.2.0
# if migrating to the official library.
cbor2==5.9.0  # CVE-2024-26134, CVE-2026-26209 (DoS via recursion)

# JWT / OIDC
PyJWT==2.13.0  # CVE-2026-48526 (auth bypass via forged JWT), CVE-2026-32597
cryptography==43.0.3  # capped <44 by sshkey-tools 0.11.3; see .trivyignore for CVE-2026-26007

# CORS
Flask-CORS==6.0.0  # CVE-2024-6221 (ACAO handling)

# Environment variables
python-dotenv==1.0.0

# UUID
shortuuid==1.0.11

# Date/Time
python-dateutil==2.8.2

# Redis (for sessions)
redis==5.0.1
Flask-Session==0.5.0

# Rate limiting
Flask-Limiter==3.5.0

# Logging
python-json-logger==2.0.7
qrcode[pil]

# HTTP requests
requests>=2.31.0

# SSH CA Certificate signing
sshkey-tools==0.11.3
inital 2026-01-08 01:00:26 +10:30			`# Core Flask`
			`Flask==3.0.0`
ci: add ansible and CICD deployment 2026-06-23 07:15:42 +00:00			`Werkzeug==3.0.6 # CVE-2024-34069 (debug-server RCE); stays <3.1 for Flask 3.0 compat`
inital 2026-01-08 01:00:26 +10:30
			`# Database`
			`SQLAlchemy==2.0.23`
			`Flask-SQLAlchemy==3.1.1`
			`Flask-Migrate==4.0.5`
			`psycopg2-binary==2.9.9`

			`# Validation & Serialization`
			`marshmallow==3.20.1`
			`Flask-Marshmallow==0.15.0`
			`marshmallow-sqlalchemy==0.29.0`

			`# Security`
Chore(Fix): Package dependency 2026-02-28 19:19:42 +05:45			`bcrypt==4.2.0`
inital 2026-01-08 01:00:26 +10:30			`Flask-Bcrypt==1.0.1`
feat(auth): implement TOTP two-factor authentication with enrollment and verification 2026-01-14 18:06:17 +10:30			`pyotp==2.9.0`
inital 2026-01-08 01:00:26 +10:30
move app to gatehouse-app 2026-01-15 03:40:29 +10:30			`# WebAuthn / FIDO2`
ci: add ansible and CICD deployment 2026-06-23 07:15:42 +00:00			`# fido2 removed: unused in the codebase (WebAuthn is parsed directly via cbor2),`
			`# and it pinned cryptography<44, blocking the CVE-2026-26007 fix. Re-add fido2>=2.2.0`
			`# if migrating to the official library.`
			`cbor2==5.9.0 # CVE-2024-26134, CVE-2026-26209 (DoS via recursion)`
move app to gatehouse-app 2026-01-15 03:40:29 +10:30
major checkpoint 2026-01-08 15:59:53 +10:30			`# JWT / OIDC`
ci: add ansible and CICD deployment 2026-06-23 07:15:42 +00:00			`PyJWT==2.13.0 # CVE-2026-48526 (auth bypass via forged JWT), CVE-2026-32597`
			`cryptography==43.0.3 # capped <44 by sshkey-tools 0.11.3; see .trivyignore for CVE-2026-26007`
major checkpoint 2026-01-08 15:59:53 +10:30
inital 2026-01-08 01:00:26 +10:30			`# CORS`
ci: add ansible and CICD deployment 2026-06-23 07:15:42 +00:00			`Flask-CORS==6.0.0 # CVE-2024-6221 (ACAO handling)`
inital 2026-01-08 01:00:26 +10:30
			`# Environment variables`
			`python-dotenv==1.0.0`

			`# UUID`
			`shortuuid==1.0.11`

			`# Date/Time`
			`python-dateutil==2.8.2`

			`# Redis (for sessions)`
			`redis==5.0.1`
			`Flask-Session==0.5.0`

			`# Rate limiting`
			`Flask-Limiter==3.5.0`

			`# Logging`
functional totp 2026-01-14 18:06:26 +10:30			`python-json-logger==2.0.7`
Feat: Added CA-merged with Securid-Principals, Depart, Client-CLI 2026-02-27 21:59:01 +05:45			`qrcode[pil]`

feat(docker): add Docker deployment configuration 2026-04-04 16:51:19 +10:30			`# HTTP requests`
			`requests>=2.31.0`

Feat: Added CA-merged with Securid-Principals, Depart, Client-CLI 2026-02-27 21:59:01 +05:45			`# SSH CA Certificate signing`
Chore(Fix): Package dependency 2026-02-28 19:19:42 +05:45			`sshkey-tools==0.11.3`