From 19b2565a730b31325bddb3e25697e00a13f1389a Mon Sep 17 00:00:00 2001
From: sangnn <nnsang1510@gmail.com>
Date: Tue, 23 Jun 2026 07:14:25 +0000
Subject: [PATCH] security: upgrade some package versions

---
 .trivyignore | 47 -----------------------------------------------
 1 file changed, 47 deletions(-)
 delete mode 100644 .trivyignore

diff --git a/.trivyignore b/.trivyignore
deleted file mode 100644
index 16863bd..0000000
--- a/.trivyignore
+++ /dev/null
@@ -1,47 +0,0 @@
-# Accepted vulnerabilities — reviewed, justified, and tracked.
-# Format: one CVE/GHSA ID per line. Re-evaluate each at the review date below.
-#
-# ---------------------------------------------------------------------------
-# cryptography is pinned to 43.0.3 because sshkey-tools 0.11.3 (SSH CA cert
-# signing) requires cryptography <44. The two findings below are only fixed in
-# cryptography >=44/48, which we cannot adopt until sshkey-tools relaxes its pin.
-#
-# Reviewed: 2026-06-23  |  Next review: 2026-09-23
-# Action to remove: bump sshkey-tools to a release allowing cryptography>=48,
-#                   then set cryptography>=48.0.1 and delete these lines.
-# ---------------------------------------------------------------------------
-
-# SECT (binary-field) curve subgroup attack. Not reachable: Gatehouse uses only
-# RSA / NIST P-256 / Ed25519 (JWT, x509, SSH CA). No SECT curves anywhere.
-CVE-2026-26007
-
-# Vulnerable OpenSSL statically bundled in the cryptography manylinux wheel.
-# Blocked by the same sshkey-tools <44 cap. Tracked for removal at next review.
-GHSA-537c-gmf6-5ccf
-
-# ---------------------------------------------------------------------------
-# Unfixable base-image OS packages (Debian slim). All are status "affected" or
-# "fix_deferred" with NO fixed version available upstream — apt cannot patch
-# them. They are deep base packages we cannot remove without breaking the image
-# (perl/dpkg tooling, ncurses for terminal libs, sqlite via Python stdlib).
-# None are reachable from the app's input paths (no Archive::Tar on untrusted
-# input, no curl, sqlite3 stdlib unused with untrusted DB files).
-#
-# Reviewed: 2026-06-23  |  Next review: 2026-09-23
-# Strategic fix: migrate to a distroless / Chainguard Python base, which drops
-# perl, ncurses tooling and sqlite entirely. Revisit then.
-# ---------------------------------------------------------------------------
-
-# perl-base (Archive::Tar / IO-Compress) — no fix available
-CVE-2026-42496
-CVE-2026-42497
-CVE-2026-48962
-CVE-2026-9538
-CVE-2026-8376
-
-# ncurses (libtinfo6 / libncursesw6 / ncurses-base / ncurses-bin) — no fix
-CVE-2025-69720
-
-# libsqlite3-0 — no fix
-CVE-2026-11822
-CVE-2026-11824