coryHawkvelt/gatehouse-api
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

security: upgrade some package versions
Push -> develop / Build Docker images (push) Failing after 13s
Details
Push -> develop / Deploy (push) Has been skipped
Details
Push -> develop / Notify on result (push) Successful in 0s
Details

Browse Source
This commit is contained in:
sangnn
2026-06-23 03:20:58 +00:00
parent f971c4cdaa
commit ada22e6017
7 changed files with 36 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files
requirements/base.txt
+8 -6
View File
@@ -1,6 +1,6 @@
# Core Flask
Flask==3.0.0
Werkzeug==3.0.1
Werkzeug==3.0.6 # CVE-2024-34069 (debug-server RCE); stays <3.1 for Flask 3.0 compat
# Database
SQLAlchemy==2.0.23
@@ -19,15 +19,17 @@ Flask-Bcrypt==1.0.1
pyotp==2.9.0
# WebAuthn / FIDO2
fido2==1.1.2
cbor2==5.6.0
# fido2 removed: unused in the codebase (WebAuthn is parsed directly via cbor2),
# and it pinned cryptography<44, blocking the CVE-2026-26007 fix. Re-add fido2>=2.2.0
# if migrating to the official library.
cbor2==5.9.0 # CVE-2024-26134, CVE-2026-26209 (DoS via recursion)
# JWT / OIDC
PyJWT==2.8.0
cryptography==42.0.7
PyJWT==2.13.0 # CVE-2026-48526 (auth bypass via forged JWT), CVE-2026-32597
cryptography==46.0.5 # CVE-2026-26007 (SECT subgroup attack)
# CORS
Flask-CORS==4.0.0
Flask-CORS==6.0.0 # CVE-2024-6221 (ACAO handling)
# Environment variables
python-dotenv==1.0.0
requirements/development.txt
+2 -2
View File
@@ -36,8 +36,8 @@ requests==2.31.0
pytz==2023.3
python-dotenv==1.0.0
pydantic==2.5.0
PyJWT==2.8.0
cryptography==42.0.7
PyJWT==2.13.0
cryptography==46.0.5
pycryptodome==3.20.0
psycopg2-binary==2.9.9
sshkey-tools==0.11.3
requirements/production.txt
+1 -1
View File
@@ -1,7 +1,7 @@
-r base.txt
# Production WSGI server
gunicorn==21.2.0
gunicorn==23.0.0 # CVE-2024-1135, CVE-2024-6827 (HTTP request smuggling)
# Monitoring & logging
sentry-sdk[flask]==1.39.1