# Python dependency manifest for the Flask application (pip requirements format).
# Entries are pinned with == except where a NOTE(review) below says otherwise.
# NOTE(review): the inline CVE ids appear to record the advisory that motivated each
# pin - confirm against the scanner output before relying on them as "fixed in" markers.
# NOTE(review): no --hash entries are present, so installs rely on version pins alone;
# pip's --require-hashes mode would also bind each pin to a known artifact.

# Core Flask
Flask==3.0.0
Werkzeug==3.0.6  # CVE-2024-34069 (debug-server RCE); stays <3.1 for Flask 3.0 compat

# Database
SQLAlchemy==2.0.23
Flask-SQLAlchemy==3.1.1
Flask-Migrate==4.0.5
psycopg2-binary==2.9.9

# Validation & Serialization
marshmallow==3.20.1
Flask-Marshmallow==0.15.0
marshmallow-sqlalchemy==0.29.0

# Security
bcrypt==4.2.0
Flask-Bcrypt==1.0.1
pyotp==2.9.0

# WebAuthn / FIDO2
# fido2 removed: unused in the codebase (WebAuthn is parsed directly via cbor2),
# and it pinned cryptography<44, blocking the CVE-2026-26007 fix. Re-add fido2>=2.2.0
# if migrating to the official library.
# NOTE(review): removing fido2 did not lift the cap - cryptography below is still held
# <44 by sshkey-tools, so the CVE-2026-26007 fix remains blocked.
# NOTE(review): with WebAuthn parsed in-house, challenge, origin and signature checks
# are presumably the application's own code - confirm they have test coverage.
cbor2==5.9.0  # CVE-2024-26134, CVE-2026-26209 (DoS via recursion)

# JWT / OIDC
PyJWT==2.13.0  # CVE-2026-48526 (auth bypass via forged JWT), CVE-2026-32597
# NOTE(review): accepted risk. CVE-2026-26007 is suppressed in .trivyignore rather than
# fixed; give that entry an owner and a review date, and drop it together with this cap
# once sshkey-tools allows a cryptography release that carries the fix.
cryptography==43.0.3  # capped <44 by sshkey-tools 0.11.3; see .trivyignore for CVE-2026-26007

# CORS
Flask-CORS==6.0.0  # CVE-2024-6221 (ACAO handling)

# Environment variables
python-dotenv==1.0.0

# UUID
shortuuid==1.0.11

# Date/Time
python-dateutil==2.8.2

# Redis (for sessions)
redis==5.0.1
Flask-Session==0.5.0

# Rate limiting
Flask-Limiter==3.5.0

# Logging
python-json-logger==2.0.7
# NOTE(review): qrcode has no version constraint, unlike the pinned entries around it,
# so each install resolves whatever release is current; the [pil] extra pulls in Pillow,
# which is then unconstrained as well. Pin both after checking the deployed versions.
# It is also grouped under "Logging" - presumably it belongs with pyotp; confirm.
qrcode[pil]

# HTTP requests
# NOTE(review): lower bound only. Builds are not reproducible and a new upstream release
# reaches production without review; pin with == like the other entries.
requests>=2.31.0

# SSH CA Certificate signing
# This pin is what holds cryptography <44 (see the cryptography entry above).
sshkey-tools==0.11.3