sangnn
59 lines
1.2 KiB
Plaintext
59 lines
1.2 KiB
Plaintext
# Core Flask
|
|
Flask==3.0.0
|
|
Werkzeug==3.0.6 # CVE-2024-34069 (debug-server RCE); stays <3.1 for Flask 3.0 compat
|
|
|
|
# Database
|
|
SQLAlchemy==2.0.23
|
|
Flask-SQLAlchemy==3.1.1
|
|
Flask-Migrate==4.0.5
|
|
psycopg2-binary==2.9.9
|
|
|
|
# Validation & Serialization
|
|
marshmallow==3.20.1
|
|
Flask-Marshmallow==0.15.0
|
|
marshmallow-sqlalchemy==0.29.0
|
|
|
|
# Security
|
|
bcrypt==4.2.0
|
|
Flask-Bcrypt==1.0.1
|
|
pyotp==2.9.0
|
|
|
|
# WebAuthn / FIDO2
|
|
# fido2 removed: unused in the codebase (WebAuthn is parsed directly via cbor2),
|
|
# and it pinned cryptography<44, blocking the CVE-2026-26007 fix. Re-add fido2>=2.2.0
|
|
# if migrating to the official library.
|
|
cbor2==5.9.0 # CVE-2024-26134, CVE-2026-26209 (DoS via recursion)
|
|
|
|
# JWT / OIDC
|
|
PyJWT==2.13.0 # CVE-2026-48526 (auth bypass via forged JWT), CVE-2026-32597
|
|
cryptography==43.0.3 # capped <44 by sshkey-tools 0.11.3; see .trivyignore for CVE-2026-26007
|
|
|
|
# CORS
|
|
Flask-CORS==6.0.0 # CVE-2024-6221 (ACAO handling)
|
|
|
|
# Environment variables
|
|
python-dotenv==1.0.0
|
|
|
|
# UUID
|
|
shortuuid==1.0.11
|
|
|
|
# Date/Time
|
|
python-dateutil==2.8.2
|
|
|
|
# Redis (for sessions)
|
|
redis==5.0.1
|
|
Flask-Session==0.5.0
|
|
|
|
# Rate limiting
|
|
Flask-Limiter==3.5.0
|
|
|
|
# Logging
|
|
python-json-logger==2.0.7
|
|
qrcode[pil]
|
|
|
|
# HTTP requests
|
|
requests>=2.31.0
|
|
|
|
# SSH CA Certificate signing
|
|
sshkey-tools==0.11.3
|