From f54dc0d342d0bd1baef9feeaed0d54f430081366 Mon Sep 17 00:00:00 2001
From: kitos
Date: Fri, 12 Jun 2026 13:02:14 +0200
Subject: [PATCH] fix(deps): pin minimum safe versions in requirements.txt to fix Snyk dashboard alerts

Snyk platform was resolving unpinned deps to old vulnerable versions. All minimum versions match current production installs (from requirements-lock.txt).

Key security fixes reflected:
- PyJWT>=2.13.0 (fixes CWE-287 Improper Authentication, CWE-326, CWE-347)
- python-multipart>=0.0.32 (fixes CWE-22 Directory Traversal, CWE-770)
- fastapi>=0.136.3 (fixes CWE-1333 ReDoS)
- requests>=2.34.2 (fixes CWE-201, CWE-377, CWE-670)
- lxml>=6.1.1 (fixes CWE-611 XXE Injection)
---
 backend/requirements.txt | 49 ++++++++++++++++++++--------------------
 1 file changed, 25 insertions(+), 24 deletions(-)

diff --git a/backend/requirements.txt b/backend/requirements.txt
index b975e74..a7fd8ba 100644
--- a/backend/requirements.txt
+++ b/backend/requirements.txt
@@ -1,30 +1,31 @@
-fastapi
-uvicorn[standard]
-sqlalchemy
-psycopg2-binary
-alembic
-PyJWT
-passlib[bcrypt]
+fastapi>=0.136.3
+uvicorn[standard]>=0.49.0
+sqlalchemy>=2.0.50
+psycopg2-binary>=2.9.12
+alembic>=1.18.4
+PyJWT>=2.13.0
+passlib[bcrypt]>=1.7.4
 bcrypt==4.0.1
-boto3
-apscheduler
-requests
-pyyaml
-toml
-taxii2-client
-python-multipart
-pydantic-settings
-slowapi
-defusedxml
-redis>=5.0.0
-atlassian-python-api>=4.0.0
-tempo-api-python-client>=0.8.0
-weasyprint>=62.0
-docxtpl>=0.18.0
-python3-saml>=1.15.0
+boto3>=1.43.0
+apscheduler>=3.11.0
+requests>=2.34.2
+pyyaml>=6.0.3
+toml>=0.10.2
+taxii2-client>=2.3.0
+python-multipart>=0.0.32
+pydantic-settings>=2.14.0
+slowapi>=0.1.9
+defusedxml>=0.7.1
+redis>=8.0.0
+atlassian-python-api>=4.0.7
+tempo-api-python-client>=0.12.0
+weasyprint>=69.0
+docxtpl>=0.20.2
+python3-saml>=1.16.0
+lxml>=6.1.1
 # Testing
 pytest
 pytest-asyncio
-httpx
+httpx>=0.28.0
 fakeredis>=2.23.0
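Review bot: `pytest` and `pytest-asyncio` are the only entries in the hunk left without a lower bound, so the Snyk resolution problem the commit describes still applies to them; give them the same floor taken from requirements-lock.txt, e.g. `pytest>=<lock version>` and `pytest-asyncio>=<lock version>`. The untouched `bcrypt==4.0.1` is now the only exact pin in the file, sitting directly under the new `passlib[bcrypt]>=1.7.4` floor, with nothing saying why it must not be raised; if it is a passlib compatibility constraint (which the hunk does not show), a comment such as `# exact pin: must stay in step with passlib — see <issue id>` would stop the next dependency-alert sweep from "fixing" it. Note also that `>=` floors only raise the minimum the resolver will accept; what actually runs is still decided by requirements-lock.txt, so the lock needs to be regenerated and committed whenever these floors move, and a CI check that the lock satisfies the manifest would catch the two drifting apart.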