fix(deps): pin minimum safe versions in requirements.txt to fix Snyk dashboard alerts

Snyk platform was resolving unpinned deps to old vulnerable versions. All minimum versions match current production installs (from requirements-lock.txt). Key security fixes reflected: - PyJWT>=2.13.0 (fixes CWE-287 Improper Authentication, CWE-326, CWE-347) - python-multipart>=0.0.32 (fixes CWE-22 Directory Traversal, CWE-770) - fastapi>=0.136.3 (fixes CWE-1333 ReDoS) - requests>=2.34.2 (fixes CWE-201, CWE-377, CWE-670) - lxml>=6.1.1 (fixes CWE-611 XXE Injection)
2026-06-12 13:02:14 +02:00
parent acc9092baa
commit f54dc0d342
1 changed files with 25 additions and 24 deletions
@@ -1,30 +1,31 @@
-fastapi
-uvicorn[standard]
-sqlalchemy
-psycopg2-binary
-alembic
-PyJWT
-passlib[bcrypt]
+fastapi>=0.136.3
+uvicorn[standard]>=0.49.0
+sqlalchemy>=2.0.50
+psycopg2-binary>=2.9.12
+alembic>=1.18.4
+PyJWT>=2.13.0
+passlib[bcrypt]>=1.7.4
 bcrypt==4.0.1
-boto3
-apscheduler
-requests
-pyyaml
-toml
-taxii2-client
-python-multipart
-pydantic-settings
-slowapi
-defusedxml
-redis>=5.0.0
-atlassian-python-api>=4.0.0
-tempo-api-python-client>=0.8.0
-weasyprint>=62.0
-docxtpl>=0.18.0
-python3-saml>=1.15.0
+boto3>=1.43.0
+apscheduler>=3.11.0
+requests>=2.34.2
+pyyaml>=6.0.3
+toml>=0.10.2
+taxii2-client>=2.3.0
+python-multipart>=0.0.32
+pydantic-settings>=2.14.0
+slowapi>=0.1.9
+defusedxml>=0.7.1
+redis>=8.0.0
+atlassian-python-api>=4.0.7
+tempo-api-python-client>=0.12.0
+weasyprint>=69.0
+docxtpl>=0.20.2
+python3-saml>=1.16.0
+lxml>=6.1.1

 # Testing
 pytest
 pytest-asyncio
-httpx
+httpx>=0.28.0
 fakeredis>=2.23.0