CVE audit (memory/cauldron-cve/00-deps.md, 2026-05-02): 13 known CVEs across these four packages in the deployed versions. Verified each against cauldron's actual code path — most not directly exploitable in current usage (no JWE decrypt, no key=None JWS, no EC crypto, no .netrc, sessions in Flask not Authlib cache). The 9.1-CVSS Authlib JWS bypass (CVE-2026-27962) requires a code path cauldron doesn't take, but the library is 8+ versions stale and the bump is mandatory before any public exposure. Authlib jumps the most (1.3.2 → 1.6.11). High-level OAuth/OIDC API is stable across this range — OAuth(app), register(...), authorize_access_token(), userinfo() all unchanged. Smoke-test the OIDC round-trip after deploy.
Flask==3.1.3
requests==2.33.0
gunicorn==23.0.0
Authlib==1.6.11
PyMySQL==1.1.1
cryptography==46.0.6
rapidfuzz==3.10.1
recipe-scrapers==15.6.0