deps: bump Flask 3.0.3→3.1.3, requests 2.32.3→2.33.0, Authlib 1.3.2→1.6.11, cryptography 43.0.3→46.0.6
CVE audit (memory/cauldron-cve/00-deps.md, 2026-05-02): 13 known CVEs across these four packages in the deployed versions. Verified each against cauldron's actual code path — most not directly exploitable in current usage (no JWE decrypt, no key=None JWS, no EC crypto, no .netrc, sessions in Flask not Authlib cache). The 9.1-CVSS Authlib JWS bypass (CVE-2026-27962) requires a code path cauldron doesn't take, but the library is 8+ versions stale and the bump is mandatory before any public exposure. Authlib jumps the most (1.3.2 → 1.6.11). High-level OAuth/OIDC API is stable across this range — OAuth(app), register(...), authorize_access_token(), userinfo() all unchanged. Smoke-test the OIDC round-trip after deploy.
This commit is contained in:
parent
1c943ec2d8
commit
7b0ef281af
1 changed files with 4 additions and 4 deletions
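As an added example (not part of cauldron or of this commit), the pre-deploy check the commit message implies: parse requirements.txt, refuse anything that is not an exact `==` pin, and assert that the four audited packages sit at or above the versions the audit settled on. The floors come from the commit title; the two requirements texts are constructed copies of the before and after state of the diff; the function names are this example's own.

```python
import re

# Minimum versions for the four packages covered by the CVE audit
# (taken from the commit title; keys are normalized, lower-case names).
AUDIT_FLOORS = {
    "flask": "3.1.3",
    "requests": "2.33.0",
    "authlib": "1.6.11",
    "cryptography": "46.0.6",
}

# Constructed copies of requirements.txt before and after the bump,
# transcribed from the diff on this page.
REQUIREMENTS_BEFORE = """\
Flask==3.0.3
requests==2.32.3
gunicorn==23.0.0
Authlib==1.3.2
PyMySQL==1.1.1
cryptography==43.0.3
rapidfuzz==3.10.1
recipe-scrapers==15.6.0
"""

REQUIREMENTS_AFTER = """\
Flask==3.1.3
requests==2.33.0
gunicorn==23.0.0
Authlib==1.6.11
PyMySQL==1.1.1
cryptography==46.0.6
rapidfuzz==3.10.1
recipe-scrapers==15.6.0
"""

# Only an exact "name==version" line counts as a pin; ranges (>=, ~=) or
# bare names let pip pick whatever the index serves and are rejected.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9][0-9A-Za-z.]*)$")


def parse_version(v: str) -> tuple:
    """Numeric-component comparison, enough for X.Y.Z release pins."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def parse_pins(text: str):
    """Return ({normalized_name: version}, [problems]) for a requirements text."""
    pins, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: not an exact '==' pin: {line!r}")
            continue
        # PEP 503 style normalization so "PyMySQL" and "pymysql" compare equal.
        name = m.group(1).lower().replace("_", "-")
        pins[name] = m.group(2)
    return pins, problems


def audit(text: str, floors=AUDIT_FLOORS):
    """Check pins against the audit floors.

    Returns (problems, unaudited): problems is a list of human-readable
    findings (empty means the file passes); unaudited lists pinned packages
    the audit did not cover, so the reviewer can see what is still unchecked.
    """
    pins, problems = parse_pins(text)
    for name, floor in floors.items():
        if name not in pins:
            problems.append(f"{name}: audited package missing from requirements")
        elif parse_version(pins[name]) < parse_version(floor):
            problems.append(f"{name}=={pins[name]} is below audit floor {floor}")
    unaudited = sorted(set(pins) - set(floors))
    return problems, unaudited


if __name__ == "__main__":
    for label, text in (("before", REQUIREMENTS_BEFORE), ("after", REQUIREMENTS_AFTER)):
        problems, unaudited = audit(text)
        print(f"{label}: {'OK' if not problems else 'FAIL'}")
        for p in problems:
            print("  -", p)
        print("  not covered by audit:", ", ".join(unaudited))
```

Run it as a CI step against the checked-in requirements.txt; the `unaudited` list is the part worth reading even when the check passes, since it names exactly the pins (gunicorn, PyMySQL, rapidfuzz, recipe-scrapers here) that the audit memo did not look at.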
@ -1,8 +1,8 @@
Flask==3.0.3
requests==2.32.3
Flask==3.1.3
requests==2.33.0
gunicorn==23.0.0
Authlib==1.3.2
Authlib==1.6.11
PyMySQL==1.1.1
cryptography==43.0.3
cryptography==46.0.6
rapidfuzz==3.10.1
recipe-scrapers==15.6.0
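Review bot: the bumped pins (Flask==3.1.3, requests==2.33.0, Authlib==1.6.11, cryptography==46.0.6) are exact versions but carry no `--hash=sha256:...` entries, so `pip install -r requirements.txt` will accept whatever artifact the index serves for those names; given the commit message calls the Authlib bump mandatory before public exposure, generate a hash-locked file (for example `pip-compile --generate-hashes`) and install with `--require-hashes`. Two related gaps in the same hunk: the four unchanged pins (gunicorn==23.0.0, PyMySQL==1.1.1, rapidfuzz==3.10.1, recipe-scrapers==15.6.0) are outside the audit described in the message, and nothing transitive is pinned here at all, so the Werkzeug, Jinja2 and itsdangerous versions Flask pulls in are not part of the "deployed versions" that memory/cauldron-cve/00-deps.md checked; a fully resolved lock file would cover both.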