From 7b0ef281af5d3e84b335f519b51f66d9805b2c16 Mon Sep 17 00:00:00 2001 From: Kayos Date: Sat, 2 May 2026 13:32:11 -0700 Subject: [PATCH] =?UTF-8?q?deps:=20bump=20Flask=203.0.3=E2=86=923.1.3,=20r?= =?UTF-8?q?equests=202.32.3=E2=86=922.33.0,=20Authlib=201.3.2=E2=86=921.6.?= =?UTF-8?q?11,=20cryptography=2043.0.3=E2=86=9246.0.6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CVE audit (memory/cauldron-cve/00-deps.md, 2026-05-02): 13 known CVEs across these four packages in the deployed versions. Verified each against cauldron's actual code path — most not directly exploitable in current usage (no JWE decrypt, no key=None JWS, no EC crypto, no .netrc, sessions in Flask not Authlib cache). The 9.1-CVSS Authlib JWS bypass (CVE-2026-27962) requires a code path cauldron doesn't take, but the library is 8+ versions stale and the bump is mandatory before any public exposure. Authlib jumps the most (1.3.2 → 1.6.11). High-level OAuth/OIDC API is stable across this range — OAuth(app), register(...), authorize_access_token(), userinfo() all unchanged. Smoke-test the OIDC round-trip after deploy. --- requirements.txt | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/requirements.txt b/requirements.txt index 5463b47..096990c 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,8 +1,8 @@ -Flask==3.0.3 -requests==2.32.3 +Flask==3.1.3 +requests==2.33.0 gunicorn==23.0.0 -Authlib==1.3.2 +Authlib==1.6.11 PyMySQL==1.1.1 -cryptography==43.0.3 +cryptography==46.0.6 rapidfuzz==3.10.1 recipe-scrapers==15.6.0
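Review bot: the hunk bumps Authlib across three minor series (1.3.2 → 1.6.11) and cryptography across two skipped majors (43.0.3 → 46.0.6), but the only verification the commit message offers is a post-deploy smoke test of the OIDC round-trip; move that check before merge (a CI job that exercises `OAuth(app)`, `register(...)`, `authorize_access_token()` and `userinfo()` against a stub provider, or at minimum an `pip install -r requirements.txt` plus an import-and-start check on the target Python version, since a cryptography major jump can change wheel availability for the deployment platform). Two smaller points on the same lines: the pins are bare `==` versions, so consider adding `--hash=sha256:...` entries (or a generated lockfile) so the dependency bump that is being made for CVE reasons is not itself exposed to a substituted package; and the audit note covers only the four bumped packages, so state in the message whether the untouched pins (gunicorn==23.0.0, PyMySQL==1.1.1, rapidfuzz==3.10.1, recipe-scrapers==15.6.0) were checked and found clean or were out of scope.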