From c1d115a6db5fc03e5bf73a9858971119916169f1 Mon Sep 17 00:00:00 2001
From: Jochen Mattes
Date: Tue, 31 Mar 2026 11:21:10 +0200
Subject: [PATCH 1/2] chore: update dependencies to latest versions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Updated 8 packages in requirements.txt:
- aiohttp 3.13.3 → 3.13.4
- certifi 2026.1.4 → 2026.2.25
- cryptography 46.0.5 → 46.0.6
- pint 0.25.2 → 0.25.3
- pydantic-extra-types 2.11.0 → 2.11.1
- pydantic-settings 2.12.0 → 2.13.1
- python-dotenv 1.2.1 → 1.2.2
- typer 0.21.1 → 0.24.1
---
 requirements.txt | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/requirements.txt b/requirements.txt
index 66f6563..123cb3f 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -4,15 +4,15 @@
 # This file is used in CI/CD pipelines and local development to ensure consistent test environments.
 # Update these versions periodically after running the full test suite to verify compatibility.
-aiohttp==3.13.3
-certifi==2026.1.4
-cryptography==46.0.5
+aiohttp==3.13.4
+certifi==2026.2.25
+cryptography==46.0.6
 packaging==26.0
-pint==0.25.2; python_version > "3.10"
+pint==0.25.3; python_version > "3.10"
 pint==0.24.4; python_version <= "3.10"
-pydantic-extra-types==2.11.0
+pydantic-extra-types==2.11.1
 pydantic==2.12.5
-pydantic-settings==2.12.0
-python-dotenv==1.2.1
-typer==0.21.1
+pydantic-settings==2.13.1
+python-dotenv==1.2.2
+typer==0.24.1
 websockets==16.0

From 921c02941b1433e3be9afd2c6d6845a9da63165e Mon Sep 17 00:00:00 2001
From: Jochen Mattes
Date: Tue, 31 Mar 2026 11:30:45 +0200
Subject: [PATCH 2/2] chore: bump pyproject.toml lower bounds for security vulnerabilities
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- aiohttp: >=3.10.11 → >=3.13.3 (fixes CVE-2025-69223, CVE-2025-69227, CVE-2025-69228, CVE-2025-69229)
- cryptography: >=44.0.0 → >=46.0.5 (fixes CVE-2026-26007)
---
 pyproject.toml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 5afe00b..ed586ba 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -35,17 +35,19 @@ classifiers = [
 ]
 requires-python = ">=3.10"
 dependencies = [
- # aiohttp: Minimum 3.10.11 includes security fixes for CVE-2024-23334 and CVE-2024-23829
+ # aiohttp: Minimum 3.13.3 includes security fixes for CVE-2025-69223 (zip bomb DoS),
+ # CVE-2025-69227 (infinite loop DoS), CVE-2025-69228 (memory exhaustion), CVE-2025-69229 (blocking CPU DoS)
 # No upper bound - follows SemVer, backward compatible within major version
- "aiohttp>=3.10.11",
+ "aiohttp>=3.13.3",
 # certifi: Minimum 2024.12.14 includes latest CA certificate bundle for secure TLS connections
 # No upper bound - certificate bundle updates are backward compatible
 "certifi>=2024.12.14",
- # cryptography: Minimum 44.0.0 includes critical security fixes for CVE-2024-26130
+ # cryptography: Minimum 46.0.5 includes fix for CVE-2026-26007 (elliptic curve subgroup validation)
+ # and earlier fixes for CVE-2024-26130 (NULL pointer dereference with pkcs12)
 # No upper bound - follows SemVer, removing restrictive constraint to prevent dependency conflicts
- "cryptography>=44.0.0",
+ "cryptography>=46.0.5",
 # packaging: Minimum 24.2 provides required version parsing functionality
 # No upper bound - stable API, backward compatible