fix(security): patch cryptography CVEs, upgrade pip at build, harden /auth/upgrade
- requirements: cryptography >=46.0.7 (was pinned <46, which excluded the fix for the CVEs pip-audit flagged in our Fernet/crypto library). pip-audit now clean. - Dockerfile: upgrade pip before installing deps (patches installer-level CVEs). - auth: /auth/upgrade now defaults to the least-privileged read scope; only an explicit access=write requests the write scope.
This commit is contained in:
parent
4826a5811f
commit
18e345a4de
3 changed files with 6 additions and 5 deletions
|
|
@ -16,7 +16,7 @@ ENV PYTHONDONTWRITEBYTECODE=1 \
|
|||
WORKDIR /app
|
||||
|
||||
COPY backend/requirements.txt .
|
||||
RUN pip install -r requirements.txt
|
||||
RUN pip install --upgrade pip && pip install -r requirements.txt
|
||||
|
||||
COPY backend/ .
|
||||
COPY --from=frontend /fe/dist ./app/static_spa
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue