fix(security): patch cryptography CVEs, upgrade pip at build, harden /auth/upgrade
- requirements: cryptography >=46.0.7 (was pinned <46, which excluded the fix for the CVEs pip-audit flagged in our Fernet/crypto library). pip-audit now clean. - Dockerfile: upgrade pip before installing deps (patches installer-level CVEs). - auth: /auth/upgrade now defaults to the least-privileged read scope; only an explicit access=write requests the write scope.
This commit is contained in:
parent
4826a5811f
commit
18e345a4de
3 changed files with 6 additions and 5 deletions
|
|
@ -11,4 +11,4 @@ feedparser>=6.0,<7.0
|
|||
apscheduler>=3.10,<4.0
|
||||
py3langid>=0.3,<1.0
|
||||
itsdangerous>=2.1,<3.0
|
||||
cryptography>=42,<46
|
||||
cryptography>=46.0.7,<47
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue