fix(security): patch cryptography CVEs, upgrade pip at build, harden /auth/upgrade

- requirements: cryptography >=46.0.7 (was pinned <46, which excluded the fix for
  the CVEs pip-audit flagged in our Fernet/crypto library). pip-audit now clean.
- Dockerfile: upgrade pip before installing deps (patches installer-level CVEs).
- auth: /auth/upgrade now defaults to the least-privileged read scope; only an
  explicit access=write requests the write scope.
This commit is contained in:
npeter83 2026-06-14 05:59:34 +02:00
parent 94a51b1b43
commit c12e776706
3 changed files with 6 additions and 5 deletions

View file

@ -16,7 +16,7 @@ ENV PYTHONDONTWRITEBYTECODE=1 \
WORKDIR /app
COPY backend/requirements.txt .
RUN pip install -r requirements.txt
RUN pip install --upgrade pip && pip install -r requirements.txt
COPY backend/ .
COPY --from=frontend /fe/dist ./app/static_spa