fix(security): patch cryptography CVEs, upgrade pip at build, harden /auth/upgrade

- requirements: cryptography >=46.0.7 (was pinned <46, which excluded the fix for
  the CVEs pip-audit flagged in our Fernet/crypto library). pip-audit now clean.
- Dockerfile: upgrade pip before installing deps (patches installer-level CVEs).
- auth: /auth/upgrade now defaults to the least-privileged read scope; only an
  explicit access=write requests the write scope.
This commit is contained in:
npeter83 2026-06-14 05:59:34 +02:00
parent 94a51b1b43
commit c12e776706
3 changed files with 6 additions and 5 deletions

View file

@ -11,4 +11,4 @@ feedparser>=6.0,<7.0
apscheduler>=3.10,<4.0
py3langid>=0.3,<1.0
itsdangerous>=2.1,<3.0
cryptography>=42,<46
cryptography>=46.0.7,<47