
chore(deps): pin urllib3>=2.7.0 to clear CVE-2026-44431 / CVE-2026-44432

  urllib3 2.6.3 was being pulled in transitively (none of our top-level
  deps require >=2.7.0 yet) and trips two recent CVEs. Direct pin in
  requirements.txt forces the resolver to install 2.7.0, which is the
  upstream-fixed release for both findings.
maziggy 1 week ago
commit 63a99841a9
2 changed files with 6 additions and 0 deletions
  CHANGELOG.md (+0 -0)
  requirements.txt (+6 -0)
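The commit message relies on the resolver honouring the new floor; a quick way to confirm that the installed environment actually satisfies every `pkg>=X` line is to compare requirements.txt against the installed distributions. The script below is an added example, not part of this repository: `SAMPLE_REQUIREMENTS` is a constructed excerpt (only the two lines the check cares about), the constructed "installed" dicts stand in for environments before and after the fix, and `installed_versions()` snapshots the real environment when run directly. It understands only plain numeric `>=` floors, which is all this file uses.

```python
import re
from importlib import metadata

# Constructed excerpt of a requirements.txt (not the project's file): only the lines this check uses.
SAMPLE_REQUIREMENTS = """\
# HTTP client (used for OIDC token exchange)
httpx>=0.26.0

# Transitive pin: urllib3 2.6.3 has CVE-2026-44431 and CVE-2026-44432;
# 2.7.0+ is the fixed release.
urllib3>=2.7.0
"""

# Matches 'name>=X.Y.Z' with an optional trailing comment; other specifiers are ignored on purpose.
_FLOOR_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*>=\s*([0-9][0-9.]*)\s*(?:#.*)?$")


def normalize(name):
    """Canonical distribution name: case-folded, runs of '-', '_' and '.' collapsed to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text):
    """'2.7.0' -> (2, 7); trailing zeros are dropped so '2.7' and '2.7.0' compare equal.

    Only the numeric dotted prefix is considered; suffixes such as rc1 are ignored here.
    """
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_floors(requirements_text):
    """Return {normalized name: minimum version string} for every 'pkg>=X' line."""
    floors = {}
    for line in requirements_text.splitlines():
        m = _FLOOR_RE.match(line)
        if m:
            floors[normalize(m.group(1))] = m.group(2)
    return floors


def installed_versions():
    """Snapshot {normalized name: version} of the current environment (hypothetical helper for live use)."""
    snapshot = {}
    for dist in metadata.distributions():
        name = dist.metadata.get("Name") or ""
        if name:
            snapshot[normalize(name)] = dist.version
    return snapshot


def check_floors(requirements_text, installed):
    """Return [(name, installed_version, floor)] for packages installed below their floor.

    Packages that are not installed at all are skipped: a missing package is a
    different finding from a vulnerable one and should be reported separately.
    """
    violations = []
    for name, floor in parse_floors(requirements_text).items():
        have = installed.get(name)
        if have is not None and parse_version(have) < parse_version(floor):
            violations.append((name, have, floor))
    return violations


if __name__ == "__main__":
    # Constructed 'before' environment: the resolver kept the vulnerable 2.6.x line.
    before = {"urllib3": "2.6.3", "httpx": "0.27.0"}
    for name, have, floor in check_floors(SAMPLE_REQUIREMENTS, before):
        print(f"{name} {have} is below the required floor {floor}")
    # Same check against whatever is actually installed where this script runs.
    for name, have, floor in check_floors(SAMPLE_REQUIREMENTS, installed_versions()):
        print(f"installed {name} {have} is below the required floor {floor}")
```

Run it with the real requirements.txt after `pip install -r requirements.txt`; an empty result for the urllib3 line is the evidence the commit message asserts, and a non-empty one means the floor was not applied to this environment.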

File diff suppressed because it is too large
+ 0 - 0
CHANGELOG.md


+ 6 - 0
requirements.txt

@@ -61,6 +61,12 @@ pyotp>=2.9.0
 # HTTP client (used for OIDC token exchange)
 httpx>=0.26.0
 
+# Transitive pin: urllib3 2.6.3 has CVE-2026-44431 and CVE-2026-44432;
+# 2.7.0+ is the fixed release. Direct pin here because none of our
+# top-level deps require >=2.7.0 yet, so without this the resolver
+# would silently keep installing the vulnerable 2.6.x line.
+urllib3>=2.7.0
+
 # Plate Detection (optional - enables build plate empty detection)
 opencv-python-headless>=4.8.0
 numpy>=1.24.0
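Review bot: the comment block calls this a "transitive pin", but `urllib3>=2.7.0` is a floor, not a pin: it stops the resolver from choosing 2.6.x, yet any later 2.x or 3.x release also satisfies it, so a fresh install can drift to a version nobody here has tested. If the intent is really to force the fixed release, use `urllib3==2.7.0` (or `urllib3>=2.7.0,<3`) or record the resolved version in a lockfile; otherwise reword the comment to say "minimum version". It would also help to state, in the comment or in CHANGELOG.md (listed as changed with +0 -0), that this entry is only needed until a top-level dependency raises its own floor and can be removed then, and to confirm after `pip install -r requirements.txt` with `pip show urllib3` or `pip-audit` that the resolver actually selected 2.7.0.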
