Update python-jose from 3.3.0 to 3.5.0 to fix:
- CVE-2024-33663: Algorithm confusion with ECDSA keys (High)
- CVE-2024-33664: JWT bomb DoS via high compression ratio (High)

Remaining accepted risk: ecdsa CVE-2024-23342 (Minerva timing attack)
- No fix available (maintainer considers side-channel attacks out of scope)
- Non-exploitable in this app: JWTs use HMAC (HS256), not ECDSA signing

All 189 tests pass. npm audit: 0 vulnerabilities.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
30 lines
449 B
Plaintext
# FastAPI and server
fastapi==0.128.5
uvicorn[standard]==0.40.0

# Database
sqlalchemy==2.0.46
asyncpg==0.31.0
psycopg2-binary==2.9.9
alembic==1.18.3

# Authentication
python-jose[cryptography]==3.5.0
passlib[bcrypt]==1.7.4
bcrypt==4.1.2
python-multipart==0.0.22

# Validation and settings
pydantic==2.12.5
pydantic-settings==2.12.0
email-validator==2.1.0

# Rate Limiting
slowapi==0.1.9

# Payments
stripe==14.3.0

# Utilities
python-dotenv==1.0.1
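The commit message's "non-exploitable here, we only use HS256" argument rests on the verifier pinning the algorithm itself rather than trusting the token header. As an added illustration (not the project's code and not python-jose's implementation, standard library only), this is the check in miniature: the accepted algorithm set is fixed on the verifier side, so a header naming `none`, an ECDSA or an RSA algorithm is rejected before the signature is looked at. `SECRET`, `ALLOWED_ALGS` and the claims are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo values; a real app would load the key from settings.
SECRET = b"constructed-demo-secret-not-for-production"
# The verifier owns this list. The token header never gets a vote.
ALLOWED_ALGS = {"HS256"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_token(header: dict, claims: dict, signature: bytes) -> str:
    """Assemble header.payload.signature; used for both good and bad test tokens."""
    parts = [_b64url_encode(json.dumps(header).encode()),
             _b64url_encode(json.dumps(claims).encode()),
             _b64url_encode(signature)]
    return ".".join(parts)


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a token the way the app does: HMAC-SHA256 over header.payload."""
    unsigned = build_token({"alg": "HS256", "typ": "JWT"}, claims, b"").rstrip(".")
    sig = hmac.new(key, unsigned.encode(), hashlib.sha256).digest()
    return f"{unsigned}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the header alg is allowed and the HMAC matches."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    # Algorithm confusion defence: "none", RS256, ES256 or anything else the
    # app never issues is refused before the signature is even examined.
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))
```

With python-jose itself the equivalent is passing an explicit `algorithms=["HS256"]` to `jwt.decode`; the upgrade fixes the library's own handling, but a verifier that accepts whatever `alg` the header declares still loses.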