From 6a99fbdd90cf0230dde2740a4b4ed4fc02892fe0 Mon Sep 17 00:00:00 2001
From: Chuck
Date: Thu, 14 May 2026 10:13:36 -0400
Subject: [PATCH] fix(deps): bump minimum versions to address CVEs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Pillow 10.4.0 → 12.2.0: CVE-2026-40192 (DoS via FITS decompression bomb), CVE-2026-25990 (OOB write via PSD image), CVE-2026-42311/42308/42310
requests 2.32.0 → 2.33.0: CVE-2026-25645 (temp file security bypass), CVE-2024-47081 (.netrc credentials leak)
werkzeug 3.0.0 → 3.1.6: CVE-2023-46136, CVE-2024-49766/49767, CVE-2025-66221, CVE-2026-21860/27199 (DoS, path traversal, safe_join bypass)
Flask 3.0.0 → 3.1.3: CVE-2026-27205 (session data caching info disclosure)
spotipy 2.24.0 → 2.25.2: CVE-2025-27154, CVE-2025-66040
python-socketio 5.11.0 → 5.14.0: CVE-2025-61765
pytest 7.4.0 → 9.0.3: CVE-2025-71176 (insecure temp dir handling)

Updated in requirements.txt, web_interface/requirements.txt, plugin-repos/starlark-apps/requirements.txt, and plugin-repos/march-madness/requirements.txt.

Co-Authored-By: Claude Sonnet 4.6
---
 plugin-repos/march-madness/requirements.txt | 2 +-
 plugin-repos/starlark-apps/requirements.txt | 4 ++--
 requirements.txt | 12 ++++++------
 web_interface/requirements.txt | 12 ++++++------
 4 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/plugin-repos/march-madness/requirements.txt b/plugin-repos/march-madness/requirements.txt
index aa49c296..86eab2a3 100644
--- a/plugin-repos/march-madness/requirements.txt
+++ b/plugin-repos/march-madness/requirements.txt
@@ -1,4 +1,4 @@
-requests>=2.28.0
+requests>=2.33.0
 Pillow>=12.2.0
 pytz>=2022.1
 numpy>=1.24.0
diff --git a/plugin-repos/starlark-apps/requirements.txt b/plugin-repos/starlark-apps/requirements.txt
index 7c1dfc12..97cc9de6 100644
--- a/plugin-repos/starlark-apps/requirements.txt
+++ b/plugin-repos/starlark-apps/requirements.txt
@@ -1,3 +1,3 @@
-Pillow>=10.4.0
+Pillow>=12.2.0
 PyYAML>=6.0.2
-requests>=2.32.0
+requests>=2.33.0
diff --git a/requirements.txt b/requirements.txt
index defec383..d3d72d34 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -3,7 +3,7 @@
 # Tested on Raspbian OS 12 (Bookworm) and 13 (Trixie)
 # Image processing
-Pillow>=10.4.0,<12.0.0
+Pillow>=12.2.0,<13.0.0
 numpy>=1.24.0 # For fast array operations in ScrollHelper (compatible with 2.x)
 # Timezone handling
@@ -12,7 +12,7 @@ timezonefinder>=6.5.0,<7.0.0 # Updated for better performance and accuracy
 geopy>=2.4.1,<3.0.0
 # HTTP requests
-requests>=2.32.0,<3.0.0
+requests>=2.33.0,<3.0.0
 # Google API integration
 google-auth-oauthlib>=1.2.0,<2.0.0
@@ -23,10 +23,10 @@ google-api-python-client>=2.147.0,<3.0.0
 freetype-py>=2.5.1,<3.0.0
 # Spotify integration
-spotipy>=2.24.0,<3.0.0
+spotipy>=2.25.2,<3.0.0
 # Flask web framework
-Flask>=3.0.0,<4.0.0
+Flask>=3.1.3,<4.0.0
 # Text processing
 unidecode>=1.3.8,<2.0.0
@@ -35,7 +35,7 @@ unidecode>=1.3.8,<2.0.0
 icalevents>=0.1.27,<1.0.0
 # WebSocket support
-python-socketio>=5.11.0,<6.0.0
+python-socketio>=5.14.0,<6.0.0
 python-engineio>=4.9.0,<5.0.0
 websockets>=12.0,<14.0
 websocket-client>=1.8.0,<2.0.0
@@ -44,7 +44,7 @@ websocket-client>=1.8.0,<2.0.0
 jsonschema>=4.20.0,<5.0.0
 # Testing dependencies
-pytest>=7.4.0,<8.0.0
+pytest>=9.0.3,<10.0.0
 pytest-cov>=4.1.0,<5.0.0
 pytest-mock>=3.11.0,<4.0.0
 mypy>=1.5.0,<2.0.0
diff --git a/web_interface/requirements.txt b/web_interface/requirements.txt
index f0e380ef..dd4a4548 100644
--- a/web_interface/requirements.txt
+++ b/web_interface/requirements.txt
@@ -3,8 +3,8 @@
 # Tested on Raspbian OS 12 (Bookworm) and 13 (Trixie)
 # Web framework
-flask>=3.0.0,<4.0.0
-werkzeug>=3.0.0,<4.0.0
+flask>=3.1.3,<4.0.0
+werkzeug>=3.1.6,<4.0.0
 flask-wtf>=1.2.0 # CSRF protection (optional for local-only, but recommended)
 flask-limiter>=3.5.0 # Rate limiting (prevent accidental abuse)
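Review bot: The Flask bump in requirements.txt (hunk `@@ -23,10 +23,10 @@`) adds no werkzeug floor, even though the commit message attributes the path-traversal and safe_join-bypass fixes to werkzeug 3.1.6; only web_interface/requirements.txt carries `werkzeug>=3.1.6,<4.0.0`. Flask 3.1.x pulls Werkzeug in transitively, but as far as I know not at a patch-level floor, so an install from the main requirements.txt alone can still resolve a werkzeug older than 3.1.6 unless the file pins it somewhere outside these hunks. Add `werkzeug>=3.1.6,<4.0.0` beside the Flask line so both manifests enforce the same minimum. Separately, the `@@ -44,7 +44,7 @@` hunk moves pytest to 9.x while pytest-cov stays `<5.0.0` and pytest-mock `<4.0.0`; confirm those caps still resolve against pytest 9 so the new floor is actually installable.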
@@ -13,13 +13,13 @@ flask-limiter>=3.5.0 # Rate limiting (prevent accidental abuse)
 # However, plugins may need websocket support to connect to external services
 # (e.g., music plugin connecting to YTM Companion server via Socket.IO)
 # These packages are required for plugin compatibility
-python-socketio>=5.11.0,<6.0.0
+python-socketio>=5.14.0,<6.0.0
 python-engineio>=4.9.0,<5.0.0
 websockets>=12.0,<14.0
 websocket-client>=1.8.0,<2.0.0
 # Image processing
-Pillow>=10.4.0,<12.0.0
+Pillow>=12.2.0,<13.0.0
 # System monitoring
 psutil>=6.0.0,<7.0.0
@@ -32,7 +32,7 @@ freetype-py>=2.5.0,<3.0.0
 numpy>=1.24.0
 # HTTP requests
-requests>=2.32.0,<3.0.0
+requests>=2.33.0,<3.0.0
 # Date/time utilities
 python-dateutil>=2.9.0,<3.0.0
@@ -48,7 +48,7 @@ google-auth-httplib2>=0.2.0,<1.0.0
 google-api-python-client>=2.147.0,<3.0.0
 # Spotify integration (must match main requirements)
-spotipy>=2.24.0,<3.0.0
+spotipy>=2.25.2,<3.0.0
 # Text processing (must match main requirements)
 unidecode>=1.3.8,<2.0.0