rick/LEDMatrix
1
0
Fork 0
mirror of https://github.com/ChuckBuilds/LEDMatrix.git synced 2026-05-15 10:03:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(deps): bump minimum versions to address CVEs

Browse Source 
Pillow 10.4.0 → 12.2.0: CVE-2026-40192 (DoS via FITS decompression bomb),
CVE-2026-25990 (OOB write via PSD image), CVE-2026-42311/42308/42310

requests 2.32.0 → 2.33.0: CVE-2026-25645 (temp file security bypass),
CVE-2024-47081 (.netrc credentials leak)

werkzeug 3.0.0 → 3.1.6: CVE-2023-46136, CVE-2024-49766/49767,
CVE-2025-66221, CVE-2026-21860/27199 (DoS, path traversal, safe_join bypass)

Flask 3.0.0 → 3.1.3: CVE-2026-27205 (session data caching info disclosure)

spotipy 2.24.0 → 2.25.2: CVE-2025-27154, CVE-2025-66040

python-socketio 5.11.0 → 5.14.0: CVE-2025-61765

pytest 7.4.0 → 9.0.3: CVE-2025-71176 (insecure temp dir handling)

Updated in requirements.txt, web_interface/requirements.txt,
plugin-repos/starlark-apps/requirements.txt, and
plugin-repos/march-madness/requirements.txt.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Chuck
2026-05-14 10:13:36 -04:00
parent 1c4d5c5271
commit 6a99fbdd90
4 changed files with 15 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
web_interface/requirements.txt
View File

@@ -3,8 +3,8 @@
# Tested on Raspbian OS 12 (Bookworm) and 13 (Trixie)
# Web framework
flask>=3.0.0,<4.0.0
werkzeug>=3.0.0,<4.0.0
flask>=3.1.3,<4.0.0
werkzeug>=3.1.6,<4.0.0
flask-wtf>=1.2.0 # CSRF protection (optional for local-only, but recommended)
flask-limiter>=3.5.0 # Rate limiting (prevent accidental abuse)
@@ -13,13 +13,13 @@ flask-limiter>=3.5.0 # Rate limiting (prevent accidental abuse)
# However, plugins may need websocket support to connect to external services
# (e.g., music plugin connecting to YTM Companion server via Socket.IO)
# These packages are required for plugin compatibility
python-socketio>=5.11.0,<6.0.0
python-socketio>=5.14.0,<6.0.0
python-engineio>=4.9.0,<5.0.0
websockets>=12.0,<14.0
websocket-client>=1.8.0,<2.0.0
# Image processing
Pillow>=10.4.0,<12.0.0
Pillow>=12.2.0,<13.0.0
# System monitoring
psutil>=6.0.0,<7.0.0
@@ -32,7 +32,7 @@ freetype-py>=2.5.0,<3.0.0
numpy>=1.24.0
# HTTP requests
requests>=2.32.0,<3.0.0
requests>=2.33.0,<3.0.0
# Date/time utilities
python-dateutil>=2.9.0,<3.0.0
@@ -48,7 +48,7 @@ google-auth-httplib2>=0.2.0,<1.0.0
google-api-python-client>=2.147.0,<3.0.0
# Spotify integration (must match main requirements)
spotipy>=2.24.0,<3.0.0
spotipy>=2.25.2,<3.0.0
# Text processing (must match main requirements)
unidecode>=1.3.8,<2.0.0