diff --git a/Dockerfile b/Dockerfile
index 8749796..7d2e248 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,7 +13,7 @@
 # ---------------------------------------------------------------------------
 # Stage 1: Install dependencies into a virtual environment
 # ---------------------------------------------------------------------------
-FROM dhi.io/python:3.13-alpine3.23-dev@sha256:c13970a65d92df51053ffbc9fb2696b694078e0c8f3aa7e9de01e91d810c2de7 AS builder
+FROM dhi.io/python:3.13-alpine3.23-dev@sha256:2932baee9e95d21b4baf7e898a632fa1bf1a8b6fb632d008c525fa456b3aeca2 AS builder
 
 WORKDIR /app
 
@@ -30,7 +30,7 @@ RUN uv sync --no-dev --frozen
 # ---------------------------------------------------------------------------
 # Stage 2: Production runtime — DHI Python (non-root by default)
 # ---------------------------------------------------------------------------
-FROM dhi.io/python:3.13-alpine3.23@sha256:904d8d2f5ccf6a2ebb63ca1c7a43aa0bafdeb03dae72f1174a82cc134bc530b0
+FROM dhi.io/python:3.13-alpine3.23@sha256:5b478d05c5b518d730a958352465e43eaa920416fa14468c5b59509713819062
 
 WORKDIR /app
 
diff --git a/pyproject.toml b/pyproject.toml
index ae19c3f..dcd314e 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -11,7 +11,7 @@ dependencies = [
 "pydantic>=2.13.2",
 "pydantic-settings>=2.13.1",
 "python-dotenv>=1.2.2", # CVE-2026-28684 - transitive dep via pydantic-settings
- "python-multipart>=0.0.26", # CVE-2026-40347 - transitive dep via fastapi
+ "python-multipart>=0.0.27", # GHSA-pp6c-gr5w-3c5g - transitive dep via fastapi and mcp
 "structlog>=25.5.0",
 ]
 
@@ -28,6 +28,8 @@ security = [
 "pip-audit>=2.10.0",
 "cyclonedx-bom>=7.3.0",
 "lxml>=6.1.0", # CVE-2026-41066 - transitive dep via cyclonedx-bom
+ "pip>=26.1", # GHSA-jp4c-xjxw-mgf9 - transitive dep via pip-audit->pip-api
+ "urllib3>=2.7.0", # GHSA-mf9v-mfxr-j63j, GHSA-qccp-gfcp-xxvc - transitive dep via pip-audit->cachecontrol->requests
 ]
 
 [build-system]
diff --git a/uv.lock b/uv.lock
index a8107af..8d9b1ee 100644
--- a/uv.lock
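Review bot: The rewritten `python-multipart` line in the first pyproject.toml hunk drops the CVE-2026-40347 reference that justified the earlier `>=0.0.26` floor, so a later audit of this pin sees only the newer advisory and cannot tell that a second fixed issue sits just below the new floor. Keep both identifiers with the version each one requires, in the form the neighbouring `python-dotenv` and `lxml` entries already use: `"python-multipart>=0.0.27", # CVE-2026-40347 (>=0.0.26), GHSA-pp6c-gr5w-3c5g (>=0.0.27) - transitive dep via fastapi and mcp`. The `dependencies = [` array opens outside the hunk. The uv.lock hunk further down resolves python-multipart to 0.0.28, which still satisfies this floor.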
+++ b/uv.lock
@@ -688,7 +688,9 @@ security = [
 { name = "bandit" },
 { name = "cyclonedx-bom" },
 { name = "lxml" },
+ { name = "pip" },
 { name = "pip-audit" },
+ { name = "urllib3" },
 ]
 
 [package.metadata]
@@ -699,7 +701,7 @@ requires-dist = [
 { name = "pydantic", specifier = ">=2.13.2" },
 { name = "pydantic-settings", specifier = ">=2.13.1" },
 { name = "python-dotenv", specifier = ">=1.2.2" },
- { name = "python-multipart", specifier = ">=0.0.26" },
+ { name = "python-multipart", specifier = ">=0.0.27" },
 { name = "structlog", specifier = ">=25.5.0" },
 ]
 
@@ -715,7 +717,9 @@ security = [
 { name = "bandit", extras = ["toml"], specifier = ">=1.9.4" },
 { name = "cyclonedx-bom", specifier = ">=7.3.0" },
 { name = "lxml", specifier = ">=6.1.0" },
+ { name = "pip", specifier = ">=26.1" },
 { name = "pip-audit", specifier = ">=2.10.0" },
+ { name = "urllib3", specifier = ">=2.7.0" },
 ]
 
 [[package]]
@@ -782,11 +786,11 @@ wheels = [
 
 [[package]]
 name = "pip"
-version = "26.0.1"
+version = "26.1.1"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/48/83/0d7d4e9efe3344b8e2fe25d93be44f64b65364d3c8d7bc6dc90198d5422e/pip-26.0.1.tar.gz", hash = "sha256:c4037d8a277c89b320abe636d59f91e6d0922d08a05b60e85e53b296613346d8", size = 1812747, upload-time = "2026-02-05T02:20:18.702Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/b6/48/cb9b7a682f6fe01a4221e1728941dd4ac3cd9090a17db3779d6ff490b602/pip-26.1.1.tar.gz", hash = "sha256:d36762751d156a4ee895de8af39aa0abeeeb577f93a2eca6ab62467bbf0f8a78", size = 1840400, upload-time = "2026-05-04T19:02:21.248Z" }
 wheels = [
- { url = "https://files.pythonhosted.org/packages/de/f0/c81e05b613866b76d2d1066490adf1a3dbc4ee9d9c839961c3fc8a6997af/pip-26.0.1-py3-none-any.whl", hash = "sha256:bdb1b08f4274833d62c1aa29e20907365a2ceb950410df15fc9521bad440122b", size = 1787723, upload-time = "2026-02-05T02:20:16.416Z" },
+ { url = "https://files.pythonhosted.org/packages/3a/eb/fea4d1d51c49832120f7f285d07306db3960f423a2612c6057caf3e8196f/pip-26.1.1-py3-none-any.whl", hash = "sha256:99cb1c2899893b075ff56e4ed0af55669a955b49ad7fb8d8603ecdaf4ed653fb", size = 1812777, upload-time = "2026-05-04T19:02:18.9Z" },
 ]
 
 [[package]]
@@ -1056,11 +1060,11 @@ wheels = [
 
 [[package]]
 name = "python-multipart"
-version = "0.0.26"
+version = "0.0.28"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/88/71/b145a380824a960ebd60e1014256dbb7d2253f2316ff2d73dfd8928ec2c3/python_multipart-0.0.26.tar.gz", hash = "sha256:08fadc45918cd615e26846437f50c5d6d23304da32c341f289a617127b081f17", size = 43501, upload-time = "2026-04-10T14:09:59.473Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/82/54/a85eb421fbdd5007bc5af39d0f4ed9fa609e0fedbfdc2adcf0b34526870e/python_multipart-0.0.28.tar.gz", hash = "sha256:8550da197eac0f7ab748961fc9509b999fa2662ea25cef857f05249f6893c0f8", size = 45314, upload-time = "2026-05-10T11:05:16.596Z" }
 wheels = [
- { url = "https://files.pythonhosted.org/packages/9a/22/f1925cdda983ab66fc8ec6ec8014b959262747e58bdca26a4e3d1da29d56/python_multipart-0.0.26-py3-none-any.whl", hash = "sha256:c0b169f8c4484c13b0dcf2ef0ec3a4adb255c4b7d18d8e420477d2b1dd03f185", size = 28847, upload-time = "2026-04-10T14:09:58.131Z" },
+ { url = "https://files.pythonhosted.org/packages/f3/a2/43bbc5860b5034e2af4ef99a0e04d726ff329c43e192ef3abaa8d7ecfce5/python_multipart-0.0.28-py3-none-any.whl", hash = "sha256:10faac07eb966c3f48dc415f9dee46c04cb10d58d30a35677db8027c825ed9b6", size = 29438, upload-time = "2026-05-10T11:05:15.052Z" },
 ]
 
 [[package]]
@@ -1444,11 +1448,11 @@ wheels = [
 
 [[package]]
 name = "urllib3"
-version = "2.6.3"
+version = "2.7.0"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/c7/24/5f1b3bdffd70275f6661c76461e25f024d5a38a46f04aaca912426a2b1d3/urllib3-2.6.3.tar.gz", hash = "sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed", size = 435556, upload-time = "2026-01-07T16:24:43.925Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/53/0c/06f8b233b8fd13b9e5ee11424ef85419ba0d8ba0b3138bf360be2ff56953/urllib3-2.7.0.tar.gz", hash = "sha256:231e0ec3b63ceb14667c67be60f2f2c40a518cb38b03af60abc813da26505f4c", size = 433602, upload-time = "2026-05-07T16:13:18.596Z" }
 wheels = [
- { url = "https://files.pythonhosted.org/packages/39/08/aaaad47bc4e9dc8c725e68f9d04865dbcb2052843ff09c97b08904852d84/urllib3-2.6.3-py3-none-any.whl", hash = "sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4", size = 131584, upload-time = "2026-01-07T16:24:42.685Z" },
+ { url = "https://files.pythonhosted.org/packages/7f/3e/5db95bcf282c52709639744ca2a8b149baccf648e39c8cc87553df9eae0c/urllib3-2.7.0-py3-none-any.whl", hash = "sha256:9fb4c81ebbb1ce9531cce37674bbc6f1360472bc18ca9a553ede278ef7276897", size = 131087, upload-time = "2026-05-07T16:13:17.151Z" },
 ]
 
 [[package]]