From 6e78427d883eddc07ad556a301d31ec53427703b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Wirtel?=
Date: Sat, 29 Nov 2025 11:35:34 +0100
Subject: [PATCH 1/2] =?UTF-8?q?=F0=9F=94=92=EF=B8=8F=20chore:=20add=20sens?=
 =?UTF-8?q?itive=20files=20to=20gitignore?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Ignore environment files (.envrc, development.env, production.env)
- Ignore database dumps (*.dump, *.duckdb)
- Ignore local settings (pythonie/pythonie/settings/pgdev.py)
- Ignore MinIO data directory (mc/)
- Ignore personal notes (TODO.md)
---
 .gitignore | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/.gitignore b/.gitignore
index 5fc52e7..d96d0d2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -64,3 +64,20 @@ project.db
 # Virtualenv folders
 *venv/
+# Environment files with sensitive credentials
+.envrc
+development.env
+production.env
+
+# Database dumps and local databases
+*.dump
+*.duckdb
+
+# Local settings
+pythonie/pythonie/settings/pgdev.py
+
+# MinIO data directory
+mc/
+
+# Personal notes
+TODO.md

From b8bedaf139e30cd7c7f42f1ab24bdffdf6679c83 Mon Sep 17 00:00:00 2001
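Review bot: Adding `.envrc`, `development.env` and `production.env` to `.gitignore` only prevents future `git add`; any of these files that is already tracked stays in the index and in history, so a previously committed `production.env` would still expose its credentials. Before relying on this hunk, confirm with `git ls-files .envrc development.env production.env pythonie/pythonie/settings/pgdev.py` that none of them is tracked; if one is, untrack it with `git rm --cached <path>` and rotate whatever secrets it held, since the values remain reachable from earlier commits until history is rewritten. A short comment above the new section stating that this list is preventive only, e.g. `# Ignoring does not untrack files already committed; check git ls-files`, would save the next contributor from the same assumption.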
From: =?UTF-8?q?St=C3=A9phane=20Wirtel?=
Date: Tue, 23 Dec 2025 19:20:57 +0100
Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=94=92=20security:=20upgrade=20urllib?=
 =?UTF-8?q?3=20to=202.6.2=20to=20fix=20CVE-2025-66471?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Upgrade urllib3 from 2.5.0 to 2.6.2 to address CVE-2025-66471 (GHSA-2xpw-w6gg-jr37), a high-severity vulnerability related to improper handling of highly compressed data in the streaming API. This vulnerability could lead to excessive CPU and memory consumption when processing highly compressed responses from untrusted sources, potentially causing denial of service.

Fixes: #120
Severity: High (CVSS v4: 8.9)
CWE-409: Improper Handling of Highly Compressed Data
---
 requirements/dev.txt | 56 +++++++++++++++++++------------------
 requirements/main.txt | 50 ++++++++++++++++----------------
 requirements/production.txt | 4 +++
 3 files changed, 58 insertions(+), 52 deletions(-)

diff --git a/requirements/dev.txt b/requirements/dev.txt
index 0073b87..5209d41 100644
--- a/requirements/dev.txt
+++ b/requirements/dev.txt
@@ -2,51 +2,49 @@
 # uv pip compile --output-file requirements/dev.txt requirements/dev.in
 asgiref==3.11.0
 # via
- # -c main.txt
+ # -c requirements/main.txt
 # django
 boolean-py==5.0
 # via license-expression
-cachecontrol[filecache]==0.14.4
- # via
- # cachecontrol
- # pip-audit
+cachecontrol==0.14.4
+ # via pip-audit
 certifi==2025.11.12
 # via
- # -c main.txt
+ # -c requirements/main.txt
 # requests
 charset-normalizer==3.4.4
 # via
- # -c main.txt
+ # -c requirements/main.txt
 # requests
 coverage==7.12.0
- # via -r dev.in
+ # via -r requirements/dev.in
 cyclonedx-python-lib==9.1.0
 # via pip-audit
 defusedxml==0.7.1
 # via
- # -c main.txt
+ # -c requirements/main.txt
 # py-serializable
 django==5.2.9
 # via
- # -c main.txt
+ # -c requirements/main.txt
 # django-debug-toolbar
 # model-mommy
 django-debug-toolbar==6.1.0
- # via -r dev.in
+ # via -r requirements/dev.in
 factory-boy==3.3.3
- # via -r dev.in
+ # via -r requirements/dev.in
 faker==39.0.0
 # via factory-boy
 fakeredis==2.32.1
- # via -r dev.in
+ # via -r requirements/dev.in
 filelock==3.20.1
 # via cachecontrol
 idna==3.11
 # via
- # -c main.txt
+ # -c requirements/main.txt
 # requests
 isort==7.0.0
- # via -r dev.in
+ # via -r requirements/dev.in
 license-expression==30.4.4
 # via cyclonedx-python-lib
 markdown-it-py==4.0.0
@@ -54,25 +52,29 @@ markdown-it-py==4.0.0
 mdurl==0.1.2
 # via markdown-it-py
 model-mommy==2.0.0
- # via -r dev.in
+ # via -r requirements/dev.in
 msgpack==1.1.2
 # via cachecontrol
 packageurl-python==0.17.6
 # via cyclonedx-python-lib
 packaging==25.0
 # via
- # -c main.txt
+ # -c requirements/main.txt
 # pip-audit
 # pip-requirements-parser
 # pipdeptree
+pip==25.3
+ # via
+ # pip-api
+ # pipdeptree
 pip-api==0.0.34
 # via pip-audit
 pip-audit==2.9.0
- # via -r dev.in
+ # via -r requirements/dev.in
 pip-requirements-parser==32.0.1
 # via pip-audit
 pipdeptree==2.30.0
- # via -r dev.in
+ # via -r requirements/dev.in
 platformdirs==4.5.0
 # via pip-audit
 py-serializable==2.1.0
@@ -83,35 +85,35 @@ pyparsing==3.2.5
 # via pip-requirements-parser
 redis==7.1.0
 # via
- # -c main.txt
+ # -c requirements/main.txt
 # fakeredis
 requests==2.32.5
 # via
- # -c main.txt
+ # -c requirements/main.txt
 # cachecontrol
 # pip-audit
 rich==14.2.0
 # via pip-audit
 ruff==0.14.7
- # via -r dev.in
+ # via -r requirements/dev.in
 sortedcontainers==2.4.0
 # via
 # cyclonedx-python-lib
 # fakeredis
 sqlparse==0.5.4
 # via
- # -c main.txt
+ # -c requirements/main.txt
 # django
 # django-debug-toolbar
 toml==0.10.2
 # via pip-audit
 tzdata==2025.2
 # via
- # -c main.txt
+ # -c requirements/main.txt
 # faker
-urllib3==2.5.0
+urllib3==2.6.2
 # via
- # -c main.txt
+ # -c requirements/main.txt
 # requests
 uv==0.9.13
- # via -r dev.in
+ # via -r requirements/dev.in
diff --git a/requirements/main.txt b/requirements/main.txt
index 9a777ee..d165fbf 100644
--- a/requirements/main.txt
+++ b/requirements/main.txt
@@ -11,7 +11,7 @@ babel==2.17.0
 beautifulsoup4==4.14.2
 # via wagtail
 boto3==1.41.5
- # via -r main.in
+ # via -r requirements/main.in
 botocore==1.41.5
 # via
 # boto3
@@ -21,20 +21,20 @@ certifi==2025.11.12
 charset-normalizer==3.4.4
 # via requests
 colander==2.0
- # via -r main.in
+ # via -r requirements/main.in
 defusedxml==0.7.1
 # via
- # -r main.in
+ # -r requirements/main.in
 # willow
 delorean==1.0.0
- # via -r main.in
+ # via -r requirements/main.in
 dj-database-url==3.0.1
- # via -r main.in
+ # via -r requirements/main.in
 dj-static==0.0.6
- # via -r main.in
+ # via -r requirements/main.in
 django==5.2.9
 # via
- # -r main.in
+ # -r requirements/main.in
 # dj-database-url
 # django-appconf
 # django-compressor
@@ -55,27 +55,27 @@ django-appconf==1.2.0
 # via django-compressor
 django-compressor==4.6.0
 # via
- # -r main.in
+ # -r requirements/main.in
 # django-libsass
 django-extensions==4.1
- # via -r main.in
+ # via -r requirements/main.in
 django-filter==25.2
 # via wagtail
 django-libsass==0.9
- # via -r main.in
+ # via -r requirements/main.in
 django-modelcluster==6.4
 # via
- # -r main.in
+ # -r requirements/main.in
 # wagtail
 django-permissionedforms==0.1
 # via wagtail
 django-storages==1.14.6
- # via -r main.in
+ # via -r requirements/main.in
 django-stubs-ext==5.2.7
 # via django-tasks
 django-taggit==6.1.0
 # via
- # -r main.in
+ # -r requirements/main.in
 # wagtail
 django-tasks==0.9.0
 # via
@@ -92,7 +92,7 @@ et-xmlfile==2.0.0
 filetype==1.2.0
 # via willow
 gunicorn==23.0.0
- # via -r main.in
+ # via -r requirements/main.in
 humanize==4.14.0
 # via delorean
 idna==3.11
@@ -116,7 +116,7 @@ openpyxl==3.1.5
 packaging==25.0
 # via gunicorn
 pandas==2.3.3
- # via -r main.in
+ # via -r requirements/main.in
 pillow==12.0.0
 # via
 # pillow-heif
@@ -124,27 +124,27 @@ pillow==12.0.0
 pillow-heif==1.1.1
 # via willow
 pydantic==2.12.5
- # via -r main.in
+ # via -r requirements/main.in
 pydantic-core==2.41.5
 # via pydantic
 python-dateutil==2.9.0.post0
 # via
- # -r main.in
+ # -r requirements/main.in
 # botocore
 # delorean
 # pandas
 pytz==2025.2
 # via
- # -r main.in
+ # -r requirements/main.in
 # delorean
 # pandas
 rcssmin==1.2.2
 # via django-compressor
 redis==7.1.0
- # via -r main.in
+ # via -r requirements/main.in
 requests==2.32.5
 # via
- # -r main.in
+ # -r requirements/main.in
 # wagtail
 rjsmin==1.2.5
 # via django-compressor
@@ -176,15 +176,15 @@ tzdata==2025.2
 # via pandas
 tzlocal==5.3.1
 # via delorean
-urllib3==2.5.0
+urllib3==2.6.2
 # via
 # botocore
 # requests
 wagtail==7.2.1
- # via -r main.in
+ # via -r requirements/main.in
 whitenoise==6.11.0
- # via -r main.in
-willow[heif]==1.12.0
+ # via -r requirements/main.in
+willow==1.12.0
 # via
- # -r main.in
+ # -r requirements/main.in
 # wagtail
diff --git a/requirements/production.txt b/requirements/production.txt
index 2993b2f..91dc57d 100644
--- a/requirements/production.txt
+++ b/requirements/production.txt
@@ -4,3 +4,7 @@ psycopg==3.2.13
 # via -r requirements/production.in
 psycopg-binary==3.2.13
 # via psycopg
+typing-extensions==4.15.0
+ # via
+ # -c requirements/main.txt
+ # psycopg