Fix Python dependency vulnerabilities (#301)

zeevmoney · claude · web-flow · commit 7c635ec29a19 · 2026-03-18T20:09:16.000+02:00
* Bump vulnerable Python dependencies and remove wheel from image - aiohttp: >=3.13.3 (CVE-2025-69223, CVE-2025-69227/28/29) - urllib3: >=2.6.3 (CVE-2025-66418, CVE-2025-66471, CVE-2026-21441) - protobuf: >=6.33.5 (CVE-2026-0994) - cryptography: >=46.0.5 added explicitly (CVE-2026-26007) - wheel: uninstalled after pip install in Dockerfile (CVE-2026-24049) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Bump Rust base image to 1.88 to fix cargo-chef MSRV cargo-chef now pulls cargo-platform@0.3.2 (requires rustc 1.88) and cargo_metadata@0.23.1 / guppy@0.17.25 (require rustc 1.86). The previous rust:1.85-alpine image can no longer build these tools. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/Dockerfile b/Dockerfile
@@ -8,6 +8,7 @@ ARG OPA_BUILD=permit
 # couldn't get this to work without the help of those two sources
 # (1) this stage will be run always on current arch
 # zigbuild & Cargo targets added
+
 FROM --platform=$BUILDPLATFORM rust:1.94-alpine AS rust_chef
 WORKDIR /app
 ENV PKGCONFIG_SYSROOTDIR=/
@@ -140,7 +141,7 @@ COPY ./requirements.txt ./requirements.txt
 RUN --mount=type=cache,target=/root/.cache/pip \
     pip install --upgrade pip setuptools && \
     pip install -r requirements.txt && \
-    python -m pip uninstall -y pip setuptools && \
+    python -m pip uninstall -y pip setuptools wheel && \
     rm -r /usr/local/lib/python3.10/ensurepip
 
 USER permit
diff --git a/requirements.txt b/requirements.txt
@@ -1,9 +1,9 @@
-aiohttp>=3.12.14,<4
+aiohttp>=3.13.3,<4
 fastapi>=0.115.6,<1
 Jinja2>=3.1.2,<4
 pydantic[email]>=1.9.1,<2
 requests>=2.32.4,<3
-urllib3>=2.5.0,<3
+urllib3>=2.6.3,<3
 gunicorn>=23.0.0,<24
 tenacity>=8.0.1,<9
 typer>=0.4.1,<1
@@ -15,6 +15,7 @@ scalar-fastapi==1.0.3
 httpx>=0.27.0,<1
 # TODO: change to use re2 in the future, currently not supported in alpine due to c++ library issues
 # google-re2 # use re2 instead of re for regex matching because it's simiplier and safer for user inputted regexes
-protobuf>=3.20.2 # not directly required, pinned by Snyk to avoid a vulnerability
+protobuf>=6.33.5 # pinned to avoid CVE-2026-0994
+cryptography>=46.0.5,<47 # pinned to avoid CVE-2026-26007
 opal-common==0.8.3
 opal-client==0.8.3
