
Fix Python dependency vulnerabilities#301

Merged
zeevmoney merged 3 commits into main from per-14185/fix-dep-vulnerabilities
Mar 18, 2026

Conversation

@zeevmoney
Contributor

@zeevmoney zeevmoney commented Mar 14, 2026

Summary

  • Bump minimum versions for aiohttp, urllib3, protobuf, and add cryptography as explicit dependency in requirements.txt to resolve known CVEs
  • Uninstall wheel from final Docker image after pip install to remove CVE-2026-24049
  • Alpine OS OpenSSL vulns (CVE-2025-15467 CRITICAL + 6 HIGH) are resolved by the fresh image build since apk upgrade is already in the Dockerfile

Python dependency changes (requirements.txt)

| Package | Old constraint | New constraint | CVEs fixed |
|---|---|---|---|
| aiohttp | >=3.12.14,<4 | >=3.13.3,<4 | CVE-2025-69223 (HIGH), CVE-2025-69227, CVE-2025-69228, CVE-2025-69229 (MEDIUM) |
| urllib3 | >=2.5.0,<3 | >=2.6.3,<3 | CVE-2025-66418 (HIGH), CVE-2025-66471 (HIGH), CVE-2026-21441 (HIGH) |
| protobuf | >=3.20.2 | >=6.33.5 | CVE-2026-0994 (HIGH) |
| cryptography | (not listed) | >=46.0.5,<47 | CVE-2026-26007 (HIGH) |

cryptography was already imported directly in horizon/startup/offline_mode.py but was not declared as an explicit dependency — it was pulled in transitively. Adding it explicitly ensures the minimum version is enforced regardless of what transitive resolution produces.

The protobuf lower bound was >=3.20.2 (pinned by Snyk years ago). The version actually installed in the image was 6.33.1, so bumping to >=6.33.5 reflects reality and fixes the CVE.

Dockerfile changes

  • wheel uninstall: Added wheel to the pip uninstall cleanup step. wheel is only needed at build time for building Python packages and has no runtime purpose. Removing it eliminates CVE-2026-24049 from the final image.
  • Rust image bump: As described above.

Alpine OS packages (no code change needed)

CVE-2025-15467 (CRITICAL) and 6 HIGH CVEs affect libcrypto3/libssl3 (OpenSSL 3.5.4-r0). The Dockerfile already runs apk upgrade which pulls the latest packages from Alpine repos. The fixed version 3.5.5-r0 is available in Alpine 3.22 repos, so a fresh Docker build resolves all 8 OpenSSL CVEs automatically.

Out of scope

3 CVEs in Go libraries compiled into the OPA binary (containerd, mapstructure) must be fixed in the permitio/permit-opa repository. Tracked separately in PER-14186.

Linear Issue

PER-14185

Test plan

  • Verify Docker image builds successfully with updated dependencies
  • Run existing tests to confirm no regressions from dependency bumps
  • Scan rebuilt image with vulnerability scanner to confirm CVEs are resolved

Tests

  • Unit tests added for all public functions — N/A (dependency version bumps only, no code changes)
  • Unit tests added for critical functions — N/A
  • Mocks used for external dependencies — N/A
  • Integration tests: not needed — version bumps don't change behavior
  • Test infrastructure: existing

Generated with Claude Code

- aiohttp: >=3.13.3 (CVE-2025-69223, CVE-2025-69227/28/29)
- urllib3: >=2.6.3 (CVE-2025-66418, CVE-2025-66471, CVE-2026-21441)
- protobuf: >=6.33.5 (CVE-2026-0994)
- cryptography: >=46.0.5 added explicitly (CVE-2026-26007)
- wheel: uninstalled after pip install in Dockerfile (CVE-2026-24049)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
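The two failure modes the PR description calls out, a declared floor that is lower than the fixed version (protobuf at >=3.20.2 while 6.33.1 was installed) and a directly imported package that is only reachable transitively (cryptography), are both invisible to a plain `pip check`. The script below is an added example, not code from this PR or from the permit-opal project: it audits a requirements.txt against a table of minimum fixed versions, checks a `pip freeze` listing against the declared constraints, flags direct imports that are undeclared, and flags build-only tooling left in the runtime image. The "before" and "after" constraints and the fixed-in versions come from the PR's table; the `pip freeze` listings, the `DIRECT_IMPORTS` set and the `BUILD_ONLY` set are constructed for the example (of the "before" versions, only protobuf 6.33.1 is reported by the PR; the rest are invented). Version comparison uses the release segment only, which is sufficient for floor checks but is not a full PEP 440 comparator.

```python
import operator
import re
from dataclasses import dataclass

# Constructed sample: requirements.txt before the PR (old constraints from the PR table).
REQUIREMENTS_BEFORE = """\
aiohttp>=3.12.14,<4
urllib3>=2.5.0,<3
protobuf>=3.20.2
"""

# Constructed sample: requirements.txt after the PR (new constraints from the PR table).
REQUIREMENTS_AFTER = """\
aiohttp>=3.13.3,<4
urllib3>=2.6.3,<3
protobuf>=6.33.5
cryptography>=46.0.5,<47
"""

# Minimum fixed versions, taken from the PR's "New constraint" column.
FIXED_IN = {"aiohttp": "3.13.3", "urllib3": "2.6.3", "protobuf": "6.33.5", "cryptography": "46.0.5"}

# Constructed sample: `pip freeze` from the old image. Only protobuf 6.33.1 is reported by the
# PR; the other versions are invented for the example.
FREEZE_BEFORE = """\
aiohttp==3.12.14
cryptography==45.0.7
protobuf==6.33.1
urllib3==2.5.0
wheel==0.45.1
"""

# Constructed sample: `pip freeze` from a rebuilt image after the PR (versions assumed).
FREEZE_AFTER = """\
aiohttp==3.13.3
cryptography==46.0.5
protobuf==6.33.5
urllib3==2.6.3
"""

# Assumed set of packages the application imports directly (the PR notes that
# horizon/startup/offline_mode.py imports cryptography).
DIRECT_IMPORTS = {"aiohttp", "urllib3", "protobuf", "cryptography"}

# Packaging tooling with no runtime purpose; the PR uninstalls these from the final layer.
BUILD_ONLY = {"pip", "setuptools", "wheel"}

_OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
        "!=": operator.ne, ">": operator.gt, "<": operator.lt}
_SPEC_RE = re.compile(r"(>=|<=|==|!=|>|<)\s*([0-9][\w.]*)")


def parse_version(text):
    """Release segment only: '3.13.3' -> (3, 13, 3). Pre/post/dev tags are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def parse_requirements(text):
    """'aiohttp>=3.13.3,<4' -> {'aiohttp': [('>=', (3, 13, 3)), ('<', (4,))]}."""
    reqs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line).group(0)
        reqs[name.lower()] = [(op, parse_version(v)) for op, v in _SPEC_RE.findall(line[len(name):])]
    return reqs


def parse_freeze(text):
    """'urllib3==2.6.3' lines -> {'urllib3': (2, 6, 3)}; non-pinned lines are skipped."""
    return {n.strip().lower(): parse_version(v)
            for n, v in (l.split("==", 1) for l in text.splitlines() if "==" in l)}


@dataclass
class Audit:
    weak_floors: dict   # package -> declared '>=' floor (None if undeclared) below the fixed version
    below_floor: dict   # package -> installed version that violates its declared constraint
    undeclared: set     # imported directly but absent from requirements.txt (transitive only)
    build_tools: set    # pip/setuptools/wheel still present in the runtime image


def audit(requirements_txt, pip_freeze, direct_imports, fixed_in=FIXED_IN):
    reqs = parse_requirements(requirements_txt)
    installed = parse_freeze(pip_freeze)

    # A floor that admits a vulnerable version is a finding even if the image happens to be fine today.
    weak = {}
    for pkg, fixed in fixed_in.items():
        floors = [v for op, v in reqs.get(pkg, []) if op == ">="]
        if not floors or max(floors) < parse_version(fixed):
            weak[pkg] = max(floors) if floors else None

    # What is actually installed must satisfy every declared specifier.
    below = {p: installed[p] for p, specs in reqs.items()
             if p in installed and not all(_OPS[op](installed[p], b) for op, b in specs)}

    return Audit(weak, below, {p.lower() for p in direct_imports} - set(reqs), BUILD_ONLY & set(installed))


if __name__ == "__main__":
    for label, req, frz in (("before", REQUIREMENTS_BEFORE, FREEZE_BEFORE),
                            ("after", REQUIREMENTS_AFTER, FREEZE_AFTER)):
        print(label, audit(req, frz, DIRECT_IMPORTS))
```

On the "before" inputs the installed versions satisfy every declared constraint (`below_floor` is empty), which is exactly why a resolver-level check passes while the scanner still reports CVEs; the findings surface only in `weak_floors` (all four packages, cryptography with no floor at all), `undeclared` (cryptography) and `build_tools` (wheel). Running the post-PR constraints against the old freeze listing turns the same four packages into `below_floor` findings, which is the check to run on a rebuilt image before trusting the scanner's green result.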
@linear

linear bot commented Mar 14, 2026

@zeevmoney zeevmoney changed the title Fix Python dependency vulnerabilities from customer scan Fix Python dependency vulnerabilities Mar 14, 2026
cargo-chef now pulls cargo-platform@0.3.2 (requires rustc 1.88) and
cargo_metadata@0.23.1 / guppy@0.17.25 (require rustc 1.86). The
previous rust:1.85-alpine image can no longer build these tools.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@zeevmoney zeevmoney requested a review from Copilot March 14, 2026 23:57
@zeevmoney zeevmoney marked this pull request as ready for review March 14, 2026 23:57

Copilot AI left a comment


Pull request overview

This PR updates Python dependencies and the Docker build to remediate reported CVEs in the runtime image, primarily by bumping minimum versions and reducing installed packaging tooling in the final container.

Changes:

  • Bump minimum versions for aiohttp, urllib3, and protobuf, and add cryptography as an explicit dependency in requirements.txt.
  • Update the Rust build stage image version.
  • Uninstall wheel (in addition to pip and setuptools) from the final Docker image layer after dependency installation.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| requirements.txt | Raises minimum versions for vulnerable deps and adds explicit cryptography. |
| Dockerfile | Updates Rust builder base image and removes wheel from final runtime layer post-install. |


@zeevmoney zeevmoney requested a review from omer9564 March 18, 2026 15:38
@zeevmoney zeevmoney merged commit 7c635ec into main Mar 18, 2026
5 checks passed
@zeevmoney zeevmoney deleted the per-14185/fix-dep-vulnerabilities branch March 18, 2026 18:09