security(deps): bump aiohttp to 3.14.0, anthropic to 0.87.0; pin cryptography floor
- aiohttp 3.13.4 -> 3.14.0 (messaging/slack/homeassistant/sms extras + lazy_deps platform.slack) — picks up CVE-2026-34993 (RCE via CookieJar.load deserialization) and CVE-2026-47265 (per-request cookie leak on cross-origin redirect). Both are fixed only in 3.14.0; there is no 3.13.x backport. - anthropic 0.86.0 -> 0.87.0 (anthropic extra) — CVE-2026-34450 / CVE-2026-34452. lazy_deps provider.anthropic was already 0.87.0; the extra pin had drifted back to the vulnerable 0.86.0, so this realigns it. - cryptography pinned explicitly at 46.0.7 in core deps — CVE-2026-39892, CVE-2026-34073. It only arrives transitively via PyJWT[crypto]; the explicit floor keeps the WeCom/Weixin crypto paths from drifting below the fix. uv.lock regenerated; only aiohttp / anthropic moved (cryptography already resolved to 46.0.7). Verified 3.14.0 satisfies discord.py 2.7.1 (aiohttp>=3.7.4,<4) and slack-sdk 3.40.1 (aiohttp>=3.7.3,<4).
This commit is contained in:
parent
b48cacb97b
commit
db57cbbaf6
2 changed files with 9 additions and 6 deletions
@ -87,6 +87,9 @@ dependencies = [
# urllib3 2.7.0 fixes GHSA-mf9v-mfxr-j63j (decompression-bomb bypass)
# and GHSA-qccp-gfcp-xxvc (header leak across origins).
"urllib3>=2.7.0,<3",
# cryptography is pulled in transitively by PyJWT[crypto]; pin it explicitly
# so the WeCom/Weixin crypto paths can't drift below the CVE-fixed floor.
"cryptography==46.0.7", # CVE-2026-39892, CVE-2026-34073
# Windows has no IANA tzdata shipped with the OS, so Python's ``zoneinfo``
# (PEP 615) raises ``ZoneInfoNotFoundError`` for every non-UTC timezone
# out of the box. ``tzdata`` ships the Olson database as a data package
@ -155,9 +158,9 @@ modal = ["modal==1.3.4"]
daytona = ["daytona==0.155.0"]
hindsight = ["hindsight-client==0.6.1"]
dev = ["debugpy==1.8.20", "pytest==9.0.2", "pytest-asyncio==1.3.0", "mcp==1.26.0", "starlette==1.0.1", "ty==0.0.21", "ruff==0.15.10", "setuptools==81.0.0"] # starlette: CVE-2026-48710; setuptools: latest <82 (torch >=2.11 caps setuptools<82)
messaging = ["python-telegram-bot[webhooks]==22.6", "discord.py[voice]==2.7.1", "aiohttp==3.13.4", "brotlicffi==1.2.0.1", "slack-bolt==1.27.0", "slack-sdk==3.40.1", "qrcode==7.4.2"] # aiohttp: CVE-2026-34513/34518/34519/34520/34525
messaging = ["python-telegram-bot[webhooks]==22.6", "discord.py[voice]==2.7.1", "aiohttp==3.14.0", "brotlicffi==1.2.0.1", "slack-bolt==1.27.0", "slack-sdk==3.40.1", "qrcode==7.4.2"] # aiohttp 3.14.0: CVE-2026-34513/34518/34519/34520/34525 + 34993(RCE)/47265
cron = [] # croniter is now a core dependency; this extra kept for back-compat
slack = ["slack-bolt==1.27.0", "slack-sdk==3.40.1", "aiohttp==3.13.4"]
slack = ["slack-bolt==1.27.0", "slack-sdk==3.40.1", "aiohttp==3.14.0"]
matrix = ["mautrix[encryption]==0.21.0", "aiosqlite==0.22.1", "asyncpg==0.31.0", "aiohttp-socks==0.11.0"]
# WeCom callback-mode adapter — parses untrusted XML POST bodies from
# WeCom-controlled callback endpoints, so we use defusedxml (drop-in
@ -203,9 +206,9 @@ vision = []
# a vulnerable pre-1.0.1 transitive. Bump in lockstep with uv.lock.
mcp = ["mcp==1.26.0", "starlette==1.0.1"] # starlette: CVE-2026-48710
nemo-relay = ["nemo-relay==0.3"]
homeassistant = ["aiohttp==3.13.4"]
sms = ["aiohttp==3.13.4"]
teams = ["microsoft-teams-apps==2.0.13.4", "aiohttp==3.13.4"]
homeassistant = ["aiohttp==3.14.0"]
sms = ["aiohttp==3.14.0"]
teams = ["microsoft-teams-apps==2.0.13.4", "aiohttp==3.14.0"] # aiohttp 3.14.0: CVE-2026-34993(RCE)/47265 + 34513/34518/34519/34520/34525
# Computer use — macOS background desktop control via cua-driver (MCP stdio).
# The cua-driver binary itself is installed via `hermes tools` post-setup
# (curl install script); this extra just pins the MCP client used to talk
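Review bot: `"cryptography==46.0.7"` in the first hunk (`@ -87,6 +87,9 @@`) is an exact pin, while the comment directly above it and the commit title both describe a floor; an exact pin also keeps the next cryptography security release from resolving until this line is edited by hand, which is the opposite of the drift protection the comment promises. If a floor is what is intended, the `"urllib3>=2.7.0,<3"` entry a few lines up in the same hunk is the precedent to follow: `"cryptography>=46.0.7,<47", # CVE-2026-39892, CVE-2026-34073`, with uv.lock still fixing the resolved version. If the exact pin is deliberate, the comment should say so instead of "floor", e.g. `# pinned exactly; bump in lockstep with uv.lock`, matching the wording the mcp extra already uses in the third hunk. The `dependencies = [` list begins and ends outside the hunk.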
@ -158,7 +158,7 @@ LAZY_DEPS: dict[str, tuple[str, ...]] = {
"platform.slack": (
"slack-bolt==1.27.0",
"slack-sdk==3.40.1",
"aiohttp==3.13.4", # CVE-2026-34513/34518/34519/34520/34525
"aiohttp==3.14.0", # CVE-2026-34513/34518/34519/34520/34525 + 34993(RCE)/47265
),
"platform.matrix": (
"mautrix[encryption]==0.21.0",