Conversation
jhd3197
commented
Feb 12, 2026
- Werkzeug 3.0.1 → 3.1.5 (5 vulnerabilities)
- Flask-Cors 5.0.1 → 6.0.2 (3 vulnerabilities)
- gunicorn 22.0.0 → 23.0.0 (TolerateDangerousFraming header issue)
- cryptography 44.0.3 → 46.0.5 (CVE-2026-26007 improper input validation)
Pull request overview
Updates backend Python dependency pins to address vulnerabilities flagged by Safety CI and bumps the application version accordingly.
Changes:
- Bump vulnerable dependencies in `backend/requirements.txt` (Werkzeug, Flask-Cors, gunicorn, cryptography).
- Increment release `VERSION` from 1.2.85 to 1.2.86.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| backend/requirements.txt | Updates pinned versions of vulnerable backend dependencies. |
| VERSION | Bumps application version to reflect the dependency updates. |
| gunicorn==23.0.0 | ||
| gevent==25.4.2 | ||
| gevent-websocket==0.10.1 |
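Review bot: the gunicorn==23.0.0 pin in this hunk only holds if requirements.txt is the last place pip resolves gunicorn; a later `pip install gunicorn gevent gevent-websocket` without versions resolves to whatever is current at build time and silently replaces these pins. Make `pip install -r requirements.txt` the only install step, and verify in the built image with `pip freeze | grep -i gunicorn` that 23.0.0 is what actually ships before treating the Safety finding as closed.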
In the backend Dockerfile, dependencies are installed from requirements.txt and then gunicorn, gevent, and gevent-websocket are installed again without version pins, which can override these pinned versions and make the build non-reproducible (and potentially reintroduce the vulnerabilities this PR is trying to fix). Consider removing the second install step or pinning those packages there to the same versions as requirements.txt.
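A small check for the problem raised in the review above, as an added example that is not code from this project or from the reviewer: it parses the `==` pins from a requirements file and scans a Dockerfile for `pip install` steps that name the same packages either unpinned or at a different version. The requirements content reuses the pins visible in this PR; the two Dockerfiles are constructed to match the pattern the review describes (an install from requirements.txt followed by an unpinned reinstall) and its suggested fix, and are not the project's real Dockerfile.

```python
"""Flag Dockerfile pip installs that can override requirements.txt pins.

Constructed example modelled on the review comment; the Dockerfiles and
requirements text below are sample inputs, not the project's own files.
"""
import re

# Constructed requirements.txt using the pins shown in this PR.
REQUIREMENTS = """\
Werkzeug==3.1.5
Flask-Cors==6.0.2
gunicorn==23.0.0
gevent==25.4.2
gevent-websocket==0.10.1
cryptography==46.0.5
"""

# Constructed "before": pinned install, then an unpinned reinstall that
# lets pip resolve gunicorn/gevent/gevent-websocket to whatever is current.
DOCKERFILE_BEFORE = """\
FROM python:3.12-slim
COPY requirements.txt .
RUN pip install -r requirements.txt
RUN pip install gunicorn gevent gevent-websocket
"""

# Constructed "after": requirements.txt is the only place versions come from.
DOCKERFILE_AFTER = """\
FROM python:3.12-slim
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
"""

PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")
SPEC_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:==([^\s;#]+))?$")
# pip options that consume the following token (so "-r requirements.txt"
# is not mistaken for a package named "requirements.txt")
OPTS_WITH_ARG = {"-r", "--requirement", "-c", "--constraint",
                 "-i", "--index-url", "--extra-index-url", "-f", "--find-links"}


def normalize(name):
    """PEP 503 name normalisation so Flask-Cors and flask_cors compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(text):
    """Return {normalised-name: version} for every ==-pinned line."""
    pins = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def find_overrides(dockerfile, requirements):
    """Return (line, package, kind, pinned_version) for each risky install.

    kind is "unpinned" when a RUN pip install names a package with no
    version, or "conflict" when it pins a version different from
    requirements.txt. Single-line RUN steps only (no backslash continuations).
    """
    pins = parse_pins(requirements)
    findings = []
    for lineno, line in enumerate(dockerfile.splitlines(), 1):
        if not line.lstrip().startswith("RUN "):
            continue
        m = re.search(r"\bpip3?\s+install\s+(.*)$", line)
        if not m:
            continue
        skip_next = False
        for tok in m.group(1).split():
            if skip_next:
                skip_next = False
                continue
            if tok in OPTS_WITH_ARG:
                skip_next = True
                continue
            if tok.startswith("-"):
                continue
            sm = SPEC_RE.match(tok)
            if not sm:
                continue
            name, version = normalize(sm.group(1)), sm.group(2)
            pinned = pins.get(name)
            if version is None:
                findings.append((lineno, name, "unpinned", pinned))
            elif pinned is not None and version != pinned:
                findings.append((lineno, name, "conflict", pinned))
    return findings


if __name__ == "__main__":
    for dockerfile in (DOCKERFILE_BEFORE, DOCKERFILE_AFTER):
        for lineno, name, kind, pinned in find_overrides(dockerfile, REQUIREMENTS):
            print(f"line {lineno}: {name} {kind} (requirements.txt pins {pinned})")
```

Running this on the "before" Dockerfile reports all three packages on line 4 as unpinned against their requirements.txt pins; the "after" Dockerfile produces no findings. Such a check belongs in the same CI job as the Safety scan, since a scan of requirements.txt alone says nothing about what the image actually contains.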