Skip to content

Bump the pip group across 3 directories with 7 updates#87

Open
dependabot[bot] wants to merge 5 commits intomainfrom
dependabot/pip/webClient/api/pip-c5e67f0ee2
Open

Bump the pip group across 3 directories with 7 updates#87
dependabot[bot] wants to merge 5 commits intomainfrom
dependabot/pip/webClient/api/pip-c5e67f0ee2

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot bot commented on behalf of github Nov 18, 2025

Bumps the pip group with 5 updates in the /webClient/api directory:

Package From To
flask 3.1.0 3.1.1
flask-cors 5.0.0 6.0.0
python-socketio 5.11.4 5.14.0
eventlet 0.37.0 0.40.3
requests 2.32.3 2.32.4

Bumps the pip group with 3 updates in the /managerServer/api directory: flask-cors, pymysql and gunicorn.
Bumps the pip group with 2 updates in the /archive/manager/api directory: flask-cors and gunicorn.

Updates flask from 3.1.0 to 3.1.1

Release notes

Sourced from flask's releases.

3.1.1

This is the Flask 3.1.1 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

PyPI: https://pypi.org/project/Flask/3.1.1/ Changes: https://flask.palletsprojects.com/en/stable/changes/#version-3-1-1 Milestone https://github.com/pallets/flask/milestone/36?closed=1

  • Fix signing key selection order when key rotation is enabled via SECRET_KEY_FALLBACKS. GHSA-4grg-w6v8-c28g
  • Fix type hint for cli_runner.invoke. #5645
  • flask --help loads the app and plugins first to make sure all commands are shown. #5673
  • Mark sans-io base class as being able to handle views that return AsyncIterable. This is not accurate for Flask, but makes typing easier for Quart. #5659
Changelog

Sourced from flask's changelog.

Version 3.1.1

Released 2025-05-13

  • Fix signing key selection order when key rotation is enabled via SECRET_KEY_FALLBACKS. :ghsa:4grg-w6v8-c28g
  • Fix type hint for cli_runner.invoke. :issue:5645
  • flask --help loads the app and plugins first to make sure all commands are shown. :issue:5673
  • Mark sans-io base class as being able to handle views that return AsyncIterable. This is not accurate for Flask, but makes typing easier for Quart. :pr:5659
Commits

Updates flask-cors from 5.0.0 to 6.0.0

Release notes

Sourced from flask-cors's releases.

6.0.0

Breaking

Path specificity ordering has changed to improve specificity. This may break users who expected the previous incorrect ordering.

What's Changed

Full Changelog: corydolphin/flask-cors@5.0.1...6.0.0

5.0.1

What's Changed

This primarily changes packaging to use uv and a new release pipeline, along with some small documentation improvements

New Contributors

Full Changelog: corydolphin/flask-cors@5.0.0...5.0.01

Commits

Updates python-socketio from 5.11.4 to 5.14.0

Release notes

Sourced from python-socketio's releases.

Release 5.14.0

See CHANGES.md for release notes.

Release 5.13.0

See CHANGES.md for release notes.

Release 5.12.1

See CHANGES.md for release notes.

Release 5.12.0

See CHANGES.md for release notes.

Changelog

Sourced from python-socketio's changelog.

python-socketio change log

Release 5.14.3 - 2025-10-29

  • Support Python's native ConnectionRefusedError exception to reject a connection #1515 (commit)
  • Push binary data to the aiopika client manager #1514 (commit)

Release 5.14.2 - 2025-10-15

  • Restore binary message support in message queue setups #1509 (commit)
  • Fix formatting of client connection error #1507 (commit)
  • Add 3.14 and pypy-3.11 CI tasks (commit)
  • Improve documentation of the BaseManager.get_participants() method (commit)

Release 5.14.1 - 2025-10-02

  • Restore support for rediss:// URLs, and add support for valkeys:// as well (commit)
  • Add support for Redis connections using unix sockets #1503 (commit) (thanks Darren Chang!)

Release 5.14.0 - 2025-09-30

  • Replace pickle with json in message queue communications #1502 (commit)
  • Add support for Valkey in the Redis client managers #1488 (commit) (thanks phi-friday!)
  • Keep track of which namespaces failed to connect #1496 (commit)
  • Fixed transport property of the simple clients to be a string as documented #1499 (commit)
  • SimpleClient.call does not raise TimeoutError on timeout #1501 (commit) (thanks James Thistlewood!)
  • Wait for client to end background tasks on disconnect #1500 (commit)
  • Better error logging for the Redis managers #1479 (commit) (thanks Eugnee!)
  • Channel was not properly initialized in several pubsub client managers #1476 (commit) (thanks Eugnee!)
  • Add message queue deployment recommendations for security (commit)
  • Add missing async on session examples for the async server #1465 (commit) (thanks Func!)
  • Add SPDX license identifier #1453 (commit) (thanks Marc Mueller!)

Release 5.13.0 - 2025-04-12

  • Eliminate race conditions on disconnect #1441 (commit)
  • Preserve exception context in Client.connect and AsyncClient.connect #1450 (commit) (thanks Tim Van Baak!)
  • Allow custom client subclasses to be used in SimpleClient and AsyncSimpleClient #1432 (commit)
  • Add support for Redis Sentinel URLs in RedisManager and AsyncRedisManager #1448 (commit)
  • Remove incorrect reference to an asyncio installation extra in documentation #1449 (commit)

Release 5.12.1 - 2024-12-29

  • Fix admin instrumentation support of disconnect reasons #1423 (commit)
  • Stop using deprecated datetime functions (commit)
  • Enable admin instrumentation by default in WSGI and ASGI examples (commit)
  • Fixed broken gevent URL in documentation #1427 (commit) (thanks Carlos Guerrero!)

Release 5.12.0 - 2024-12-18

... (truncated)

Commits
  • 400200e Release 5.14.0
  • 53f6be0 Replace pickle with json (#1502)
  • a59c6f5 Fix: SimpleClient.call does not raise TimeoutError on timeout (#1501)
  • f61e0be wait for client to end background tasks on disconnect (#1500)
  • 23556fb Fixed transport property of the simple clients to be a string as documented (...
  • e59acf1 Address failures of test suite on Mac (#1497)
  • 36a8922 Add support for valkey in the Redis client managers (#1488)
  • 5dc2aea keep track of which namespaces failed to connect (#1496)
  • b3da354 Add message queue deployment recommendations
  • 3625fe8 Bump eventlet from 0.35.2 to 0.40.3 in /examples/server/wsgi (#1491) #nolog
  • Additional commits viewable in compare view

Updates eventlet from 0.37.0 to 0.40.3

Changelog

Sourced from eventlet's changelog.

0.40.3

  • [SECURITY] Fix request smuggling vulnerability by discarding trailers (#1062)

0.40.2

  • Fix compatibility issues identified with Python 3.14 on Linux (#1058)
  • Make database removal safer with IF EXISTS (#1056)
  • Prepare jobs and CI/CD for python 3.14 (#1055)

0.40.1

  • [fix] "Fix" fork() so it "works" on Python 3.13, and "works" better on older Python versions (#1047)
    • Behavior change: threads created by eventlet.green.threading.Thread and threading.Thead will be visible across both modules if monkey patching was used. Previously each module would only list threads created in that module.
    • Bug fix: after fork(), greenlet threads are correctly listed in threading.enumerate() if monkey patching was used. You should not use fork()-without-execve().
  • [fix] Fix patching of removed URLopener class in Python 3.14 (#1053)
  • [fix] ReferenceError except while count rlock (#1042)
  • [fix] Replace deprecated datetime.utcfromtimestamp (#1050)
  • [fix][env] Remove duplicate steps (#1049)
  • [fix] Replace deprecated datetime.datetime.utcnow (#1046)

0.40.0

  • [fix] Fix ssl test when linking against openssl 3.5 (#1034)
  • Drop support Python 3.8 (#1021)
  • [doc] Various doc updates (#981, #1033)
  • [env] Drop PyPy support (#1035 #1037)

0.39.1

  • [fix] Make LightQueue and derivatives subscriptable (#1027)

0.39.0

  • [fix] Remove monotonic from requirements (#1018)
  • [fix] wsgi: Clean up some override logic (#999)
  • [fix] Correct line lookup from inspect.getsourcelines() (#990)
  • Drop support of Python 3.7 (#967)
  • [fix] Calling eventlet.sleep(0) isn't really blocking, so don't blow up (#1015)

0.38.2

... (truncated)

Commits
  • b0d9133 Update changelog for version 0.40.3 (#1064)
  • 0bfebd1 [SECURITY] Fix request smuggling vulnerability by discarding trailers (#1062)
  • e073b83 Update changelog for version 0.40.2 (#1060)
  • 06d9572 Fix tests on Python 3.14 on Linux (#1058)
  • d4d5b8f Make database removal safer with IF EXISTS (#1056)
  • 2f217ca Prepare jobs and CI/CD for python 3.14 (#1055)
  • d1e7a94 Update changelog for version 0.40.1 (#1052)
  • 6e9c034 Fix patching of removed URLopener class in Python 3.14 (#1053)
  • e470c1f Handle ReferenceError except while count rlock (#1042)
  • a4dcd4d "Fix" fork() so it "works" on Python 3.13, and "works" better on older Python...
  • Additional commits viewable in compare view

Updates requests from 2.32.3 to 2.32.4

Release notes

Sourced from requests's releases.

v2.32.4

2.32.4 (2025-06-10)

Security

  • CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file. (#6965)

Improvements

  • Numerous documentation improvements

Deprecations

  • Added support for pypy 3.11 for Linux and macOS. (#6926)
  • Dropped support for pypy 3.9 following its end of support. (#6926)
Changelog

Sourced from requests's changelog.

2.32.4 (2025-06-10)

Security

  • CVE-2024-47081 Fixed an issue where a maliciously crafted URL and trusted environment will retrieve credentials for the wrong hostname/machine from a netrc file.

Improvements

  • Numerous documentation improvements

Deprecations

  • Added support for pypy 3.11 for Linux and macOS.
  • Dropped support for pypy 3.9 following its end of support.
Commits
  • 021dc72 Polish up release tooling for last manual release
  • 821770e Bump version and add release notes for v2.32.4
  • 59f8aa2 Add netrc file search information to authentication documentation (#6876)
  • 5b4b64c Add more tests to prevent regression of CVE 2024 47081
  • 7bc4587 Add new test to check netrc auth leak (#6962)
  • 96ba401 Only use hostname to do netrc lookup instead of netloc
  • 7341690 Merge pull request #6951 from tswast/patch-1
  • 6716d7c remove links
  • a7e1c74 Update docs/conf.py
  • c799b81 docs: fix dead links to kenreitz.org
  • Additional commits viewable in compare view

Updates flask-cors from 4.0.0 to 6.0.0

Release notes

Sourced from flask-cors's releases.

6.0.0

Breaking

Path specificity ordering has changed to improve specificity. This may break users who expected the previous incorrect ordering.

What's Changed

Full Changelog: corydolphin/flask-cors@5.0.1...6.0.0

5.0.1

What's Changed

This primarily changes packaging to use uv and a new release pipeline, along with some small documentation improvements

New Contributors

Full Changelog: corydolphin/flask-cors@5.0.0...5.0.01

Commits

Updates pymysql from 1.1.0 to 1.1.1

Release notes

Sourced from pymysql's releases.

v1.1.1

[!WARNING] This release fixes a vulnerability (CVE-2024-36039). All users are recommended to update to this version.

If you can not update soon, check the input value from untrusted source has an expected type. Only dict input from untrusted source can be an attack vector.

What's Changed

Merged PRs

New Contributors

Full Changelog: PyMySQL/PyMySQL@v1.1.0...v1.1.1

Changelog

Sourced from pymysql's changelog.

v1.1.1

Release date: 2024-05-21

[!WARNING] This release fixes a vulnerability (CVE-2024-36039). All users are recommended to update to this version.

If you can not update soon, check the input value from untrusted source has an expected type. Only dict input from untrusted source can be an attack vector.

  • Prohibit dict parameter for Cursor.execute(). It didn't produce valid SQL and might cause SQL injection. (CVE-2024-36039)
  • Added ssl_key_password param. #1145
Commits

Updates gunicorn from 21.2.0 to 22.0.0

Release notes

Sourced from gunicorn's releases.

Gunicorn 22.0 has been released

Gunicorn 22.0.0 has been released. This version fix the numerous security vulnerabilities. You're invited to upgrade asap your own installation.

Changes:

22.0.0 - 2024-04-17
===================

    

  • use utime to notify workers liveness
    • 

  • migrate setup to pyproject.toml
    • 

  • fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
    • 

  • parsing additional requests is no longer attempted past unsupported request framing
    • 

  • on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
    • 

  • requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
    • 

  • Trailer fields are no longer inspected for headers indicating secure scheme
    • 

  • support Python 3.12
    • 



** Breaking changes **


    

  • minimum version is Python 3.7
    • 

  • the limitations on valid characters in the HTTP method have been bounded to Internet Standards
    • 

  • requests specifying unsupported transfer coding (order) are refused by default (rare)
    • 

  • HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
    • 

  • HTTP methods containing the number sign (#) are no longer accepted by default (rare)
    • 

  • HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
    • 

  • HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
    • 

  • HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
    • 

  • HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
    • 

  • requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
    • 

  • empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)
    • 



** SECURITY **


    

  • fix CVE-2024-1135
  1. Documentation is available there: https://docs.gunicorn.org/en/stable/news.html
  2. Packages: https://pypi.org/project/gunicorn/
Commits
  • f63d59e bump to 22.0
  • 4ac81e0 Merge pull request #3175 from e-kwsm/typo
  • 401cecf Merge pull request #3179 from dhdaines/exclude-eventlet-0360
  • 0243ec3 fix(deps): exclude eventlet 0.36.0
  • 628a0bc chore: fix typos
  • 88fc4a4 Merge pull request #3131 from pajod/patch-py12-rebased
  • deae2fc CI: back off the agressive timeout
  • f470382 docs: promise 3.12 compat
  • 5e30bfa add changelog to project.urls (updated for PEP621)
  • 481c3f9 remove setup.cfg - overridden by pyproject.toml
  • Additional commits viewable in compare view

Updates flask-cors from 4.0.0 to 6.0.0

Release notes

Sourced from flask-cors's releases.

6.0.0

Breaking

Path specificity ordering has changed to improve specificity. This may break users who expected the previous incorrect ordering.

What's Changed

Full Changelog: corydolphin/flask-cors@5.0.1...6.0.0

5.0.1

What's Changed

This primarily changes packaging to use uv and a new release pipeline, along with some small documentation improvements

New Contributors

Full Changelog: corydolphin/flask-cors@5.0.0...5.0.01

Commits

Updates gunicorn from 21.2.0 to 22.0.0

Release notes

Sourced from gunicorn's releases.

Gunicorn 22.0 has been released

Gunicorn 22.0.0 has been released. This version fix the numerous security vulnerabilities. You're invited to upgrade asap your own installation.

Changes:

22.0.0 - 2024-04-17
===================

    

  • use utime to notify workers liveness
    • 

  • migrate setup to pyproject.toml
    • 

  • fix numerous security vulnerabilities in HTTP parser (closing some request smuggling vectors)
    • 

  • parsing additional requests is no longer attempted past unsupported request framing
    • 

  • on HTTP versions < 1.1 support for chunked transfer is refused (only used in exploits)
    • 

  • requests conflicting configured or passed SCRIPT_NAME now produce a verbose error
    • 

  • Trailer fields are no longer inspected for headers indicating secure scheme
    • 

  • support Python 3.12
    • 



** Breaking changes **


    

  • minimum version is Python 3.7
    • 

  • the limitations on valid characters in the HTTP method have been bounded to Internet Standards
    • 

  • requests specifying unsupported transfer coding (order) are refused by default (rare)
    • 

  • HTTP methods are no longer casefolded by default (IANA method registry contains none affected)
    • 

  • HTTP methods containing the number sign (#) are no longer accepted by default (rare)
    • 

  • HTTP versions < 1.0 or >= 2.0 are no longer accepted by default (rare, only HTTP/1.1 is supported)
    • 

  • HTTP versions consisting of multiple digits or containing a prefix/suffix are no longer accepted
    • 

  • HTTP header field names Gunicorn cannot safely map to variables are silently dropped, as in other software
    • 

  • HTTP headers with empty field name are refused by default (no legitimate use cases, used in exploits)
    • 

  • requests with both Transfer-Encoding and Content-Length are refused by default (such a message might indicate an attempt to perform request smuggling)
    • 

  • empty transfer codings are no longer permitted (reportedly seen with really old & broken proxies)
    • 



** SECURITY **


    

  • fix CVE-2024-1135
  1. Documentation is available there: https://docs.gunicorn.org/en/stable/news.html
  2. Packages: https://pypi.org/project/gunicorn/
Commits
  • f63d59e bump to 22.0
  • 4ac81e0 Merge pull request #3175 from e-kwsm/typo
  • 401cecf Merge pull request #3179 from dhdaines/exclude-eventlet-0360
  • 0243ec3 fix(deps): exclude eventlet 0.36.0
  • 628a0bc chore: fix typos
  • 88fc4a4 Merge pull request #3131 from pajod/patch-py12-rebased
  • deae2fc CI: back off the agressive timeout
  • f470382 docs: promise 3.12 compat
  • 5e30bfa add changelog to project.urls (updated for PEP621)
  • 481c3f9 remove setup.cfg - overridden by pyproject.toml
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition ...

Description has been truncated

@dependabot
Bump the pip group across 3 directories with 7 updates
6a38e30 
Bumps the pip group with 5 updates in the /webClient/api directory:

| Package | From | To |
| --- | --- | --- |
| [flask](https://github.com/pallets/flask) | `3.1.0` | `3.1.1` |
| [flask-cors](https://github.com/corydolphin/flask-cors) | `5.0.0` | `6.0.0` |
| [python-socketio](https://github.com/miguelgrinberg/python-socketio) | `5.11.4` | `5.14.0` |
| [eventlet](https://github.com/eventlet/eventlet) | `0.37.0` | `0.40.3` |
| [requests](https://github.com/psf/requests) | `2.32.3` | `2.32.4` |

Bumps the pip group with 3 updates in the /managerServer/api directory: [flask-cors](https://github.com/corydolphin/flask-cors), [pymysql](https://github.com/PyMySQL/PyMySQL) and [gunicorn](https://github.com/benoitc/gunicorn).
Bumps the pip group with 2 updates in the /archive/manager/api directory: [flask-cors](https://github.com/corydolphin/flask-cors) and [gunicorn](https://github.com/benoitc/gunicorn).


Updates `flask` from 3.1.0 to 3.1.1
- [Release notes](https://github.com/pallets/flask/releases)
- [Changelog](https://github.com/pallets/flask/blob/main/CHANGES.rst)
- [Commits](pallets/flask@3.1.0...3.1.1)

Updates `flask-cors` from 5.0.0 to 6.0.0
- [Release notes](https://github.com/corydolphin/flask-cors/releases)
- [Changelog](https://github.com/corydolphin/flask-cors/blob/main/CHANGELOG.md)
- [Commits](corydolphin/flask-cors@5.0.0...6.0.0)

Updates `python-socketio` from 5.11.4 to 5.14.0
- [Release notes](https://github.com/miguelgrinberg/python-socketio/releases)
- [Changelog](https://github.com/miguelgrinberg/python-socketio/blob/main/CHANGES.md)
- [Commits](miguelgrinberg/python-socketio@v5.11.4...v5.14.0)

Updates `eventlet` from 0.37.0 to 0.40.3
- [Changelog](https://github.com/eventlet/eventlet/blob/master/NEWS)
- [Commits](eventlet/eventlet@0.37.0...0.40.3)

Updates `requests` from 2.32.3 to 2.32.4
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.32.3...v2.32.4)

Updates `flask-cors` from 4.0.0 to 6.0.0
- [Release notes](https://github.com/corydolphin/flask-cors/releases)
- [Changelog](https://github.com/corydolphin/flask-cors/blob/main/CHANGELOG.md)
- [Commits](corydolphin/flask-cors@5.0.0...6.0.0)

Updates `pymysql` from 1.1.0 to 1.1.1
- [Release notes](https://github.com/PyMySQL/PyMySQL/releases)
- [Changelog](https://github.com/PyMySQL/PyMySQL/blob/main/CHANGELOG.md)
- [Commits](PyMySQL/PyMySQL@v1.1.0...v1.1.1)

Updates `gunicorn` from 21.2.0 to 22.0.0
- [Release notes](https://github.com/benoitc/gunicorn/releases)
- [Commits](benoitc/gunicorn@21.2.0...22.0.0)

Updates `flask-cors` from 4.0.0 to 6.0.0
- [Release notes](https://github.com/corydolphin/flask-cors/releases)
- [Changelog](https://github.com/corydolphin/flask-cors/blob/main/CHANGELOG.md)
- [Commits](corydolphin/flask-cors@5.0.0...6.0.0)

Updates `gunicorn` from 21.2.0 to 22.0.0
- [Release notes](https://github.com/benoitc/gunicorn/releases)
- [Commits](benoitc/gunicorn@21.2.0...22.0.0)

---
updated-dependencies:
- dependency-name: flask
  dependency-version: 3.1.1
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: flask-cors
  dependency-version: 6.0.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: python-socketio
  dependency-version: 5.14.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: eventlet
  dependency-version: 0.40.3
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: requests
  dependency-version: 2.32.4
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: flask-cors
  dependency-version: 6.0.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: pymysql
  dependency-version: 1.1.1
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: gunicorn
  dependency-version: 22.0.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: flask-cors
  dependency-version: 6.0.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: gunicorn
  dependency-version: 22.0.0
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Nov 18, 2025
PenguinzTech added a commit that referenced this pull request Apr 1, 2026
@PenguinzTech
security: fix vulnerabilities called out in PR #87 and others found d…
3b9843c 
…uring scan

- Updated Python dependencies in webClient, managerServer, unified-api, and archive to fix CVEs/GHSAs (flask, flask-cors, gunicorn, pymysql, etc.)
- Fixed command injection in archive/client/bins/ppingParser.py by removing shell=True
- Fixed SSRF vulnerability in testServer/internal/validation/validation.go by actually blocking internal targets
- Randomized default secrets in managerServer and unified-api configs to prevent use of insecure defaults
- Fixed .gitignore to stop ignoring go.mod/go.sum and tracked testServer Go module files
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python Pull requests that update python code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@PenguinzTech