Skip to content

Commit 5ff492a

Browse files
DevOpsMadDogclaude
andcommitted
fix(deps): bump cryptography 46.0.7 -> 48.0.1 (GHSA-537c-gmf6-5ccf)
pip-audit on the core requirements.txt found exactly one fixable vuln: cryptography 46.0.7 (GHSA-537c-gmf6-5ccf), fixed in 48.0.1. The pin <47.0.0 blocked it; widened to >=48.0.1,<49.0.0. The deployed image installs only requirements.txt (Dockerfile:28); the <47/<48 transitive pins (prowler-cloud/oci/alibaba/pyopenssl) are local dev extras not in core, and CSPM uses the prowler CLI binary via subprocess, so the deployed product is unaffected. Verified on cryptography 48: 40 crypto-hardening + 33 jwt/signed- evidence + 181 smoke tests pass, create_app boots. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent f5f6dc1 commit 5ff492a

2 files changed

Lines changed: 3 additions & 1 deletion

File tree

docs/ralph_progress.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -554,3 +554,5 @@ tick269 (2026-06-22, ralph-c2) — SPEC-034 SCOPE GAP CLOSED (suite-attack/api):
554554
tick270 (2026-06-23, ralph-c4) — CSPM NO-MOCKS (#9108 founder-gated) RESOLVED: cspm_connector fabricated prowler/checkov/trivy/cloudsploit sample findings into the pipeline when no real CLI present. Gated all 4 fallbacks behind FIXOPS_CSPM_DEMO (helper _cspm_demo_mode); default is now HONEST-EMPTY (prowler b"[]", checkov empty results, trivy {Results:[]}, cloudsploit []), with result.errors noting "set FIXOPS_CSPM_DEMO=1 for sample data". Updated tests: connector fixture sets the demo flag (its purpose = sample path); renamed test_..._uses_fallback -> test_..._demo_mode_serves_samples; ADDED test_scan_tenant_honest_empty_without_demo_flag (asserts 0 fabricated findings, NO-MOCKS default); test_real_checkov skips honestly when the (broken on this box) checkov CLI cannot run instead of demanding a fabricated floor. Verified: 57 passed/1 skipped + test_no_fake_cspm green, create_app 8346. The behavior-changing founder-gated CSPM fabrication is now opt-in-demo only.
555555

556556
tick271 (2026-06-23, ralph-c4) — v66 deployed (CSPM honest-empty + suite-attack tenancy live). Verified deployed-login flow: signup (POST /api/v1/auth/signup) creates user status=active + email_verified=False; auth_login (801) only 403s if status!=active (855) -> email verification does NOT block login. So signup->login works WITHOUT email (no SMTP needed). The curl "Invalid API token" = that key not in deployed DB; correct path is UI signup (mints org key, shown once) then email/password login.
557+
558+
tick272 (2026-06-23, ralph-c4) — DEPENDABOT/CVE: pip-audit on core requirements.txt found exactly 1 fixable vuln: cryptography 46.0.7 GHSA-537c-gmf6-5ccf (fix 48.0.1). Pin was >=46.0.7,<47.0.0 (blocked fix). Bumped -> >=48.0.1,<49.0.0, installed 48.0.1. The "251 dependabot" GitHub count is mostly legacy/npm/transitive; the deployed Python core has just this one. Local pip-check flags 5 transitive deps pinning cryptography<47/<48 (prowler-cloud==46.0.6, oci, alibaba, pyopenssl, py-ocsf) BUT none are in requirements.txt — deployed image installs ONLY requirements.txt (Dockerfile:28), and CSPM uses the prowler CLI binary via subprocess (not the py lib), so the deployed product is unaffected. VERIFIED on crypto 48: 40 crypto-hardening + 33 jwt/cors+signed-evidence + 181 smoke pass, create_app boots 8346. Comprehensive session verification this cycle: T2 0 collection errors (46976 collected) + Beast 756 + broad converted-domain regression 737 + crypto 73 — all green, zero regressions across the whole SPEC-034/030/CSPM body of work.

requirements.txt

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ httpx>=0.27.0,<1.0
1414
httpx2>=2.2.0,<3.0
1515
pgmpy==0.1.24
1616
PyJWT>=2.12.0,<3.0
17-
cryptography>=46.0.7,<47.0.0
17+
cryptography>=48.0.1,<49.0.0
1818
cffi>=2.0.0,<3.0
1919
structlog>=25.4.0,<26.0.0
2020
PyYAML>=6.0.1,<7.0

0 commit comments

Comments
 (0)