From 6efa820fd950a87d66f9486d4af40849da278fbe Mon Sep 17 00:00:00 2001
From: Cory Bullinger
Date: Thu, 2 Apr 2026 08:02:57 -0400
Subject: [PATCH 1/3] fix(python-fastapi): bump aiohttp to >=3.13.4 for CVE-2026-34525

Raises the transitive aiohttp floor to the patched series so duplicate Host headers are rejected (GHSA-c427-h43c-vf67). Regenerated requirements.txt with pip-compile.

Resolves Dependabot alerts #31-40.

Made-with: Cursor
---
 mflix/server/python-fastapi/requirements.in | 2 +-
 mflix/server/python-fastapi/requirements.txt | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/mflix/server/python-fastapi/requirements.in b/mflix/server/python-fastapi/requirements.in
index d46b4d9..d33eb2b 100644
--- a/mflix/server/python-fastapi/requirements.in
+++ b/mflix/server/python-fastapi/requirements.in
@@ -62,7 +62,7 @@ rich-toolkit~=0.15.1 # Extensions for the 'rich' library
 # Minimum versions for indirect dependencies.
 # ------------------------------------------------------------------------------
 filelock>=3.20.3 # Transitive dep via huggingface-hub
-aiohttp>=3.13.3 # Transitive dep via voyageai
+aiohttp>=3.13.4 # Transitive dep via voyageai (CVE-2026-34525)
 orjson>=3.11.7 # Transitive dep via langsmith (CVE fix)
 langchain-core>=1.2.11 # Transitive dep via langchain-text-splitters (CVE-2026-26013 fix)
 pillow>=12.1.1 # Transitive dep via voyageai (CVE-2026-25990 fix)
diff --git a/mflix/server/python-fastapi/requirements.txt b/mflix/server/python-fastapi/requirements.txt
index 585daa3..a34cb54 100644
--- a/mflix/server/python-fastapi/requirements.txt
+++ b/mflix/server/python-fastapi/requirements.txt
@@ -6,7 +6,7 @@
 #
 aiohappyeyeballs==2.6.1
     # via aiohttp
-aiohttp==3.13.3
+aiohttp==3.13.5
     # via
     #   -r requirements.in
     #   voyageai
From cc5e910c66e7a60e1a454457df60328441325d34 Mon Sep 17 00:00:00 2001
From: Cory Bullinger
Date: Fri, 24 Apr 2026 07:44:09 -0400
Subject: [PATCH 2/3] Bump pymongo to v4.17.0

---
 mflix/server/python-fastapi/requirements.in | 2 +-
 mflix/server/python-fastapi/requirements.txt | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/mflix/server/python-fastapi/requirements.in b/mflix/server/python-fastapi/requirements.in
index d33eb2b..733e165 100644
--- a/mflix/server/python-fastapi/requirements.in
+++ b/mflix/server/python-fastapi/requirements.in
@@ -22,7 +22,7 @@ PyYAML~=6.0.3 # For handling YAML configuration or data
 # 3. DATABASE & CONNECTIVITY
 # Database driver and necessary utilities.
 # ------------------------------------------------------------------------------
-pymongo~=4.16.0 # MongoDB driver
+pymongo~=4.17.0 # MongoDB driver
 dnspython~=2.8.0 # Required for SRV record lookups by pymongo (e.g., MongoDB Atlas)
 
 # ==============================================================================
diff --git a/mflix/server/python-fastapi/requirements.txt b/mflix/server/python-fastapi/requirements.txt
index a34cb54..3563232 100644
--- a/mflix/server/python-fastapi/requirements.txt
+++ b/mflix/server/python-fastapi/requirements.txt
@@ -151,7 +151,7 @@ pygments==2.19.2
     # via
     #   pytest
     #   rich
-pymongo==4.16.0
+pymongo==4.17.0
     # via -r requirements.in
 pytest==8.4.2
     # via
From 0fcf67092536b8725b0639ea6decd94434060252 Mon Sep 17 00:00:00 2001
From: Caleb Thompson
Date: Tue, 28 Apr 2026 12:54:09 -0700
Subject: [PATCH 3/3] update node driver version

---
 mflix/server/js-express/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mflix/server/js-express/package.json b/mflix/server/js-express/package.json
index ae1e7d3..4d79a40 100644
--- a/mflix/server/js-express/package.json
+++ b/mflix/server/js-express/package.json
@@ -22,7 +22,7 @@
     "cors": "^2.8.6",
     "dotenv": "^17.2.4",
     "express": "^5.2.1",
-    "mongodb": "^7.1.0",
+    "mongodb": "^7.2.0",
     "swagger-jsdoc": "^6.2.8",
     "swagger-ui-express": "^5.0.1",
     "winston": "^3.19.0"