chore(deps): bump cryptography/python-multipart/starlette for CVEs

pip-audit flagged fixable advisories in the web stack: - cryptography -> >=48.0.1 (GHSA-537c-gmf6-5ccf) - python-multipart -> >=0.0.31 (CVE-2026-53538/53539/53540) - starlette (transitive via fastapi) -> add direct floor >=1.3.1 (CVE-2026-48817/48818/54282/54283) Venv synced to cryptography 49.0.0, python-multipart 0.0.32, starlette 1.3.1; full tests/api/ suite green against the bump. Also drops the stray browser-use[core] dev dep (the browser-use skill uses a global CLI; the package is imported nowhere in DECNET).
2026-06-16 12:06:20 -04:00
parent 207494f41e
commit 9eb2803d04
1 changed files with 5 additions and 2 deletions
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -24,6 +24,9 @@ dependencies = [
    "jinja2>=3.1",
    "fastapi>=0.110.0",
    "uvicorn>=0.29.0",
+    # Direct floor on starlette (transitive via fastapi) to require the fixes
+    # for CVE-2026-48817/48818/54282/54283.
+    "starlette>=1.3.1",
    "aiosqlite>=0.20.0",
    "asyncmy>=0.2.11",
    "PyJWT>=2.8.0",
@@ -33,8 +36,8 @@ dependencies = [
    "sqlmodel>=0.0.16",
    "scapy>=2.6.1",
    "orjson>=3.10",
-    "cryptography>=46.0.7",
-    "python-multipart>=0.0.20",
+    "cryptography>=48.0.1",
+    "python-multipart>=0.0.31",
    "httpx>=0.28.1",
    "requests>=2.33.1",
    "urllib3>=2.7.0",