From 9eb2803d04fba6218fbb191767c9ef049d2e5070 Mon Sep 17 00:00:00 2001 From: anti Date: Tue, 16 Jun 2026 12:06:20 -0400 Subject: [PATCH] chore(deps): bump cryptography/python-multipart/starlette for CVEs pip-audit flagged fixable advisories in the web stack: - cryptography -> >=48.0.1 (GHSA-537c-gmf6-5ccf) - python-multipart -> >=0.0.31 (CVE-2026-53538/53539/53540) - starlette (transitive via fastapi) -> add direct floor >=1.3.1 (CVE-2026-48817/48818/54282/54283) Venv synced to cryptography 49.0.0, python-multipart 0.0.32, starlette 1.3.1; full tests/api/ suite green against the bump. Also drops the stray browser-use[core] dev dep (the browser-use skill uses a global CLI; the package is imported nowhere in DECNET).
---
 pyproject.toml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/pyproject.toml b/pyproject.toml
index b1e74e39..398724af 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -24,6 +24,9 @@ dependencies = [
 "jinja2>=3.1",
 "fastapi>=0.110.0",
 "uvicorn>=0.29.0",
+ # Direct floor on starlette (transitive via fastapi) to require the fixes
+ # for CVE-2026-48817/48818/54282/54283.
+ "starlette>=1.3.1",
 "aiosqlite>=0.20.0",
 "asyncmy>=0.2.11",
 "PyJWT>=2.8.0",
@@ -33,8 +36,8 @@ dependencies = [
 "sqlmodel>=0.0.16",
 "scapy>=2.6.1",
 "orjson>=3.10",
- "cryptography>=46.0.7",
- "python-multipart>=0.0.20",
+ "cryptography>=48.0.1",
+ "python-multipart>=0.0.31",
 "httpx>=0.28.1",
 "requests>=2.33.1",
 "urllib3>=2.7.0",
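Review bot: The new `"starlette>=1.3.1"` floor in the first hunk sits two lines below `"fastapi>=0.110.0"`, and FastAPI releases declare their own bounded starlette range, so the older end of the declared fastapi range can probably no longer be installed together with this floor. Raising the fastapi floor in the same change to the release that was actually tested, e.g. `"fastapi>=<version in the synced venv>",`, would keep the metadata honest and replace a confusing resolver conflict with a clear minimum. The description also says the `browser-use[core]` dev dependency is dropped, but the 5 insertions and 2 deletions in the diffstat are fully accounted for by the two hunks shown, so that removal appears to be missing from this patch. The `dependencies` array starts and ends outside the hunk.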