requirements.txt
######################################################################
# SECURITY NOTE:
# All package versions are locked due to supply chain attacks (e.g. Shai-Hulud)
# See: https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem
# You may update versions to newer libraries as desired, but auto-picking versions
# is NOT allowed for security and stability reasons.
#
# Translation: Someone poisoned the npm well, so now we're paranoid about
# every fucking dependency. We pin every version number because trusting
# the Python package ecosystem is like trusting a crackhead with your wallet.
#
# Welcome to modern software development: where announcing Twitch streams
# requires 20+ dependencies and constant vigilance against supply chain attacks.
# The future is here, and it's exhausting.
######################################################################
twitchAPI==4.5.0
Mastodon.py==2.1.4
boto3==1.42.39
hvac==2.4.0
atproto==0.0.65
doppler-sdk==1.3.0
python-dotenv==1.2.1
google-api-python-client==2.188.0
google-genai==1.61.0
# CVE-2025-4565 fix: Requires protobuf >= 4.25.8 (v4), >= 5.29.5 (v5), or >= 6.31.1 (v6)
# Pinned to the v6 line (>= 6.31.1); moving to a different major line needs testing
protobuf==6.33.5
# Ollama Python client for local LLM support
ollama==0.6.1
# CVE-2024-45590, CVE-2024-42473: Fixed in requests >= 2.32.2
# CVE-2024-6472: Fixed in requests >= 2.32.4
# Using latest stable version 2.32.5
requests==2.32.5
discord.py==2.7.0
matrix-nio==0.25.2
beautifulsoup4==4.14.3
# CVE-2024-5569: Infinite loop in zipp, fixed in >= 3.19.1
zipp==3.23.0
# CVE-2024-37891, CVE-2024-37080: Fixed in urllib3 >= 2.2.2
# CVE-2025-78866: Open redirect fixed in urllib3 >= 2.5.0
# Using latest stable v2.x (v1.26.19 is legacy Python 2.7 support)
urllib3==2.6.3
# pip symbolic link extraction vulnerability fix
# Ensures pip >= 24.2 for CVE fixes
pip==26.0
# Testing framework
pytest==9.0.2
pytest-asyncio==1.3.0
pytest-cov==7.0.0
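The security note at the top of this file forbids auto-picked versions. The following is an added example, not part of this project, of a small policy check that parses a requirements file and reports every requirement that is not an exact `==` pin (ranges, compatible-release `~=`, wildcards and bare names all fail). The `SAMPLE` text and function names are constructed for the example.

```python
"""Pin-policy check: every requirement must be an exact '==' pin."""
import re
import sys
from pathlib import Path

# name, optional [extras], '==' or '===', a concrete version (no '*' wildcard),
# optional environment marker after ';'. Trailing comments are stripped first.
PIN_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*===?\s*"
    r"[A-Za-z0-9][A-Za-z0-9.+!-]*\s*(?:;.*)?$"
)


def unpinned_requirements(text: str) -> list[str]:
    """Return requirement lines that are not exact pins.

    Blank lines, comment lines and pip option lines (-r, --hash, --index-url)
    are ignored. For hash-level pinning, pair this with `pip install
    --require-hashes` and `--hash=` entries; that is out of scope here.
    """
    offenders = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line or line.startswith("-"):
            continue
        if not PIN_RE.match(line):
            offenders.append(line)
    return offenders


def check_file(path: str) -> list[str]:
    """Read a requirements file from disk and return its unpinned lines."""
    return unpinned_requirements(Path(path).read_text(encoding="utf-8"))


# Constructed sample input for demonstration; not the file above.
SAMPLE = """\
requests==2.32.5          # exact pin: allowed
urllib3>=2.2.2            # open-ended range: rejected
discord.py~=2.7           # compatible release: rejected
protobuf==6.*             # wildcard: rejected
twitchAPI                 # bare name: rejected
pytest[testing]==9.0.2 ; python_version >= "3.9"
"""

if __name__ == "__main__":
    bad = check_file(sys.argv[1]) if len(sys.argv) > 1 else unpinned_requirements(SAMPLE)
    for entry in bad:
        print(f"UNPINNED: {entry}")
    sys.exit(1 if bad else 0)
```

Run it against a real file with `python check_pins.py requirements.txt`; a non-zero exit makes it usable as a CI gate.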