Upgrade dependencies to fix CVEs (#1900)

hasys · web-flow · commit 5692228a1a33 · 2026-02-17T19:13:16.000+01:00
diff --git a/.github/workflows/pip_audit.yml b/.github/workflows/pip_audit.yml
@@ -76,3 +76,5 @@ jobs:
             GHSA-7gcm-g887-7qv7
             # Ignoring cryptography as it should be fixed by a RHEL RPM
             GHSA-r6ph-v2qm-q3c2
+            # Fix version of social-app-django 5.6.0 doesn't support Django 4.2
+            CVE-2025-61783
diff --git a/pyproject.toml b/pyproject.toml
@@ -88,18 +88,6 @@ wisdom-manage = "ansible_ai_connect.manage:main"
 constraint-dependencies = [
   # Use Red Hat's system-certifi for certificate handling
   'certifi @ git+https://github.com/ansible/system-certifi@5aa52ab91f9d579bfe52b5acf30ca799f1a563d9',
-  # Pin cryptography to address security vulnerabilities
-  'cryptography==43.0.1',
-  # Pin idna to address GHSA-jjg7-2v4v-x38h
-  'idna==3.7',
-  # Pin jsonpickle to address SNYK-PYTHON-JSONPICKLE-8136229
-  'jsonpickle==3.3.0',
-  # Pin pyjwt for compatibility
-  'pyjwt==2.8.0',
-  # Pin pyOpenSSL for compatibility
-  'pyOpenSSL==24.2.1',
-  # Pin sqlparse to address GHSA-2m57-hf25-phgg
-  'sqlparse~=0.5.5',
 ]
 
 
diff --git a/requirements.txt b/requirements.txt
@@ -86,7 +86,7 @@ colorama==0.4.6 ; sys_platform == 'win32'
     #   tqdm
 constantly==23.10.4
     # via twisted
-cryptography==43.0.1
+cryptography==46.0.5
     # via
     #   ansible-core
     #   autobahn
@@ -358,7 +358,7 @@ pyjwt==2.8.0
     # via
     #   django-ansible-base
     #   social-auth-core
-pyopenssl==24.2.1
+pyopenssl==25.3.0
     # via
     #   pydrive2
     #   twisted
@@ -481,6 +481,7 @@ typing-extensions==4.15.0
     #   psycopg
     #   pydantic
     #   pydantic-core
+    #   pyopenssl
     #   referencing
     #   twisted
     #   typing-inspection
diff --git a/uv.lock b/uv.lock
