Merge pull request #662 from hackforla/dependabot/pip/api/cryptograph…

…y-42.0.4 build(deps-dev): bump cryptography from 41.0.7 to 42.0.4 in /api
hackforla · Jun 26, 2024 · 6451a89 · 6451a89
2 parents 37ae4b6 + b7d8735
commit 6451a89
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 5 deletions.
diff --git a/api/pyproject.toml b/api/pyproject.toml
@@ -127,10 +127,13 @@ dev = [
   # pip-tools provides the tools pip-compile and pip-sync to help manage requirements files
   "pip-tools",
 
+
+  # cryptography is a transitive dependency of moto, but we specify a minimum
+  # version since a known security vulnerability is present in < 42.0.4 
+  "cryptography>=42.0.4"
   "moto[cognitoidp]",
 
   "pytest-alembic==0.11.0",
-]
 
 # This defines the "prod" extra dependency group.
 # It installs dependencies necessary for running this API in production.

diff --git a/api/requirements-dev.txt b/api/requirements-dev.txt
@@ -56,13 +56,14 @@ coverage==7.3.0
     # via
     #   coverage
     #   pytest-cov
-cryptography==41.0.7
+cryptography==42.0.4
     # via
+    #   homeuniteus-api (pyproject.toml)
     #   moto
     #   python-jose
 distlib==0.3.7
     # via virtualenv
-ecdsa==0.18.0
+ecdsa==0.19.0
     # via
     #   moto
     #   python-jose
@@ -127,7 +128,9 @@ marshmallow==3.20.1
 marshmallow-sqlalchemy==1.0.0
     # via homeuniteus-api (pyproject.toml)
 moto==4.2.10
-    # via homeuniteus-api (pyproject.toml)
+    # via
+    #   homeuniteus-api (pyproject.toml)
+    #   moto
 openapi-schema-validator==0.6.0
     # via openapi-spec-validator
 openapi-spec-validator==0.6.0
@@ -157,7 +160,7 @@ prance==23.6.21.0
     # via homeuniteus-api (pyproject.toml)
 psycopg2-binary==2.9.5
     # via homeuniteus-api (pyproject.toml)
-pyasn1==0.5.1
+pyasn1==0.6.0
     # via
     #   python-jose
     #   rsa