Contact Details
security-automation@local
This bug is related to UI or API?
API
What happened?
After upgrading multiple dependencies, pip-audit still reports vulnerabilities in core runtime packages whose fixes require major-version upgrades of the web framework stack (Flask, Werkzeug, urllib3) and therefore need coordinated alignment.
Current scan snapshot:
- before: 30 vulnerabilities
- after baseline patch: 14 vulnerabilities
Remaining vulnerable packages:
- flask 2.2.5 (fix: 3.1.3)
- flask-cors 4.0.2 (fix: 6.0.0)
- werkzeug 2.3.8 (fix: 3.1.6)
- urllib3 1.26.20 (fix: 2.6.3)
Expected behavior:
- Provide a staged framework upgrade plan (Flask/Werkzeug/urllib3 compatibility matrix)
- Add regression tests for auth/upload/request path behavior before major upgrades
Reference branch/commit (baseline upgrades already applied):
- Branch: codex/sec-python-rescan-20260308
- Commit: 68ce5d36c
Version
newest
What browsers are you seeing the problem on?
Chrome
Relevant log output
pip-audit summary after baseline:
Found 14 known vulnerabilities in 4 packages.
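To make the remaining-package list and the "regression tests before major upgrades" expectation checkable in CI, here is an added example (not code from this issue or its repository) that gates a pip-audit JSON report against the four fix versions listed above and flags any vulnerable package outside that tracked set. It assumes pip-audit's `-f json` layout (a `dependencies` list whose entries carry `name`, `version` and `vulns`); the report, the version pins and the vulnerability ids are constructed sample data.

```python
"""Gate a pip-audit JSON report against the remediation targets in this issue."""
import json

# Fix versions copied from the issue's "Remaining vulnerable packages" list.
FIX_TARGETS = {
    "flask": "3.1.3",
    "flask-cors": "6.0.0",
    "werkzeug": "3.1.6",
    "urllib3": "2.6.3",
}

# Constructed sample in pip-audit's `-f json` layout (assumption: a
# "dependencies" list with per-package "vulns"; ids are placeholders).
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"name": "flask", "version": "2.2.5",
         "vulns": [{"id": "EXAMPLE-FLASK-1", "fix_versions": ["3.1.3"]}]},
        {"name": "urllib3", "version": "1.26.20",
         "vulns": [{"id": "EXAMPLE-URLLIB3-1", "fix_versions": ["2.6.3"]}]},
        {"name": "Werkzeug", "version": "3.1.6", "vulns": []},   # already at target
        {"name": "requests", "version": "2.32.3", "vulns": []},  # untracked, clean
    ],
})


def normalize(name):
    """Canonicalize a distribution name the way pip does (case, '_' vs '-')."""
    return name.lower().replace("_", "-")


def parse_version(text):
    """Compare numeric release segments; sufficient for the pins in this issue."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def below_target(report_json):
    """Return {package: (installed, target)} for packages still under their fix."""
    lagging = {}
    for dep in json.loads(report_json)["dependencies"]:
        name = normalize(dep["name"])
        target = FIX_TARGETS.get(name)
        if target and parse_version(dep["version"]) < parse_version(target):
            lagging[name] = (dep["version"], target)
    return lagging


def unexpected_findings(report_json):
    """Vulnerable packages outside the tracked list: new regressions to triage."""
    deps = json.loads(report_json)["dependencies"]
    return sorted(normalize(d["name"]) for d in deps
                  if d["vulns"] and normalize(d["name"]) not in FIX_TARGETS)
```

Run it against `pip-audit -f json` output after each staged upgrade: `below_target` should shrink as the Flask/Werkzeug/urllib3 pins advance, and a non-empty `unexpected_findings` means the upgrade pulled in a new vulnerable transitive dependency.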