This is an automated email from the ASF dual-hosted git repository.
dpgaspar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/superset.git
The following commit(s) were added to refs/heads/master by this push:
new 5c4bf0f6ea6 fix(deps): bump Python dependencies to fix 7 security
vulnerabilities (#38447)
5c4bf0f6ea6 is described below
commit 5c4bf0f6ea673e7a11994359659afc3b547c3ea7
Author: Daniel Vaz Gaspar <[email protected]>
AuthorDate: Fri Mar 6 09:44:13 2026 +0000
fix(deps): bump Python dependencies to fix 7 security vulnerabilities
(#38447)
Co-authored-by: Claude Opus 4.6 <[email protected]>
---
requirements/base.in | 4 ++--
requirements/base.txt | 12 ++++++------
requirements/development.txt | 18 +++++++++---------
3 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/requirements/base.in b/requirements/base.in
index deca6a557b0..2d6100beab3 100644
--- a/requirements/base.in
+++ b/requirements/base.in
@@ -18,8 +18,8 @@
#
# Security: CVE-2026-21441 - decompression bomb bypass on redirects
urllib3>=2.6.3,<3.0.0
-# Security: GHSA-87hc-h4r5-73f7 - Windows path traversal fix
-werkzeug>=3.1.5,<4.0.0
+# Security: CVE-2026-27199 - Windows device name handling in safe_join
+werkzeug>=3.1.6,<4.0.0
# Security: CVE-2025-68146 - TOCTOU symlink vulnerability
filelock>=3.20.3,<4.0.0
# Security: decompression bomb fix (required by aiohttp 3.13.3)
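Review bot: The rewritten comment above the werkzeug floor drops the GHSA-87hc-h4r5-73f7 reference, so the file no longer records that this floor also covers the earlier Windows path traversal fix. Keeping both ids would preserve that history, e.g. `# Security: GHSA-87hc-h4r5-73f7, CVE-2026-27199 - Windows path traversal / device name handling in safe_join`. The commit title counts 7 vulnerabilities, yet werkzeug is the only floor changed in base.in; the other bumps in this commit (cryptography, pynacl, pyopenssl, marshmallow and others) show up only as pins in the compiled .txt files. Unless floors for those packages already exist outside this hunk, a later recompile or an install that bypasses the pinned files is not held to the fixed versions. Following this file's convention, each affected package could get a `# Security: <ADVISORY-ID> - <summary>` comment and a matching `>=` floor so the reason for each bump stays traceable.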
diff --git a/requirements/base.txt b/requirements/base.txt
index 4b11bd95fc5..c37afda03f8 100644
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -54,7 +54,7 @@ certifi==2025.6.15
# via
# requests
# selenium
-cffi==1.17.1
+cffi==2.0.0
# via
# cryptography
# pynacl
@@ -86,7 +86,7 @@ cron-descriptor==1.4.5
# via apache-superset (pyproject.toml)
croniter==6.0.0
# via apache-superset (pyproject.toml)
-cryptography==44.0.3
+cryptography==46.0.5
# via
# apache-superset (pyproject.toml)
# paramiko
@@ -219,7 +219,7 @@ markupsafe==3.0.2
# mako
# werkzeug
# wtforms
-marshmallow==3.26.1
+marshmallow==3.26.2
# via
# apache-superset (pyproject.toml)
# flask-appbuilder
@@ -317,9 +317,9 @@ pyjwt==2.10.1
# flask-appbuilder
# flask-jwt-extended
# redis
-pynacl==1.5.0
+pynacl==1.6.2
# via paramiko
-pyopenssl==25.1.0
+pyopenssl==25.3.0
# via shillelagh
pyparsing==3.2.3
# via apache-superset (pyproject.toml)
@@ -457,7 +457,7 @@ wcwidth==0.2.13
# via prompt-toolkit
websocket-client==1.8.0
# via selenium
-werkzeug==3.1.5
+werkzeug==3.1.6
# via
# -r requirements/base.in
# flask
diff --git a/requirements/development.txt b/requirements/development.txt
index 3cf0ee5b31a..e0a2b801182 100644
--- a/requirements/development.txt
+++ b/requirements/development.txt
@@ -48,7 +48,7 @@ attrs==25.3.0
# referencing
# requests-cache
# trio
-authlib==1.6.5
+authlib==1.6.7
# via fastmcp
babel==2.17.0
# via
@@ -115,7 +115,7 @@ certifi==2025.6.15
# httpx
# requests
# selenium
-cffi==1.17.1
+cffi==2.0.0
# via
# -c requirements/base-constraint.txt
# cryptography
@@ -177,7 +177,7 @@ croniter==6.0.0
# via
# -c requirements/base-constraint.txt
# apache-superset
-cryptography==44.0.3
+cryptography==46.0.5
# via
# -c requirements/base-constraint.txt
# apache-superset
@@ -526,7 +526,7 @@ markupsafe==3.0.2
# mako
# werkzeug
# wtforms
-marshmallow==3.26.1
+marshmallow==3.26.2
# via
# -c requirements/base-constraint.txt
# apache-superset
@@ -703,7 +703,7 @@ proto-plus==1.25.0
# via
# google-api-core
# google-cloud-bigquery-storage
-protobuf==4.25.5
+protobuf==4.25.8
# via
# google-api-core
# google-cloud-bigquery-storage
@@ -786,11 +786,11 @@ pyjwt==2.10.1
# redis
pylint==3.3.7
# via apache-superset
-pynacl==1.5.0
+pynacl==1.6.2
# via
# -c requirements/base-constraint.txt
# paramiko
-pyopenssl==25.1.0
+pyopenssl==25.3.0
# via
# -c requirements/base-constraint.txt
# shillelagh
@@ -1009,7 +1009,7 @@ sshtunnel==0.4.0
# via
# -c requirements/base-constraint.txt
# apache-superset
-starlette==0.48.0
+starlette==0.49.1
# via mcp
statsd==4.0.1
# via apache-superset
@@ -1111,7 +1111,7 @@ websocket-client==1.8.0
# selenium
websockets==15.0.1
# via fastmcp
-werkzeug==3.1.5
+werkzeug==3.1.6
# via
# -c requirements/base-constraint.txt
# flask