darkhelm/notifications-admin
1
0
Fork 0
mirror of https://github.com/GSA/notifications-admin.git synced 2026-06-21 21:53:42 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
bf1548809566d2a162f46bb7547efda2a197bf39
notifications-admin/requirements.in
Chris Hill-Scott b74fcf2570 Bump WTForms and Flask-WTF to latest versions 
WTForms versions less than 3.0.0 have a security vulnerability where
arbitrary HTML can be inserted into the label of a form, allowing the
possibility of a cross-site scripting attack.

I don’t know if there’s anywhere we put user-generated content into form
labels but it’s possible we are vulnerable somewhere.

This require moving some imports because as of
https://github.com/wtforms/wtforms/pull/614/files
there is no longer a separate module for HTML 5 fields, they are now
considered core fields.

As of https://github.com/wtforms/wtforms/issues/445/files custom
implementations of `pre_validate` or `post_validate` must raise
`ValidationError` to trigger a validation message, where we were raising
`ValueError` this was no longer being caught.

As of https://github.com/wtforms/wtforms/pull/355/files `StringField`
returns `None` for empty data, not `''` but our `validate_email_address`
function only accepts strings.
2021-11-30 17:33:13 +00:00

45 lines
1.2 KiB
Plaintext
Raw Blame History

# Run `make freeze-requirements` to update requirements.txt
# with package version changes made in requirements-app.txt
ago==0.0.93
govuk-bank-holidays==0.8
humanize==3.12.0
Flask==1.1.2 # pyup: <2
Flask-WTF==1.0.0
wtforms==3.0.0
Flask-Login==0.5.0
werkzeug==2.0.2
jinja2==3.0.2
blinker==1.4
pyexcel==0.6.7
pyexcel-io==0.6.5
pyexcel-xls==0.7.0
pyexcel-xlsx==0.6.0
pyexcel-ods3==0.6.0
pytz==2021.3
gunicorn==20.1.0
eventlet==0.30.2 # pyup: ignore
notifications-python-client==6.3.0
Shapely==1.7.1
rtreelib==0.2.0
fido2==0.9.1
importlib-metadata==4.2.0
pyproj==3.2.1
# PaaS
awscli-cwlogs>=1.4,<1.5
itsdangerous==1.1.0 # pyup: <2
notifications-utils @ git+https://github.com/alphagov/notifications-utils.git@48.0.0
govuk-frontend-jinja @ git+https://github.com/alphagov/govuk-frontend-jinja.git@v0.5.8-alpha
# cryptography 3.4+ incorporates Rust code, which isn't supported on PaaS
# e.g. https://github.com/alphagov/notifications-api/pull/3126
cryptography<3.4 # pyup: ignore
# gds-metrics requires prometheseus 0.2.0, override that requirement as later versions bring significant performance gains
# version 0.10.0 introduced exceptions when workers crashed due to deprecating lower case `prometheus_multiproc_dir`.
prometheus-client>=0.9.0,!=0.10.0
gds-metrics==0.2.4
Reference in New Issue View Git Blame Copy Permalink