thrillwiki_django_no_react/backend/pyproject.toml
pacnpal 8a51cd5de7 security: Fix 17 Dependabot vulnerabilities
## Security Patches Applied

### Critical
- **Django SQL injection via _connector keyword** (CVE-2024-xxxx)
  - Upgraded Django from 5.2.8 to 5.2.9

### High
- **urllib3 decompression-bomb safeguards bypassed** (streaming API)
  - Added explicit urllib3>=2.6.3 dependency
- **urllib3 streaming API improperly handles highly compressed data**
- **urllib3 unbounded links in decompression chain**
- **Django DoS in HttpResponseRedirect on Windows**
- **Django SQL injection in column aliases**

### Medium
- **django-allauth Okta/NetIQ mutable identifier** for authorization
  - Upgraded django-allauth from 65.9.0 to 65.13.0
- **django-allauth accepts tokens for inactive users**
- **Django DoS via XML serializer text extraction**
- **Django SQL injection in column aliases (additional fix)**
- **requests .netrc credentials leak via malicious URLs**
  - Upgraded requests from 2.32.3 to 2.32.4
- **Django Improper Output Neutralization for Logs**
- **Django DoS in strip_tags()**
- **Django DoS on Windows**
- **Django Allocation of Resources Without Limits**
- **Django IPv6 validation DoS**
- **Django SQL injection in HasKey on Oracle**
- **Django DoS in strip_tags() (additional fix)**

### Low
- **Django partial directory traversal via archives**

## Dependency Changes
- django: 5.2.8 -> 5.2.9
- django-allauth: 65.9.0 -> 65.13.1
- requests: 2.32.3 -> 2.32.5
- urllib3: (transitive) -> 2.6.3 (explicit)
2026-01-09 08:10:01 -05:00


[project]
name = "thrillwiki"
version = "0.1.0"
readme = "README.md"
requires-python = ">=3.13"
# Every entry below is a minimum-version floor (">="), not an exact pin.
# The version actually installed is whatever the resolver/lockfile selects,
# so raising a floor only excludes older releases; re-lock after editing one
# and check the lock for the version you expect.
dependencies = [
# =============================================================================
# Core Django
# =============================================================================
# Floor raised by the security-update commit; 5.2.9 is the lowest release accepted.
"django>=5.2.9",
"psycopg2-binary>=2.9.9",
"dj-database-url>=2.3.0",
"python-dotenv>=1.0.1",
"django-environ>=0.12.0",
"python-decouple>=3.8",
# =============================================================================
# Django REST Framework
# =============================================================================
"djangorestframework>=3.15.2",
"drf-spectacular>=0.28.0",
"django-cors-headers>=4.6.0",
"django-filter>=24.3",
# =============================================================================
# Authentication & Security
# =============================================================================
# Floor raised by the security-update commit; 65.13.0 is the lowest release accepted.
"django-allauth>=65.13.0",
"djangorestframework-simplejwt>=5.5.1",
"pyjwt>=2.10.1",
"cryptography>=44.0.0",
# =============================================================================
# Image Processing & Media
# =============================================================================
# Pillow carries an upper bound (<11.2). Revisit the cap whenever Pillow
# publishes a security release, since it can prevent a patched 11.2+ build
# from being selected.
"Pillow>=10.4.0,<11.2",
"django-cleanup>=8.1.0",
"piexif>=1.1.3",
"django-cloudflareimages-toolkit>=1.0.6",
# =============================================================================
# Frontend Integration (HTMX, Templates)
# =============================================================================
"django-htmx>=1.20.0",
"django-htmx-autocomplete>=1.0.5",
"django-widget-tweaks>=1.5.0",
"django-tailwind-cli>=2.21.1",
"whitenoise>=6.8.0",
"rjsmin>=1.2.0",
"rcssmin>=1.1.0",
# =============================================================================
# Task Queue & Caching
# =============================================================================
"celery>=5.5.3,<6",
"django-celery-beat>=2.8.1",
"django-celery-results>=2.6.0",
"redis>=5.2.0",
"django-redis>=5.4.0",
"hiredis>=3.1.0",
# =============================================================================
# Database & History Tracking
# =============================================================================
"django-pghistory>=3.5.2",
"django-fsm-log>=3.1.0",
# =============================================================================
# Monitoring & Observability
# =============================================================================
"sentry-sdk>=2.20.0,<3",
"django-health-check>=3.17.0",
# The floor here is overridden in practice by [tool.uv.sources] further down,
# which points this package at a specific 3.0.0 wheel URL.
"python-json-logger>=2.0.7",
"psutil>=7.0.0",
"nplusone>=1.0.0",
# =============================================================================
# Utilities
# =============================================================================
# Floor raised by the security-update commit; 2.32.4 is the lowest release accepted.
"requests>=2.32.4",
# Listed directly (rather than only as a transitive dependency, e.g. via
# requests) so that its minimum version can be enforced from this file.
"urllib3>=2.6.3",
"pycountry>=24.6.1",
"django-extensions>=4.1",
"werkzeug>=3.1.3",
"django-forwardemail>=1.0.0",
"django-turnstile>=0.1.2",
"fido2>=2.0.0",
"qrcode[pil]>=8.2",
"httpx>=0.28.1",
"django-fsm-2>=4.1.0",
"django-notifications-hq>=1.8.3",
"deepdiff>=8.0.0",
]
# Optional tooling groups, installed on request (e.g. `uv sync --group <name>`,
# as the profiling note below shows); they are separate from the runtime
# dependencies in [project].
[dependency-groups]
dev = [
"autoflake>=2.3.1",
"autopep8>=2.3.2",
# black and ruff also appear in the `lint` group with the same floors;
# keep the two in step when bumping either.
"black>=25.1.0",
"django-stubs>=5.2.2",
"rope>=1.14.0",
"ruff>=0.9.2",
"pyright>=1.1.405",
"factory-boy>=3.3.3",
]
test = [
"pytest>=8.3.5",
"pytest-django>=4.10.0",
"pytest-playwright>=0.6.2",
"playwright>=1.50.0",
"coverage>=7.9.2",
# Duplicated from `dev` so the test group installs standalone.
"factory-boy>=3.3.3",
"selenium>=4.15.0",
"axe-selenium-python>=2.1.6",
]
profiling = [
# Optional profiling tools - install with: uv sync --group profiling
"django-silk>=5.0.0",
"django-debug-toolbar>=4.0.0",
]
lint = [
"black>=25.1.0",
"flake8>=7.1.1",
"ruff>=0.9.2",
]
# Type-checker settings. Both pyright and the Pylance extension read local
# stubs from the `stubs` directory (see also `django-stubs` in the dev group).
[tool.pyright]
stubPath = "stubs"
typeCheckingMode = "basic"
[tool.pylance]
stubPath = "stubs"
# =============================================================================
# Pytest Configuration
# =============================================================================
[tool.pytest.ini_options]
# Tests run against a dedicated settings module rather than the deployed one.
DJANGO_SETTINGS_MODULE = "config.django.test"
python_files = ["test_*.py", "*_test.py"]
python_classes = ["Test*"]
python_functions = ["test_*"]
addopts = [
"-v",
# Any marker not declared in `markers` below is an error, so typos in
# @pytest.mark.* cannot silently deselect tests.
"--strict-markers",
"--tb=short",
]
markers = [
"unit: Unit tests (fast, isolated)",
"integration: Integration tests (may use database)",
"e2e: End-to-end browser tests (slow, requires server)",
"slow: Tests that take a long time to run",
"api: API endpoint tests",
]
# Suppressing these warnings globally also hides deprecation notices emitted
# by freshly upgraded dependencies; run with `-W default` occasionally after
# a dependency bump to see what the new versions deprecate.
filterwarnings = [
"ignore::DeprecationWarning",
"ignore::PendingDeprecationWarning",
]
# =============================================================================
# Coverage Configuration
# =============================================================================
[tool.coverage.run]
# Only the `apps` package is measured; settings under `config/` and the
# entries in `omit` are excluded from the denominator.
source = ["apps"]
branch = true
omit = [
"*/migrations/*",
"*/tests/*",
"*/__pycache__/*",
"*/admin.py",
"*/apps.py",
"manage.py",
"config/*",
]
# Each process writes its own data file; run `coverage combine` before reporting.
parallel = true
[tool.coverage.report]
exclude_lines = [
"pragma: no cover",
"def __repr__",
"def __str__",
"raise AssertionError",
"raise NotImplementedError",
"if __name__ == .__main__.:",
"if TYPE_CHECKING:",
"if typing.TYPE_CHECKING:",
"@abstractmethod",
"@abc.abstractmethod",
]
show_missing = true
skip_covered = false
# Percent of measured lines; the report step fails below this threshold.
fail_under = 70
[tool.coverage.html]
directory = "htmlcov"
[tool.coverage.xml]
output = "coverage.xml"
# Direct wheel URL for python-json-logger; this takes precedence over the
# PyPI release the ">=2.0.7" floor in [project].dependencies would resolve.
# NOTE(review): a URL source is not validated against the PyPI index. Confirm
# the lockfile records a hash for this wheel so it is integrity-checked on
# install like the index-sourced packages.
[tool.uv.sources]
python-json-logger = { url = "https://github.com/nhairs/python-json-logger/releases/download/v3.0.0/python_json_logger-3.0.0-py3-none-any.whl" }
# =============================================================================
# Ruff Configuration
# =============================================================================
[tool.ruff]
line-length = 120
target-version = "py313"
[tool.ruff.lint]
# Style/correctness rule families only; the flake8-bandit family ("S") is not
# selected, so ruff performs no security-oriented checks in this project.
select = ["E", "F", "W", "I", "UP", "B", "C4", "SIM"]
# E501 (line too long) is ignored, so `line-length` above only guides the
# formatter; over-long lines are not reported by the linter.
ignore = ["E501"]
[tool.ruff.lint.isort]
known-first-party = ["apps", "config", "thrillwiki"]
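Review bot: The floors in the dependency list do not match the versions the commit message reports: `"django-allauth>=65.13.0",` admits 65.13.0 while the Dependency Changes section says 65.9.0 -> 65.13.1, and `"requests>=2.32.4",` admits 2.32.4 while the message says 2.32.5. Because these are `>=` constraints rather than exact pins, the installed versions are decided by the resolver and lockfile, so either raise the floors to `"django-allauth>=65.13.1",` and `"requests>=2.32.5",` or confirm the lockfile resolves to the stated versions and correct the message. The `[tool.uv.sources]` entry fetches python-json-logger from a raw GitHub release URL; confirm the lockfile carries a hash for that wheel so it is integrity-checked like the index-sourced packages. The `CVE-2024-xxxx` reference in the description is still a placeholder and should be replaced with the identifier from the Django advisory.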