Fix security issue (#11965)

### What problem does this PR solve? - CVE-2024-6866 - CVE-2024-6844 - CVE-2024-6839 ### Type of change - [x] Bug Fix (non-breaking change which fixes an issue) Signed-off-by: Jin Hai <haijin.chn@gmail.com>
2025-12-26 17:16:52 +08:00 · 2025-12-16 13:31:45 +08:00
parent 5bba562048
commit f7926724aa
2 changed files with 8 additions and 7 deletions
--- a/pyproject.toml
+++ b/pyproject.toml
@ -34,7 +34,7 @@ dependencies = [
    "extract-msg>=0.39.0",
    "ffmpeg-python>=0.2.0",
    "flasgger>=0.9.7.1,<0.10.0",
-    "flask-cors==5.0.0",
+    "flask-cors==6.0.2",
    "flask-login==0.6.3",
    "flask-mail>=0.10.0",
    "flask-session==0.8.0",
@ -55,7 +55,7 @@ dependencies = [
    "markdown==3.6",
    "markdown-to-json==2.1.1",
    "markdownify>=1.2.0",
-    "mcp>=1.9.4",
+    "mcp>=1.19.0",
    "mini-racer>=0.12.4,<0.13.0",
    "minio==7.2.4",
    "mistralai==0.4.2",
--- a/uv.lock
+++ b/uv.lock
@ -1836,14 +1836,15 @@ wheels = [

 [[package]]
 name = "flask-cors"
-version = "5.0.0"
+version = "6.0.2"
 source = { registry = "https://pypi.tuna.tsinghua.edu.cn/simple" }
 dependencies = [
    { name = "flask" },
+    { name = "werkzeug" },
 ]
-sdist = { url = "https://pypi.tuna.tsinghua.edu.cn/packages/4f/d0/d9e52b154e603b0faccc0b7c2ad36a764d8755ef4036acbf1582a67fb86b/flask_cors-5.0.0.tar.gz", hash = "sha256:5aadb4b950c4e93745034594d9f3ea6591f734bb3662e16e255ffbf5e89c88ef", size = 30954, upload-time = "2024-08-31T00:44:26.395Z" }
+sdist = { url = "https://pypi.tuna.tsinghua.edu.cn/packages/70/74/0fc0fa68d62f21daef41017dafab19ef4b36551521260987eb3a5394c7ba/flask_cors-6.0.2.tar.gz", hash = "sha256:6e118f3698249ae33e429760db98ce032a8bf9913638d085ca0f4c5534ad2423", size = 13472, upload-time = "2025-12-12T20:31:42.861Z" }
 wheels = [
-    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/56/07/1afa0514c876282bebc1c9aee83c6bb98fe6415cf57b88d9b06e7e29bf9c/Flask_Cors-5.0.0-py2.py3-none-any.whl", hash = "sha256:b9e307d082a9261c100d8fb0ba909eec6a228ed1b60a8315fd85f783d61910bc", size = 14463, upload-time = "2024-08-31T00:44:24.394Z" },
+    { url = "https://pypi.tuna.tsinghua.edu.cn/packages/4f/af/72ad54402e599152de6d067324c46fe6a4f531c7c65baf7e96c63db55eaf/flask_cors-6.0.2-py3-none-any.whl", hash = "sha256:e57544d415dfd7da89a9564e1e3a9e515042df76e12130641ca6f3f2f03b699a", size = 13257, upload-time = "2025-12-12T20:31:41.3Z" },
 ]

 [[package]]
@ -6215,7 +6216,7 @@ requires-dist = [
    { name = "extract-msg", specifier = ">=0.39.0" },
    { name = "ffmpeg-python", specifier = ">=0.2.0" },
    { name = "flasgger", specifier = ">=0.9.7.1,<0.10.0" },
-    { name = "flask-cors", specifier = "==5.0.0" },
+    { name = "flask-cors", specifier = "==6.0.2" },
    { name = "flask-login", specifier = "==0.6.3" },
    { name = "flask-mail", specifier = ">=0.10.0" },
    { name = "flask-session", specifier = "==0.8.0" },
@ -6236,7 +6237,7 @@ requires-dist = [
    { name = "markdown", specifier = "==3.6" },
    { name = "markdown-to-json", specifier = "==2.1.1" },
    { name = "markdownify", specifier = ">=1.2.0" },
-    { name = "mcp", specifier = ">=1.9.4" },
+    { name = "mcp", specifier = ">=1.19.0" },
    { name = "mini-racer", specifier = ">=0.12.4,<0.13.0" },
    { name = "minio", specifier = "==7.2.4" },
    { name = "mistralai", specifier = "==0.4.2" },