From f7926724aa9dd1e6378fdd7a52a9d48f60296797 Mon Sep 17 00:00:00 2001
From: Jin Hai
Date: Tue, 16 Dec 2025 13:31:45 +0800
Subject: [PATCH] Fix security issue (#11965)

### What problem does this PR solve?
- CVE-2024-6866
- CVE-2024-6844
- CVE-2024-6839
### Type of change
- [x] Bug Fix (non-breaking change which fixes an issue)
Signed-off-by: Jin Hai
---
 pyproject.toml | 4 ++--
 uv.lock | 11 ++++++-----
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 5a28fa803..0f8a759fa 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -34,7 +34,7 @@ dependencies = [
 "extract-msg>=0.39.0",
 "ffmpeg-python>=0.2.0",
 "flasgger>=0.9.7.1,<0.10.0",
- "flask-cors==5.0.0",
+ "flask-cors==6.0.2",
 "flask-login==0.6.3",
 "flask-mail>=0.10.0",
 "flask-session==0.8.0",
@@ -55,7 +55,7 @@ dependencies = [
 "markdown==3.6",
 "markdown-to-json==2.1.1",
 "markdownify>=1.2.0",
- "mcp>=1.9.4",
+ "mcp>=1.19.0",
 "mini-racer>=0.12.4,<0.13.0",
 "minio==7.2.4",
 "mistralai==0.4.2",
diff --git a/uv.lock b/uv.lock
index c65a6a47f..b3f5ebc67 100644
--- a/uv.lock
+++ b/uv.lock
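Review bot: The `mcp>=1.9.4` to `mcp>=1.19.0` floor raise in the second pyproject.toml hunk is not explained by the description, which lists three CVEs without naming the affected package. As far as I can tell, all three identifiers are Flask-CORS advisories, so the commit message should say what the mcp bump addresses, or that bump should move to its own commit. The uv.lock hunks change only the `requires-dist` specifier for mcp and no `[[package]]` entry, so the locked mcp version presumably already met the new floor and lockfile installs are unaffected. In the first hunk, `flask-cors==6.0.2` is a major-version jump; as I understand the 6.x line, the fixes change how request paths are matched against CORS resource patterns, so the application's CORS rules should be re-tested before release. The `dependencies` array starts and ends outside both hunks.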
@@ -1836,14 +1836,15 @@ wheels = [ [[package]] name = "flask-cors" -version = "5.0.0" +version = "6.0.2" source = { registry = "https://pypi.tuna.tsinghua.edu.cn/simple" } dependencies = [ { name = "flask" }, + { name = "werkzeug" }, ] -sdist = { url = "https://pypi.tuna.tsinghua.edu.cn/packages/4f/d0/d9e52b154e603b0faccc0b7c2ad36a764d8755ef4036acbf1582a67fb86b/flask_cors-5.0.0.tar.gz", hash = "sha256:5aadb4b950c4e93745034594d9f3ea6591f734bb3662e16e255ffbf5e89c88ef", size = 30954, upload-time = "2024-08-31T00:44:26.395Z" } +sdist = { url = "https://pypi.tuna.tsinghua.edu.cn/packages/70/74/0fc0fa68d62f21daef41017dafab19ef4b36551521260987eb3a5394c7ba/flask_cors-6.0.2.tar.gz", hash = "sha256:6e118f3698249ae33e429760db98ce032a8bf9913638d085ca0f4c5534ad2423", size = 13472, upload-time = "2025-12-12T20:31:42.861Z" } wheels = [ - { url = "https://pypi.tuna.tsinghua.edu.cn/packages/56/07/1afa0514c876282bebc1c9aee83c6bb98fe6415cf57b88d9b06e7e29bf9c/Flask_Cors-5.0.0-py2.py3-none-any.whl", hash = "sha256:b9e307d082a9261c100d8fb0ba909eec6a228ed1b60a8315fd85f783d61910bc", size = 14463, upload-time = "2024-08-31T00:44:24.394Z" }, + { url = "https://pypi.tuna.tsinghua.edu.cn/packages/4f/af/72ad54402e599152de6d067324c46fe6a4f531c7c65baf7e96c63db55eaf/flask_cors-6.0.2-py3-none-any.whl", hash = "sha256:e57544d415dfd7da89a9564e1e3a9e515042df76e12130641ca6f3f2f03b699a", size = 13257, upload-time = "2025-12-12T20:31:41.3Z" }, ] [[package]] @@ -6215,7 +6216,7 @@ requires-dist = [ { name = "extract-msg", specifier = ">=0.39.0" }, { name = "ffmpeg-python", specifier = ">=0.2.0" }, { name = "flasgger", specifier = ">=0.9.7.1,<0.10.0" }, - { name = "flask-cors", specifier = "==5.0.0" }, + { name = "flask-cors", specifier = "==6.0.2" }, { name = "flask-login", specifier = "==0.6.3" }, { name = "flask-mail", specifier = ">=0.10.0" }, { name = "flask-session", specifier = "==0.8.0" }, 
@@ -6236,7 +6237,7 @@ requires-dist = [ { name = "markdown", specifier = "==3.6" }, { name = "markdown-to-json", specifier = "==2.1.1" }, { name = "markdownify", specifier = ">=1.2.0" }, - { name = "mcp", specifier = ">=1.9.4" }, + { name = "mcp", specifier = ">=1.19.0" }, { name = "mini-racer", specifier = ">=0.12.4,<0.13.0" }, { name = "minio", specifier = "==7.2.4" }, { name = "mistralai", specifier = "==0.4.2" },