# # Licensed to the Apache Software Foundation (ASF) under one # or more contributor license agreements. See the NOTICE file # distributed with this work for additional information # regarding copyright ownership. The ASF licenses this file # to you under the Apache License, Version 2.0 (the # "License"); you may not use this file except in compliance # with the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, # software distributed under the License is distributed on an # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY # KIND, either express or implied. See the License for the # specific language governing permissions and limitations # under the License. # # Security: CVE-2026-21441 - decompression bomb bypass on redirects urllib3>=2.6.3,<3.0.0 # Security: CVE-2026-27199 - Windows device name handling in safe_join werkzeug>=3.1.6,<4.0.0 # Security: CVE-2025-68146 - TOCTOU symlink vulnerability filelock>=3.20.3,<4.0.0 # Security: decompression bomb fix (required by aiohttp 3.13.3) brotli>=1.2.0,<2.0.0 numexpr>=2.9.0 # Security: CVE-2026-34073 (MEDIUM) - Improper Certificate Validation cryptography>=49.0.0,<50.0.0 # Security: Snyk - XSS vulnerability in Mako templates mako>=1.3.11,<2.0.0 # Security: CVE-2024-52338 (CRITICAL) - Deserialization of untrusted data in IPC/Parquet readers pyarrow>=24.0.0,<25.0.0 # Security: CVE-2026-27459 - pyopenssl certificate validation pyopenssl>=26.0.0,<27.0.0 # Security: CVE-2026-25645 (MEDIUM) - Insecure Temporary File requests>=2.33.0,<3.0.0 # 5.0.0 has a sensitive deprecation used in other libs # -> https://github.com/aio-libs/async-timeout/blob/master/CHANGES.rst#500-2024-10-31 async_timeout>=4.0.0,<5.0.0 # Known issue with 6.7.0 breaking a unit test, probably easy to fix, but will require # a bit of attention to bump. apispec>=6.0.0,<6.7.0 # 1.4.1 introduced a memory regression that exhausts memory in the test suite # (https://github.com/marshmallow-code/marshmallow-sqlalchemy/issues/665). 1.4.2 # claimed a fix but did not address the root cause; only 1.5.0 actually fixes it. marshmallow-sqlalchemy>=1.5.0 # needed for python 3.12 support openapi-schema-validator>=0.6.3 # Pin setuptools <81 until all dependencies migrate from pkg_resources to importlib.metadata # pkg_resources is deprecated and will be removed in setuptools 81+ (around 2025-11-30) # Known affected packages: Preset's 'clients' package # See docs/docs/contributing/pkg-resources-migration.md for details setuptools<81 # google-auth 2.53+ dropped its transitive dependency on cachetools, which is # imported directly by superset.db_engine_specs.aws_iam. We declare cachetools # explicitly in pyproject.toml and pin google-auth to the post-drop range so # the install path is internally consistent (#40962). google-auth>=2.53.0,<3.0.0