peregrine/environment.yml
pyr0ball 3cdd14c345 fix(security): CVE mitigations — path traversal, SSRF, dep upgrades, npm audit
Path traversal (cloud middleware):
- Add _VALID_USER_ID_RE UUID regex; reject non-UUID user_id before
  constructing db path from CLOUD_DATA_ROOT / user_id / ...
- Non-UUID values log a warning and fall through to unauthenticated path

SSRF (test_email IMAP endpoint):
- Add _is_ssrf_host() using ipaddress + socket.gethostbyname()
- Checks resolved IP against RFC-1918, loopback, and link-local ranges
- Fails closed on DNS resolution errors (returns True = blocked)

Dependency security pins in environment.yml (transitive CVEs):
- starlette>=1.0.1 (PYSEC-2026-161), python-multipart>=0.0.27 (CVE-2026-40347),
  aiohttp>=3.14.0, tornado>=6.5.5, cryptography>=46.0.7, langsmith>=0.8.0,
  gitpython>=3.1.50, lxml>=6.1.0, idna>=3.15, markdownify>=0.14.1
- Direct dep upgrades: requests>=2.33.0, pypdf>=6.12.0, python-dotenv>=1.2.2,
  PyJWT>=2.13.0, curl_cffi>=0.15.0

npm audit (web/package-lock.json):
- Resolved 7 of 9 CVEs; 2 remaining esbuild CVEs require vite 8 upgrade
  (tracked as issue #123 — breaking change, deferred)
2026-06-14 12:16:00 -07:00

92 lines
4.4 KiB
YAML

name: cf
# Recreate: conda env create -f environment.yml
# Update pinned snapshot: conda env export --no-builds > environment.yml
channels:
- conda-forge
- defaults
dependencies:
- python=3.12
- pip
- pip:
# ── Web UI ────────────────────────────────────────────────────────────────
- streamlit>=1.35
- watchdog # live reload
- reportlab>=4.0 # PDF cover letter export
- pandas>=2.0
- pyarrow # streamlit data tables
- streamlit-paste-button>=0.1.0
# ── Job scraping ──────────────────────────────────────────────────────────
- python-jobspy>=1.1
- playwright # browser automation (run: playwright install chromium)
- selenium
- undetected-chromedriver
- webdriver-manager
- beautifulsoup4
- requests>=2.33.0 # CVE-2026-25645
- curl_cffi>=0.15.0 # CVE-2026-33752
- fake-useragent # company scraper rotation
# ── LLM / AI backends ─────────────────────────────────────────────────────
- openai>=1.55.0,<2.0.0 # >=1.55 required for httpx 0.28 compat; <2.0 for langchain-openai
- anthropic>=0.80 # direct Anthropic API fallback
- ollama # Python client for Ollama management
- langchain>=0.2
- langchain-openai
- langchain-anthropic
- langchain-ollama
- langchain-community
- langchain-google-genai
- google-generativeai
- tiktoken
# ── Resume matching ───────────────────────────────────────────────────────
- scikit-learn>=1.3
- rapidfuzz
- lib-resume-builder-aihawk
# ── Notion integration ────────────────────────────────────────────────────
- notion-client>=3.0
# ── Calendar integrations ─────────────────────────────────────────────────
- caldav>=1.3
- icalendar>=5.0
- google-api-python-client>=2.0
- google-auth>=2.0
# ── Document handling ─────────────────────────────────────────────────────
- pypdf>=6.12.0 # 12 CVEs in 6.7.x (CVE-2026-27628 through CVE-2026-48156)
- pdfminer-six
- pyyaml>=6.0
- python-dotenv>=1.2.2 # CVE-2026-28684
# ── Auth / licensing ──────────────────────────────────────────────────────
- PyJWT>=2.13.0 # 2.11 has sig bypass CVEs (PYSEC-2026-120/175-179); used for cloud session routing
# ── Utilities ─────────────────────────────────────────────────────────────
- sqlalchemy
- tqdm
- loguru
- rich
- tenacity
- httpx
# ── Security pins (transitive deps with known CVEs) ───────────────────────
- starlette>=1.0.1 # PYSEC-2026-161 (FastAPI foundation)
- python-multipart>=0.0.27 # CVE-2026-40347/42561 file upload parsing
- aiohttp>=3.14.0 # 12 CVEs (CVE-2026-34513 through CVE-2026-34993)
- tornado>=6.5.5 # CVE-2026-35536
- cryptography>=46.0.7 # PYSEC-2026-35/36
- langsmith>=0.8.0 # CVE-2026-41182/45134
- gitpython>=3.1.50 # CVE-2026-42215/42284/44244
- lxml>=6.1.0 # PYSEC-2026-87 (XXE)
- idna>=3.15 # CVE-2026-45409
- markdownify>=0.14.1 # CVE-2025-46656
# ── Testing ───────────────────────────────────────────────────────────────
- pytest>=9.0
- pytest-cov
- pytest-mock
# Documentation
- mkdocs>=1.5
- mkdocs-material>=9.5