Path traversal (cloud middleware):
- Add _VALID_USER_ID_RE UUID regex; reject non-UUID user_id before constructing db path from CLOUD_DATA_ROOT / user_id / ...
- Non-UUID values log a warning and fall through to the unauthenticated path

SSRF (test_email IMAP endpoint):
- Add _is_ssrf_host() using ipaddress + socket.gethostbyname()
- Checks resolved IP against RFC-1918, loopback, and link-local ranges
- Fails closed on DNS resolution errors (returns True = blocked)

Dependency security pins in environment.yml (transitive CVEs):
- starlette>=1.0.1 (PYSEC-2026-161), python-multipart>=0.0.27 (CVE-2026-40347), aiohttp>=3.14.0, tornado>=6.5.5, cryptography>=46.0.7, langsmith>=0.8.0, gitpython>=3.1.50, lxml>=6.1.0, idna>=3.15, markdownify>=0.14.1
- Direct dep upgrades: requests>=2.33.0, pypdf>=6.12.0, python-dotenv>=1.2.2, PyJWT>=2.13.0, curl_cffi>=0.15.0

npm audit (web/package-lock.json):
- Resolved 7 of 9 CVEs; 2 remaining esbuild CVEs require vite 8 upgrade (tracked as issue #123 — breaking change, deferred)
name: cf
|
|
# Recreate: conda env create -f environment.yml
|
|
# Update pinned snapshot: conda env export --no-builds > environment.yml
|
|
channels:
|
|
- conda-forge
|
|
- defaults
|
|
dependencies:
|
|
- python=3.12
|
|
- pip
|
|
- pip:
|
|
# ── Web UI ────────────────────────────────────────────────────────────────
|
|
- streamlit>=1.35
|
|
- watchdog # live reload
|
|
- reportlab>=4.0 # PDF cover letter export
|
|
- pandas>=2.0
|
|
- pyarrow # streamlit data tables
|
|
- streamlit-paste-button>=0.1.0
|
|
|
|
# ── Job scraping ──────────────────────────────────────────────────────────
|
|
- python-jobspy>=1.1
|
|
- playwright # browser automation (run: playwright install chromium)
|
|
- selenium
|
|
- undetected-chromedriver
|
|
- webdriver-manager
|
|
- beautifulsoup4
|
|
- requests>=2.33.0 # CVE-2026-25645
|
|
- curl_cffi>=0.15.0 # CVE-2026-33752
|
|
- fake-useragent # company scraper rotation
|
|
|
|
# ── LLM / AI backends ─────────────────────────────────────────────────────
|
|
- openai>=1.55.0,<2.0.0 # >=1.55 required for httpx 0.28 compat; <2.0 for langchain-openai
|
|
- anthropic>=0.80 # direct Anthropic API fallback
|
|
- ollama # Python client for Ollama management
|
|
- langchain>=0.2
|
|
- langchain-openai
|
|
- langchain-anthropic
|
|
- langchain-ollama
|
|
- langchain-community
|
|
- langchain-google-genai
|
|
- google-generativeai
|
|
- tiktoken
|
|
|
|
# ── Resume matching ───────────────────────────────────────────────────────
|
|
- scikit-learn>=1.3
|
|
- rapidfuzz
|
|
- lib-resume-builder-aihawk
|
|
|
|
# ── Notion integration ────────────────────────────────────────────────────
|
|
- notion-client>=3.0
|
|
|
|
# ── Calendar integrations ─────────────────────────────────────────────────
|
|
- caldav>=1.3
|
|
- icalendar>=5.0
|
|
- google-api-python-client>=2.0
|
|
- google-auth>=2.0
|
|
|
|
# ── Document handling ─────────────────────────────────────────────────────
|
|
- pypdf>=6.12.0 # 12 CVEs in 6.7.x (CVE-2026-27628 through CVE-2026-48156)
|
|
- pdfminer-six
|
|
- pyyaml>=6.0
|
|
- python-dotenv>=1.2.2 # CVE-2026-28684
|
|
|
|
# ── Auth / licensing ──────────────────────────────────────────────────────
|
|
- PyJWT>=2.13.0 # 2.11 has sig bypass CVEs (PYSEC-2026-120/175-179); used for cloud session routing
|
|
|
|
# ── Utilities ─────────────────────────────────────────────────────────────
|
|
- sqlalchemy
|
|
- tqdm
|
|
- loguru
|
|
- rich
|
|
- tenacity
|
|
- httpx
|
|
|
|
# ── Security pins (transitive deps with known CVEs) ───────────────────────
|
|
- starlette>=1.0.1 # PYSEC-2026-161 (FastAPI foundation)
|
|
- python-multipart>=0.0.27 # CVE-2026-40347/42561 file upload parsing
|
|
- aiohttp>=3.14.0 # 12 CVEs (CVE-2026-34513 through CVE-2026-34993)
|
|
- tornado>=6.5.5 # CVE-2026-35536
|
|
- cryptography>=46.0.7 # PYSEC-2026-35/36
|
|
- langsmith>=0.8.0 # CVE-2026-41182/45134
|
|
- gitpython>=3.1.50 # CVE-2026-42215/42284/44244
|
|
- lxml>=6.1.0 # PYSEC-2026-87 (XXE)
|
|
- idna>=3.15 # CVE-2026-45409
|
|
- markdownify>=0.14.1 # CVE-2025-46656
|
|
|
|
# ── Testing ───────────────────────────────────────────────────────────────
|
|
- pytest>=9.0
|
|
- pytest-cov
|
|
- pytest-mock
|
|
# Documentation
|
|
- mkdocs>=1.5
|
|
- mkdocs-material>=9.5
|
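Review bot: The header comment `# Update pinned snapshot: conda env export --no-builds > environment.yml` no longer matches the file it sits on — the dependency list is now a set of `>=` floors with CVE rationale in inline comments, and re-running that export would replace the floors with whatever exact versions happen to be installed and drop every annotation in the Security pins section. Suggest rewording it to `# Hand-maintained: do not regenerate with conda env export (it would drop the CVE floors and their comments below)`. A `>=` floor also does not record the resolution that was actually audited, so a separate lock artifact (pip freeze or conda-lock output) is what the next advisory check should be compared against. The starlette and python-multipart floors are labelled as the FastAPI foundation, but no fastapi entry appears in this file; if the cloud middleware imports it directly, listing it explicitly would make the dependency chain visible rather than relying on it arriving transitively.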