From 34384b982419b9fd51b254569dbfff0e5174a332 Mon Sep 17 00:00:00 2001 From: nelsoduarte Date: Thu, 18 Jun 2026 18:29:40 +0100 Subject: [PATCH] chore(deps): bump security pins (cryptography, urllib3, idna) - cryptography>=48.0.1 closes GHSA-537c-gmf6-5ccf (signature verification bypass in legacy OpenSSL providers). - urllib3>=2.7.0 covers PYSEC-2026-141, PYSEC-2026-142, and related request-smuggling / parsing advisories. Transitive via cryptography and requests. - idna>=3.15 covers PYSEC-2026-215 (denial of service via crafted Punycode input). Transitive via urllib3. pypdf CVEs (CVE-2026-49460/49461/54530/54531 + GHSA-jm82-fx9c-mx94) are already addressed by the existing pypdf>=6.13.0 floor resolving to 6.13.3+ in fresh CI installs. --- requirements.txt | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index bd2f8a4..a6913d8 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,6 +1,8 @@ PySide6>=6.11.1 pypdf>=6.13.0 -cryptography>=48.0.0 +# GHSA-537c-gmf6-5ccf: signature verification bypass in legacy OpenSSL +# providers fixed in 48.0.1. +cryptography>=48.0.1 qtawesome>=1.4.1 pillow>=12.1.1 pymupdf>=1.27.2.3 @@ -15,4 +17,9 @@ ebooklib>=0.20 # external entities by default, allowing crafted DOCX/PPTX/EPUB/PDF-XMP # files to read arbitrary local files). lxml>=6.1.0 +# Transitive of cryptography/requests; pinned to address advisories +# PYSEC-2026-141 / 142 / GHSA series for urllib3 < 2.7.0. +urllib3>=2.7.0 +# Transitive of urllib3/requests; PYSEC-2026-215 for idna < 3.15. +idna>=3.15 pyinstaller>=6.20.0
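Review bot: the unchanged `pypdf>=6.13.0` context line in the first hunk contradicts the commit message, which says the pypdf advisories (CVE-2026-49460/49461/54530/54531 and GHSA-jm82-fx9c-mx94) are covered because the floor ends up "resolving to 6.13.3+ in fresh CI installs". A `>=6.13.0` floor does not guarantee that: any install with a cached wheel, a constraints file or an offline mirror can legally resolve to 6.13.0, 6.13.1 or 6.13.2. The same hunk already applies the right rule to `cryptography` (48.0.0 raised to 48.0.1, the first fixed release, with the advisory named in a comment); do the same for pypdf, assuming 6.13.3 is the first fixed release as the message implies:
`# CVE-2026-49460/49461/54530/54531, GHSA-jm82-fx9c-mx94: fixed in 6.13.3.`
`pypdf>=6.13.3`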
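Review bot: in the second hunk the `urllib3` comment refers to a "GHSA series for urllib3 < 2.7.0" without naming any identifier, unlike the cryptography comment in the first hunk, which cites GHSA-537c-gmf6-5ccf; list the GHSA IDs this bump is meant to close (or drop the phrase and keep only PYSEC-2026-141 / 142) so a later reader or an audit tool can check whether the 2.7.0 floor is still sufficient. Also, these two lines pin transitive packages directly in requirements.txt; the comments name cryptography, requests and urllib3 as the parents, but nothing in the diff records that those parents accept urllib3 2.7.0 and idna 3.15. Either add a one-line note of where that compatibility was verified or move the two floors into a constraints file, so they are not read as direct dependencies of the project.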