security: upgrade audited backend dependencies
Some checks failed
2026 World Cup Quant Platform - Production Deployment / Code Quality, Security Gate & Testing (push) Failing after 3m12s
2026 World Cup Quant Platform - Production Deployment / Deploy to Production VM via Gitea CD (push) Has been cancelled

QuantBot
2026-06-18 11:33:07 +08:00
parent 076b5c1bc3
commit 1e9d341476
2 changed files with 3 additions and 2 deletions


@@ -43,6 +43,7 @@
- Gitea CD 移除會吞錯的 `|| true`測試、lint、稽核失敗即停止部署。
- Gitea CD 改用 `rsync --delete`,讓正式機同步清掉已從 repo 移除的高風險腳本。
- Docker Compose 改成要求正式環境必須提供 `DB_PASSWORD``REDIS_PASSWORD``NEXTAUTH_SECRET`,不得再使用 `change_me` 類預設值。
- 第一次 Gitea 安全閘門已阻擋部署,原因是 `pip-audit` 確認 `aiohttp 3.11.11` 與 FastAPI 間接依賴的 `starlette 0.41.3` 有已知弱點;已將後端依賴升級至 `fastapi 0.137.1``aiohttp 3.14.1`,讓部署必須先通過依賴弱點檢查。
## 後續必做事項
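Review bot: the added line (the one beginning `- 第一次 Gitea 安全閘門已阻擋部署`) runs the two new pins together as `fastapi 0.137.1``aiohttp 3.14.1` with no separator between them, the same fused-backtick problem as the `DB_PASSWORD``REDIS_PASSWORD``NEXTAUTH_SECRET` line just above it; put a comma or 與 between each pair so the rendered Markdown lists them as separate items. While touching that line, record the advisory identifiers that `pip-audit` reported for `aiohttp 3.11.11` and `starlette 0.41.3`, since the text names the vulnerable versions but not the findings, and without the IDs nobody can later confirm that `fastapi 0.137.1` and `aiohttp 3.14.1` actually close them rather than just being newer.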


@@ -1,8 +1,8 @@
fastapi==0.115.6
fastapi==0.137.1
uvicorn==0.32.1
redis==5.2.1
pydantic==2.10.5
aiohttp==3.11.11
aiohttp==3.14.1
asyncpg==0.30.0
sqlalchemy[asyncio]==2.0.39
pandas==2.2.3
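Review bot: the package the documentation identifies as vulnerable, `starlette 0.41.3`, is not pinned in this file at all; only `fastapi==0.137.1` changes, so the starlette version the deployment resolves depends entirely on FastAPI's own dependency range and can drift on a later install. Either add an explicit `starlette==<fixed version>` pin next to `fastapi==0.137.1` or, at minimum, check the resolved version in the lock or `pip freeze` output and note it in the commit. Also note that `fastapi` jumps from 0.115.6 to 0.137.1 and `aiohttp` from 3.11.11 to 3.14.1 while `uvicorn==0.32.1` and `pydantic==2.10.5` stay put, and the "Code Quality, Security Gate & Testing" job is reported failing after 3m12s on this very push: the job log should be read before this is merged, because the commit message says the goal is to pass the dependency audit gate, and it currently does not.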