From 1e9d341476f7fa52d28b0db2e046566d21d19fab Mon Sep 17 00:00:00 2001
From: QuantBot
Date: Thu, 18 Jun 2026 11:33:07 +0800
Subject: [PATCH] security: upgrade audited backend dependencies

---
 docs/security/incident-2026-06-18-188-miner-triage.md | 1 +
 platform/backend/requirements.txt | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/docs/security/incident-2026-06-18-188-miner-triage.md b/docs/security/incident-2026-06-18-188-miner-triage.md
index cedfd60..0284281 100644
--- a/docs/security/incident-2026-06-18-188-miner-triage.md
+++ b/docs/security/incident-2026-06-18-188-miner-triage.md
@@ -43,6 +43,7 @@
 - Gitea CD 移除會吞錯的 `|| true`,測試、lint、稽核失敗即停止部署。
 - Gitea CD 改用 `rsync --delete`,讓正式機同步清掉已從 repo 移除的高風險腳本。
 - Docker Compose 改成要求正式環境必須提供 `DB_PASSWORD`、`REDIS_PASSWORD`、`NEXTAUTH_SECRET`,不得再使用 `change_me` 類預設值。
+- 第一次 Gitea 安全閘門已阻擋部署,原因是 `pip-audit` 確認 `aiohttp 3.11.11` 與 FastAPI 間接依賴的 `starlette 0.41.3` 有已知弱點;已將後端依賴升級至 `fastapi 0.137.1` 與 `aiohttp 3.14.1`,讓部署必須先通過依賴弱點檢查。
 ## 後續必做事項
diff --git a/platform/backend/requirements.txt b/platform/backend/requirements.txt
index 392a057..346853b 100644
--- a/platform/backend/requirements.txt
+++ b/platform/backend/requirements.txt
@@ -1,8 +1,8 @@
-fastapi==0.115.6
+fastapi==0.137.1
 uvicorn==0.32.1
 redis==5.2.1
 pydantic==2.10.5
-aiohttp==3.11.11
+aiohttp==3.14.1
 asyncpg==0.30.0
 sqlalchemy[asyncio]==2.0.39
 pandas==2.2.3