
@arvion-bot-dev-felipe2

Automated Security Remediation

📂 Files Modified

  • setup.py

    • Updated versions of all dependencies in install_requires to the target versions. The python_requires was also changed from Python 2.7 to Python 3.8+ to match the requirements of the upgraded libraries.
  • app/database.py

    • The file was updated to be compatible with SQLAlchemy 2.0. This involved updating the import for declarative_base, adding the future=True parameter to create_engine, and specifying column names explicitly in Column definitions. Consequently, the raw SQL query in get_user was updated to use the text() construct, which is required in SQLAlchemy 2.0 mode. A local variable was renamed to avoid a conflict with the imported text symbol. Additionally, Python 2-specific syntax such as the __unicode__ method, unicode type, and u"" string literals were updated to be compatible with Python 3, which is required by the upgraded dependencies.

🔄 Migrations Performed

requests 2.5.3 → 2.32.5

🔒 Vulnerabilities Fixed:

  • Medium severity [CVE-2024-47081]: Requests vulnerable to .netrc credentials leak via malicious URLs
  • Medium severity [CVE-2024-35195]: Requests Session object does not verify requests after making first request with verify=False
  • Medium severity [CVE-2023-32681]: Unintended leak of Proxy-Authorization header in requests
  • Medium severity [CVE-2015-2296]: Python Requests Session Fixation
  • High severity [CVE-2018-18074]: Insufficiently Protected Credentials in Requests

⚠️ Breaking Changes Applied:

No breaking changes were applied for this dependency.


pyyaml 3.12 → 6.0.2

🔒 Vulnerabilities Fixed:

  • Critical severity [CVE-2020-14343]: Improper Input Validation in PyYAML
  • Critical severity [CVE-2017-18342]: PyYAML insecurely deserializes YAML strings leading to arbitrary code execution

⚠️ Breaking Changes Applied:

No breaking changes were applied for this dependency.


flask 0.12.2 → 3.1.2

🔒 Vulnerabilities Fixed:

  • High severity [CVE-2018-1000656]: Flask is vulnerable to Denial of Service via incorrect encoding of JSON data
  • High severity [CVE-2019-1010083]: Pallets Project Flask is vulnerable to Denial of Service via Unexpected memory usage
  • High severity [CVE-2023-30861]: Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header

⚠️ Breaking Changes Applied:

No breaking changes were applied for this dependency.


jinja2 2.8 → 3.1.6

🔒 Vulnerabilities Fixed:

  • High severity [CVE-2019-10906]: Jinja2 sandbox escape via string formatting
  • Medium severity [CVE-2025-27516]: Jinja2 vulnerable to sandbox breakout through attr filter selecting format method
  • Medium severity [CVE-2020-28493]: Regular Expression Denial of Service (ReDoS) in Jinja2
  • Medium severity [CVE-2024-22195]: Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
  • Medium severity [CVE-2024-34064]: Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
  • High severity [CVE-2016-10745]: Jinja2 sandbox escape vulnerability
  • Medium severity [CVE-2024-56326]: Jinja has a sandbox breakout through indirect reference to format method

⚠️ Breaking Changes Applied:

No breaking changes were applied for this dependency.


sqlalchemy 1.0.0 → 2.0.43

🔒 Vulnerabilities Fixed:

  • Critical severity [CVE-2019-7548]: SQLAlchemy is vulnerable to SQL Injection via group_by parameter
  • Critical severity [CVE-2019-7164]: SQLAlchemy vulnerable to SQL Injection via order_by parameter

⚠️ Breaking Changes Applied:

Symbol: sqlalchemy.ext.declarative.declarative_base

  • The declarative_base function in sqlalchemy.ext.declarative has been updated. While the basic usage Base = declarative_base() remains syntactically similar, the internal implementation and accepted parameters have changed significantly. For SQLAlchemy 2.0 and later, it's advised to use sqlalchemy.orm.registry and generate_base() for a more modern and type-hint friendly declarative setup.

Symbol: sqlalchemy.Column

  • The constructor signature for sqlalchemy.Column has been changed to Column(name: str, type_: TypeEngine, *arg: MappedArg, **kw: MappedKwarg). Previously, the type was often the first argument, and the name could be positional or a keyword argument. Now, name and type_ are strictly the first two positional arguments.

Symbol: sqlalchemy.create_engine

  • The future parameter is now required for SQLAlchemy 2.0+.

urllib3 1.20 → 2.5.0

🔒 Vulnerabilities Fixed:

  • Medium severity [CVE-2024-37891]: urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects
  • Medium severity [CVE-2023-45803]: urllib3's request body not stripped after redirect from 303 status changes request method to GET
  • Medium severity [CVE-2018-25091]: Authorization Header forwarded on redirect
  • High severity [CVE-2019-11324]: Improper Certificate Validation in urllib3
  • Medium severity [CVE-2025-50181]: urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation
  • Medium severity [CVE-2019-11236]: Improper Neutralization of CRLF Sequences in urllib3 library for Python
  • High severity [CVE-2023-43804]: Cookie HTTP header isn't stripped on cross-origin redirects
  • Medium severity [CVE-2020-26137]: CRLF injection in urllib3
  • Critical severity [CVE-2018-20060]: Exposure of Sensitive Information to an Unauthorized Actor in urllib3
  • No severity [CVE-2021-33503]: An issue was discovered in urllib3 before 1.26.5. ...

⚠️ Breaking Changes Applied:

No breaking changes were applied for this dependency.


werkzeug 0.11 → 3.1.3

🔒 Vulnerabilities Fixed:

  • High severity [CVE-2024-34069]: Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain
  • Medium severity [CVE-2020-28724]: Open Redirect in werkzeug
  • Medium severity [CVE-2024-49766]: Werkzeug safe_join not safe on Windows
  • High severity [CVE-2019-14806]: Pallets Werkzeug Insufficient Entropy
  • Medium severity [CVE-2016-10516]: Pallets Werkzeug cross-site scripting vulnerability
  • Medium severity [CVE-2023-46136]: Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning
  • High severity [CVE-2019-14322]: Pallets Werkzeug vulnerable to Path Traversal
  • Low severity [CVE-2023-23934]: Incorrect parsing of nameless cookies leads to __Host- cookies bypass
  • Medium severity [CVE-2024-49767]: Werkzeug possible resource exhaustion when parsing file data in forms
  • High severity [CVE-2023-25577]: High resource usage when parsing multipart form data with many fields
  • No severity [CVE-2022-29361]: ** DISPUTED ** Improper parsing of HTTP requests i...

⚠️ Breaking Changes Applied:

No breaking changes were applied for this dependency.


🛠️ Additional Notes

  • Testing: Please ensure thorough testing after merging this PR to verify that all upgrades are compatible with your codebase.
  • Documentation: For detailed vulnerability reports and release notes, refer to the security advisories.
  • Support: For any questions or concerns, contact the Arvion Security Team at hello@arvion.ai.

📢 This PR was generated by Arvion's automated remediation system to enhance your repository's security while maintaining stability. 🚀
