[Arvion] Security remediation: Upgrade dependencies and apply SQLAlchemy 2.0 migrations

[arvion-bot-dev-felipe2]

Automated Security Remediation

📂 Files Modified

• setup.py

  • Updated dependency versions in setup.py to the target versions specified in the migration plan. The python_requires was updated to '>=3.8' to be compatible with the new versions of upgraded libraries like PyYAML, Jinja2, SQLAlchemy, urllib3, and Werkzeug.

• app/database.py

  • Updated the SQLAlchemy usage to be compatible with version 2.0. The declarative_base factory function from sqlalchemy.ext.declarative has been replaced with the DeclarativeBase class from sqlalchemy.orm. The create_engine call was updated to include the future=True parameter, which enables 2.0 style execution.

---

🔄 Migrations Performed

requests 2.5.3 → 2.32.5

🔒 Vulnerabilities Fixed:

• [CVE-2024-47081]: Requests vulnerable to .netrc credentials leak via malicious URLs
• [CVE-2024-35195]: Requests Session object does not verify requests after making first request with verify=False
• [CVE-2023-32681]: Unintended leak of Proxy-Authorization header in requests
• [CVE-2015-2296]: Python Requests Session Fixation
• [CVE-2018-18074]: Insufficiently Protected Credentials in Requests

⚠️ Breaking Changes Applied:

No breaking changes were applied for this dependency.

---

pyyaml 3.12 → 6.0.3

🔒 Vulnerabilities Fixed:

• [CVE-2020-14343]: Improper Input Validation in PyYAML
• [CVE-2017-18342]: PyYAML insecurely deserializes YAML strings leading to arbitrary code execution

⚠️ Breaking Changes Applied:

No breaking changes were applied for this dependency.

---

flask 0.12.2 → 3.1.2

🔒 Vulnerabilities Fixed:

• [CVE-2018-1000656]: Flask is vulnerable to Denial of Service via incorrect encoding of JSON data
• [CVE-2019-1010083]: Pallets Project Flask is vulnerable to Denial of Service via Unexpected memory usage
• [CVE-2023-30861]: Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header

⚠️ Breaking Changes Applied:

No breaking changes were applied for this dependency.

---

jinja2 2.8 → 3.1.6

🔒 Vulnerabilities Fixed:

• [CVE-2019-10906]: Jinja2 sandbox escape via string formatting
• [CVE-2025-27516]: Jinja2 vulnerable to sandbox breakout through attr filter selecting format method
• [CVE-2020-28493]: Regular Expression Denial of Service (ReDoS) in Jinja2
• [CVE-2024-22195]: Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
• [CVE-2024-34064]: Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
• [CVE-2016-10745]: Jinja2 sandbox escape vulnerability
• [CVE-2024-56326]: Jinja has a sandbox breakout through indirect reference to format method

⚠️ Breaking Changes Applied:

No breaking changes were applied for this dependency.

---

sqlalchemy 1.0.0 → 2.0.43

🔒 Vulnerabilities Fixed:

• [CVE-2019-7548]: SQLAlchemy is vulnerable to SQL Injection via group_by parameter
• [CVE-2019-7164]: SQLAlchemy vulnerable to SQL Injection via order_by parameter

⚠️ Breaking Changes Applied:

Symbol: sqlalchemy.ext.declarative.declarative_base

• The declarative_base function has been removed in SQLAlchemy 2.0.

Symbol: sqlalchemy.create_engine

• The future parameter has been added to create_engine and is required for SQLAlchemy 2.0 style.

---

urllib3 1.20 → 2.5.0

🔒 Vulnerabilities Fixed:

• [CVE-2024-37891]: urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects
• [CVE-2023-45803]: urllib3's request body not stripped after redirect from 303 status changes request method to GET
• [CVE-2018-25091]: Authorization Header forwarded on redirect
• [CVE-2019-11324]: Improper Certificate Validation in urllib3
• [CVE-2025-50181]: urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation
• [CVE-2019-11236]: Improper Neutralization of CRLF Sequences in urllib3 library for Python
• [CVE-2023-43804]: Cookie HTTP header isn't stripped on cross-origin redirects
• [CVE-2020-26137]: CRLF injection in urllib3
• [CVE-2018-20060]: Exposure of Sensitive Information to an Unauthorized Actor in urllib3
• [CVE-2021-33503]: An issue was discovered in urllib3 before 1.26.5. ...

⚠️ Breaking Changes Applied:

No breaking changes were applied for this dependency.

---

werkzeug 0.11 → 3.1.3

🔒 Vulnerabilities Fixed:

• [CVE-2024-34069]: Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain
• [CVE-2020-28724]: Open Redirect in werkzeug
• [CVE-2024-49766]: Werkzeug safe_join not safe on Windows
• [CVE-2019-14806]: Pallets Werkzeug Insufficient Entropy
• [CVE-2016-10516]: Pallets Werkzeug cross-site scripting vulnerability
• [CVE-2023-46136]: Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning
• [CVE-2019-14322]: Pallets Werkzeug vulnerable to Path Traversal
• [CVE-2023-23934]: Incorrect parsing of nameless cookies leads to __Host- cookies bypass
• [CVE-2024-49767]: Werkzeug possible resource exhaustion when parsing file data in forms
• [CVE-2023-25577]: High resource usage when parsing multipart form data with many fields
• [CVE-2022-29361]: ** DISPUTED ** Improper parsing of HTTP requests i...

⚠️ Breaking Changes Applied:

No breaking changes were applied for this dependency.

---

🛠️ Additional Notes

• Testing: Please ensure thorough testing after merging this PR to verify that all upgrades are compatible with your codebase.
• Documentation: For detailed vulnerability reports and release notes, refer to the security advisories.
• Support: For any questions or concerns, contact the Arvion Security Team at hello@arvion.ai.

---

📢 This PR was generated by Arvion's automated remediation system to enhance your repository's security while maintaining stability. 🚀