
Sdk 2803 python upgrade dependencies to address security cv es core sdk examples #463

Open

mehmet-yoti wants to merge 3 commits into development from SDK-2803-python-upgrade-dependencies-to-address-security-cv-es-core-sdk-examples

Conversation

@mehmet-yoti (Contributor)

Summary

Closes High-severity CVEs across the core SDK and all four example apps by upgrading shipped dependency pins.

Phases

Phase 1 — Core SDK low-risk bumps (31789b5)

setup.py install_requires and requirements.in:

| Package | Before | After | Why |
|---|---|---|---|
| cryptography | >=42.0.0 | >=44.0.1 | CVE-2024-12797 bundled-OpenSSL |
| pyopenssl | >=24.0.0 | >=26.0.0 | High CVEs |
| requests | >=2.31.0 | >=2.32.4 | CVE-2024-47081 .netrc leak |
| urllib3 | >=2.2.1 | >=2.6.3 | decompression / encoding / redirect CVEs |
| cffi | >=1.16.0 | >=1.17.1 | matches compiled pin |
| wheel | >=0.41.0 | >=0.46.2 | CVE-2026-24049 |
| PyYAML | >=6.0 | >=6.0.2 | safe bump |
| wrapt | >=1.15.0 | >=1.17.2 | safe bump |
| itsdangerous | >=2.1.2 | >=2.2.0 | safe bump |

requirements.txt regenerated via pip-compile --upgrade. Transitive consequences:

  • certifi 2018.11.29 → 2026.4.22 (rogue-root advisories)
  • idna 2.7 → 3.15 (CVE-2024-3651)

future package kept — verified runtime usage via from past.builtins import basestring in yoti_python_sdk/crypto.py and tests.

Phase 2 — Protobuf bump (6a49f45)

  • protobuf==3.20.3 → protobuf>=4.25.8,<6 in setup.py and requirements.in. pip-compile resolves to 5.29.6, closing CVE-2025-4565 and CVE-2026-0994 (recursion DoS in google.protobuf).
  • All 10 *_pb2.py files regenerated with protoc 3.21.12 from sdk-protobuf/proto/. Output now uses the _builder.BuildMessageAndEnumDescriptors API required by protobuf 4.x/5.x runtimes — the old _descriptor.FileDescriptor(...) style was incompatible with the new runtime.
  • _pb2_grpc.py stubs are unused in this SDK and left untouched.

Wire format is stable 3.x ↔ 4.x ↔ 5.x, so consumer SDKs (Go 3.16.0, Java 4.0.0, .NET, PHP) do not need coordinated release.

Phase 3 — Example apps (38e32f8)

| Example | Key bumps |
|---|---|
| aml | No .in edits; regenerated .txt picks up new core deps |
| doc_scan | flask 2→3.0.6, pyopenssl 23→26, deprecated/iso8601/pytz floors, click>=8.1 |
| yoti_example_django | django 4.0.1 → 4.2 LTS (closes critical SQLi CVEs), urllib3/requests/cffi bumped, removed unused six, added DEFAULT_AUTO_FIELD = BigAutoField to settings.py |
| yoti_example_flask | flask 1 → 3.0.6 (CVE-2023-30861), werkzeug 1 → 3.0.6 (request smuggling, debugger RCE, path traversal CVEs), jinja2 → 3.1.6 (5 CVEs), pyopenssl/urllib3/requests bumped, explicit itsdangerous>=2.2.0, removed unused six |

setup.py extras_require["examples"] aligned: Django>=4.2,<5.3, Flask>=3.0.6, Werkzeug>=3.0.6.

Verification

Unit tests (Python 3.9, /tmp/sdk2803-venv with local SDK installed via pip install -e .[dev]):

pytest yoti_python_sdk/tests/
→ 438 passed, 14 warnings in 2.67s

Example app boot tests:

| Example | Test | Result |
|---|---|---|
| Django | manage.py check | System check identified no issues |
| Flask | import app | Flask app created cleanly |
| doc_scan | from doc_scan import app | Flask app created cleanly |
| aml | import resolution | OK (CLI app requires live credentials to fully run) |

pip-audit against all 5 requirements.txt files: every High-severity advisory addressed in the audit is closed. The only remaining findings (requests 2.32.5, urllib3 2.6.3, python-dotenv 1.2.1) have fix versions that have not yet been released to PyPI — they will be picked up via dependabot once published.

Out of scope

  • The 3 unreleased upstream advisories above — periodic dependabot check will close them once fixes ship.
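The floor bumps in the Phase 1 and Phase 2 tables above can be sanity-checked offline before running pip-audit. The following is an added example, not code from this PR or the yoti SDK: it evaluates the PR's old and new specifiers against the lowest release each old floor admitted, using a minimal release-segment version comparison (assumption: numeric dotted versions only, no pre-release or epoch handling, which covers every pin this PR changes).

```python
# Added example (not from this PR or the yoti SDK): check whether a
# requirement floor admits a given release. Minimal release-segment
# comparison only: numeric dotted versions, no pre-release/epoch handling,
# which covers every pin this PR changes.
from typing import List, Tuple

def parse_version(text: str) -> Tuple[int, ...]:
    """'44.0.1' -> (44, 0, 1)."""
    return tuple(int(part) for part in text.strip().split("."))

def _aligned(a, b):
    """Right-pad with zeros so '6' and '6.0.0' compare equal."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))

def satisfies(version: str, specifier: str) -> bool:
    """True if `version` is admitted by a comma-joined specifier built from
    ==, >=, >, <=, < (the operators used in this PR's pins)."""
    v = parse_version(version)
    for clause in specifier.split(","):
        clause = clause.strip()
        for op in (">=", "<=", "==", ">", "<"):  # two-char operators first
            if clause.startswith(op):
                a, b = _aligned(v, parse_version(clause[len(op):]))
                ok = {">=": a >= b, "<=": a <= b, "==": a == b,
                      ">": a > b, "<": a < b}[op]
                if not ok:
                    return False
                break
        else:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
    return True

# Constructed from the PR's Phase 1/2 tables: (package, old floor, new floor,
# lowest release the old floor admitted, i.e. a pre-fix version).
PINS = [
    ("cryptography", ">=42.0.0", ">=44.0.1", "42.0.0"),
    ("requests", ">=2.31.0", ">=2.32.4", "2.31.0"),
    ("protobuf", "==3.20.3", ">=4.25.8,<6", "3.20.3"),
]

def audit(pins=PINS) -> List[Tuple[str, bool, bool]]:
    """Per package: (name, old floor admits the pre-fix release, new floor
    still admits it). A correct bump yields (name, True, False)."""
    return [(name, satisfies(vuln, old), satisfies(vuln, new))
            for name, old, new, vuln in pins]
```

The same `satisfies` call confirms that the 5.29.6 resolved by pip-compile sits inside `>=4.25.8,<6` while a 6.x release would be excluded, matching the Phase 2 intent.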

- cryptography >=44.0.1 (CVE-2024-12797 bundled-OpenSSL)
- pyopenssl >=26.0.0
- requests >=2.32.4 (CVE-2024-47081 .netrc leak)
- urllib3 >=2.6.3 (decompression/encoding/redirect CVEs)
- cffi >=1.17.1, wheel >=0.46.2 (CVE-2026-24049), PyYAML >=6.0.2,
  wrapt >=1.17.2, itsdangerous >=2.2.0
- regenerated requirements.txt picks up fresh certifi (2026.4.22),
  idna (3.15) which closes those transitive CVEs
…ules

- protobuf 3.20.3 -> >=4.25.8,<6 in setup.py and requirements.in;
  pip-compile resolves to 5.29.6, closing CVE-2025-4565 and CVE-2026-0994
  (recursion DoS in google.protobuf).
- Regenerate all *_pb2.py via protoc 3.21.12 from sdk-protobuf/proto/.
  Output now uses the _builder.BuildMessageAndEnumDescriptors API that
  is required by protobuf 4.x/5.x runtimes.
- _pb2_grpc.py stubs are unused in this SDK and left untouched.
- pytest: 438 passed, 0 failed.
aml: no .in change, regenerated to pick up new core deps
doc_scan: flask>=3.0.6, pyopenssl>=26.0.0, deprecated>=1.2.14,
  iso8601>=1.1.0, pytz>=2025.2, click>=8.1
django: django 4.0.1 -> 4.2 LTS (closes critical SQLi CVEs),
  urllib3>=2.6.3, requests>=2.32.4, cffi>=1.17.1; remove unused six;
  add DEFAULT_AUTO_FIELD = BigAutoField to settings.py for 4.2
flask: flask 1->3.0.6 (CVE-2023-30861), werkzeug 1->3.0.6
  (request smuggling, debugger RCE, path traversal CVEs),
  jinja2>=3.1.6 (5 CVEs), pyopenssl, urllib3, requests bumped,
  itsdangerous>=2.2.0 added explicitly; remove unused six
setup.py extras_require[examples]: Django>=4.2,<5.3, Flask>=3.0.6,
  Werkzeug>=3.0.6
