# Production runtime dependencies only
# This file is AUTO-GENERATED from requirements.txt
# DO NOT EDIT MANUALLY - run scripts/update-requirements-prod.py instead
#
# For development dependencies, see requirements.txt

# Capped below 16.0 because websockets 16.x dropped Python 3.9 wheels.
# OL9 / RHEL 9 / CentOS Stream 9 / Amazon Linux 2023 ship cp39 as the
# default python3, and the rpm's vendor dir relies on per-Python wheel
# downloads; an unbounded >=15.0.1 constraint resolved to 16.0, which has
# no cp39 wheel, so the cp39 download pass failed with pip's
# "No matching distribution" error and the agent was left with no
# websockets install at all. Bump the upper bound only when cp39 is
# dropped from the supported Python matrix.
websockets>=15.0.1,<16
PyYAML>=6.0.2
aiohttp>=3.13.5  # 20 CVEs across 3.12.x; 3.13.5 is latest patched (HTTP request smuggling, header injection)
cryptography>=48.0.0  # 3 CVEs in 45.0.7-47.x (buffer overflow + DNS name-constraint validation); 48.0.0 fixes them
psutil>=5.9.0
bcrypt>=4.0.0
aiofiles>=24.1.0

# defusedxml is used by package_collector_windows when parsing the
# Chocolatey API XML response. Chocolatey is a trusted endpoint, but the
# response still arrives over the network and is untrusted input; parsing
# it with stdlib ``xml.etree`` is the pattern semgrep ``use-defused-xml``
# (correctly) flags. defusedxml rejects external-entity references and
# entity-expansion (billion-laughs) payloads instead of expanding them.
defusedxml>=0.7.1

# python_multipart was briefly pinned here as defense-in-depth against
# the 0.0.20 DoS + form-parser-bypass CVE chain that affected the
# server. Removed because:
#   1. ``pip download --python-version 3.9.21`` evaluates env markers
#      against the CI HOST's python (3.12), not the target, so a
#      ``; python_version >= '3.10'`` gate doesn't actually skip the
#      pin in the Python-3.9 wheel-download passes that the RPM
#      builder uses. pip then can't find a 0.0.27+ wheel for cp39
#      (no such release exists) and the build fails.
#   2. The agent has no untrusted-form-parser surface, so the CVE
#      class doesn't reach it even if 0.0.20 lands transitively.
# If a future code change starts parsing multipart input on the
# agent, add the pin back AND split requirements per Python version.

# Database dependencies
SQLAlchemy>=2.0.43
alembic>=1.16.5
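
# Added example, not part of this project or its build scripts: the
# python_multipart note above says a ``; python_version >= '3.10'``
# marker is no protection in the cp39 wheel-download pass, because pip
# evaluates markers against the host interpreter, and that the fix is to
# split requirements per Python version. The script below does that
# split ahead of ``pip download`` by evaluating ``python_version``
# markers itself against an explicit target. The function names
# (``split_requirements``, ``marker_applies``), the ``SAMPLE`` input and
# the ``python_multipart>=0.0.27`` pin in it are constructed for the
# example; only ``python_version`` comparisons are handled (assumption),
# and any other marker is rejected rather than silently kept.

```python
"""Pre-split a requirements file per target Python version.

Added example (not part of this project): ``pip download
--python-version X.Y`` evaluates environment markers against the HOST
interpreter, so a ``; python_version >= '3.10'`` gate does not skip a
pin in the cp39 download pass.  This script evaluates ``python_version``
markers itself against an explicit target, so each per-Python wheel
pass sees only the pins that actually apply to it.  Only
``python_version`` comparisons are handled (assumption); anything else
raises instead of being silently kept.
"""
import re
import sys
from operator import eq, ge, gt, le, lt, ne

# Constructed sample input: a prod requirements file with one marker-gated
# pin (shaped like the python_multipart pin discussed above, before removal).
SAMPLE = """\
# Production runtime dependencies only
websockets>=15.0.1,<16
aiohttp>=3.13.5  # inline comment, must be stripped
python_multipart>=0.0.27 ; python_version >= '3.10'
SQLAlchemy>=2.0.43
"""

_OPS = {"==": eq, "!=": ne, ">=": ge, "<=": le, ">": gt, "<": lt}
_MARKER = re.compile(
    r"^python_version\s*(==|!=|>=|<=|>|<)\s*['\"]([0-9]+(?:\.[0-9]+)*)['\"]$"
)


def _vtuple(text):
    """'3.10' -> (3, 10): compare as version tuples, not as strings
    (a string compare would rank '3.10' below '3.9')."""
    return tuple(int(part) for part in text.split("."))


def marker_applies(marker, target):
    """Evaluate one ``python_version OP 'X.Y'`` marker against target 'X.Y'."""
    match = _MARKER.match(marker.strip())
    if not match:
        raise ValueError(f"unsupported marker (only python_version handled): {marker!r}")
    op, rhs = match.groups()
    return _OPS[op](_vtuple(target), _vtuple(rhs))


def split_requirements(text, target):
    """Return (kept, dropped) requirement specs for python_version == target.

    Whole-line and trailing ``  # ...`` comments and blank lines are
    discarded; a line with no marker is always kept.
    """
    kept, dropped = [], []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s+)#.*$", "", raw).strip()
        if not line:
            continue
        spec, _, marker = line.partition(";")
        spec = spec.strip()
        if marker and not marker_applies(marker, target):
            dropped.append(spec)
        else:
            kept.append(spec)
    return kept, dropped


if __name__ == "__main__":
    # Usage: python split_reqs.py 3.9 3.12  (defaults shown); one block per
    # target, ready to be fed to that target's ``pip download`` pass.
    for target in sys.argv[1:] or ["3.9", "3.12"]:
        kept, dropped = split_requirements(SAMPLE, target)
        print(f"# requirements for python_version == {target}")
        print("\n".join(kept))
        for spec in dropped:
            print(f"# skipped for {target}: {spec}")
        print()
```

# Run it once per entry in the supported Python matrix and pass each
# output to the matching ``pip download --python-version`` invocation;
# the cp39 pass then never sees the 3.10-only pin, regardless of which
# interpreter the CI host runs.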

