
security: bump vulnerable dependencies to patched versions #1266

Merged
paigerube14 merged 1 commit into krkn-chaos:main from paigerube14:security/dep-updates
May 5, 2026

Conversation


@paigerube14 paigerube14 commented May 4, 2026

Summary

Addresses open Dependabot/CVE alerts by updating transitive dependency pins in requirements.txt:

  • kubernetes: ==34.1.0 → >=35.0.0 — kubernetes 35.0.0 relaxes the urllib3 upper bound, enabling urllib3 v2.x
  • urllib3: >=2.1.0,<2.4.0 → >=2.6.3 — fixes 4 high/medium CVEs (decompression bombs via streaming API and redirect chain, redirect bypass when retries disabled)
  • cryptography: >=42.0.4 → >=46.0.7 — fixes 3 CVEs (SECT curve subgroup attack, buffer overflow for non-contiguous buffers, incomplete DNS name constraint enforcement)

Known limitation

requests<2.32 remains unchanged — updating to >=2.33.0 requires upgrading docker from 6.x to 7.x (docker 6.x Unix socket transport breaks with requests 2.32+). That upgrade is tracked separately.

Test plan

  • Verify pip install -r requirements.txt resolves without conflicts
  • Run existing CI test suite to confirm no regressions from kubernetes 35.0.0

🤖 Generated with Claude Code


Review Summary by Qodo

Bump vulnerable dependencies to patched versions

🐞 Bug fix ✨ Enhancement


Walkthroughs

Description
• Updates kubernetes to >=35.0.0 to unlock urllib3 v2.x support
• Upgrades urllib3 to >=2.6.3 fixing decompression and redirect CVEs
• Bumps cryptography to >=46.0.7 addressing subgroup and buffer overflow CVEs
• Clarifies dependency constraints and upgrade path documentation
Diagram (mermaid flowchart):

flowchart LR
  A["kubernetes 34.1.0"] -->|upgrade to| B["kubernetes >=35.0.0"]
  B -->|unlocks| C["urllib3 >=2.6.3"]
  D["urllib3 2.1.0-2.4.0"] -->|upgrade to| C
  C -->|fixes CVEs| E["Decompression/Redirect"]
  F["cryptography 42.0.4"] -->|upgrade to| G["cryptography >=46.0.7"]
  G -->|fixes CVEs| H["Subgroup/Buffer/DNS"]


File Changes

1. requirements.txt 🐞 Bug fix +5/-5

Security dependency updates with CVE fixes

• Updated kubernetes from ==34.1.0 to >=35.0.0 to enable urllib3 v2.x compatibility
• Upgraded urllib3 from >=2.1.0,<2.4.0 to >=2.6.3 to fix CVEs (decompression bombs, redirect bypass)
• Bumped cryptography from >=42.0.4 to >=46.0.7 to address multiple CVEs (subgroup attack, buffer overflow, DNS constraints)
• Enhanced comments explaining dependency constraints and future upgrade path for requests/docker



qodo-code-review Bot commented May 4, 2026

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (4) 📎 Requirement gaps (0)


Action required

1. docker not == pinned 📘 Rule violation ⚙ Maintainability
Description
requirements.txt specifies docker>=6.0,<7.0 (a range) instead of an exact == pin. This
violates the dependency pinning requirement and can lead to non-reproducible installs.
Code

requirements.txt[11]

+docker>=6.0,<7.0  # docker 7.0+ has breaking changes; upgrade to 7.x to allow requests>=2.33.0
Evidence
PR Compliance ID 455899 requires every dependency line in a modified requirements.txt to use an
exact == version pin (unless a documented exception exists). The changed docker requirement uses
>=/< instead of an exact == pin.

Rule 455899: Pin Python dependencies in requirements.txt to exact versions
requirements.txt[11-11]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`docker` is specified as a version range (`docker>=6.0,<7.0`) rather than an exact `==` pin, violating the repo requirement to pin Python dependencies exactly.

## Issue Context
This line was modified in this PR, so it must comply with exact pinning. Keep the `<7.0` constraint required by the separate docker constraint rule, but add an exact `==` pin (PEP 440 allows multiple specifiers).

## Fix Focus Areas
- requirements.txt[11-11]



2. kubernetes not == pinned 📘 Rule violation ⚙ Maintainability
Description
requirements.txt specifies kubernetes>=35.0.0 instead of an exact == pin. This violates the
dependency pinning requirement and can cause dependency drift across installs.
Code

requirements.txt[19]

+kubernetes>=35.0.0
Evidence
PR Compliance ID 455899 requires exact == pins in modified requirements.txt lines. The changed
kubernetes requirement uses a lower-bound range (>=35.0.0) rather than an exact version.

Rule 455899: Pin Python dependencies in requirements.txt to exact versions
requirements.txt[19-19]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`kubernetes` is specified as `kubernetes>=35.0.0` rather than an exact `kubernetes==X.Y.Z` pin.

## Issue Context
This requirement was changed in the PR and must comply with exact pinning for reproducible builds.

## Fix Focus Areas
- requirements.txt[19-19]



3. requests/urllib3 not pinned 📘 Rule violation ⚙ Maintainability
Description
requirements.txt specifies requests<2.32 and urllib3>=2.6.3 without exact == pins. This
violates the requirement to pin dependencies exactly and may produce different resolved versions
over time.
Code

requirements.txt[R30-32]

+requests<2.32  # requests 2.32+ breaks docker Unix socket support; blocked until docker>=7.0
requests-unixsocket>=0.4.0  # Required for Docker Unix socket support
-urllib3>=2.1.0,<2.4.0  # Compatible with all dependencies
+urllib3>=2.6.3  # CVE fixes; kubernetes>=35.0.0 allows urllib3>=2.x
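Review bot: `requests<2.32` on the first line of the hunk carries only an upper bound, while the `urllib3>=2.6.3` line below it relies on requests accepting urllib3 2.x; nothing in the hunk records the oldest requests release that does. Adding a lower bound at the version actually tested against urllib3 2.x (e.g. `requests>=<tested_version>,<2.32`) keeps the documented upper bound and makes the compatible range explicit instead of leaving it to the resolver.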
Evidence
PR Compliance ID 455899 requires exact == pins for dependencies on modified lines. The updated
lines still use </>= specifiers for requests and urllib3 rather than exact versions.

Rule 455899: Pin Python dependencies in requirements.txt to exact versions
requirements.txt[30-32]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`requests` and `urllib3` are not pinned with `==` on modified lines (`requests<2.32`, `urllib3>=2.6.3`).

## Issue Context
When pinning `requests`, preserve the `<2.32` upper bound required by policy (you can use a combined specifier like `requests==<chosen_version>,<2.32`). For `urllib3`, choose a concrete patched version and pin with `==`.

## Fix Focus Areas
- requirements.txt[30-32]



4. cryptography not == pinned 📘 Rule violation ⚙ Maintainability
Description
requirements.txt specifies cryptography>=46.0.7 instead of an exact == pin. This violates the
dependency pinning requirement and can lead to non-deterministic dependency resolution.
Code

requirements.txt[41]

+cryptography>=46.0.7 # pinned to avoid multiple CVEs (subgroup attack, buffer overflow, DNS constraints)
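Review bot: the inline comment on the `cryptography` line says "pinned", but `>=46.0.7` is a floor, not a pin: any later release, including one that introduces a regression, still resolves. Either pin exactly (`cryptography==46.0.7`, as the rule above asks) or reword the comment to say the minimum version was raised to 46.0.7 for the CVE fixes, so the comment matches the specifier.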
Evidence
PR Compliance ID 455899 requires exact == pins for dependencies on modified lines unless an
explicit exception is documented. The changed cryptography line uses a lower bound (>=46.0.7)
rather than an exact version pin.

Rule 455899: Pin Python dependencies in requirements.txt to exact versions
requirements.txt[41-41]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`cryptography` is specified as a minimum version (`cryptography>=46.0.7`) rather than an exact `==` pin.

## Issue Context
This requirement was changed in the PR and must be pinned exactly for reproducible builds.

## Fix Focus Areas
- requirements.txt[41-41]




Advisory comments

5. Docs dependency mismatch 🐞 Bug ⚙ Maintainability
Description
CLAUDE.md still documents kubernetes 34.1.0 while requirements.txt now allows kubernetes>=35.0.0, so
contributors following CLAUDE.md can end up with a different client version than the repo actually
installs/tests with.
Code

requirements.txt[19]

+kubernetes>=35.0.0
Evidence
The PR changes the Kubernetes client requirement to >=35.0.0, but the contributor guide still calls
out 34.1.0 explicitly as the key dependency version.

requirements.txt[18-21]
CLAUDE.md[44-53]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`CLAUDE.md` documents **kubernetes (34.1.0)**, but `requirements.txt` now specifies **kubernetes>=35.0.0**. This creates inconsistent setup guidance for contributors.

### Issue Context
CI and local setup instructions rely on `pip install -r requirements.txt`, so the docs should reflect the dependency versions/ranges actually being installed.

### Fix Focus Areas
- CLAUDE.md[44-53]
- requirements.txt[18-21]

### Suggested change
- Update the kubernetes bullet in `CLAUDE.md` to match the new requirement (e.g., `kubernetes (>=35.0.0)` or `kubernetes (35.x)`).



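The exact-pin rule Qodo applies in items 1 to 4 above, together with the combined specifier it suggests for requests (`requests==<chosen_version>,<2.32`), can be checked mechanically. The checker below is an added example, not code from the krkn-chaos project or from Qodo; the sample requirements text is constructed to mirror the flagged lines, and the parser handles only plain numeric release versions, not PEP 440 pre-release or `~=` forms.

```python
import re

# Constructed sample mirroring the lines Qodo flagged on this PR (not the krkn-chaos
# file); the checker understands only plain numeric release versions.
SAMPLE_REQUIREMENTS = """\
docker>=6.0,<7.0  # docker 7.0+ has breaking changes
kubernetes>=35.0.0
requests<2.32  # blocked until docker>=7.0
requests-unixsocket>=0.4.0
urllib3>=2.6.3  # CVE fixes
cryptography>=46.0.7
pyyaml==6.0.2,<7.0  # compliant: exact pin combined with an upper bound
"""
LINE_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
SPEC_RE = re.compile(r"^(==|!=|<=|>=|<|>)\s*([0-9]+(?:\.[0-9]+)*)$")
OPS = {"==": lambda c: c == 0, "!=": lambda c: c != 0, "<": lambda c: c < 0,
       "<=": lambda c: c <= 0, ">": lambda c: c > 0, ">=": lambda c: c >= 0}

def compare(left, right):
    """Three-way compare of dotted numeric versions, padding the shorter with zeros."""
    a, b = [tuple(int(p) for p in v.split(".")) for v in (left, right)]
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (a > b) - (a < b)

def parse_requirement(line):
    """Return (name, [(op, version), ...]) or None for blank/comment-only lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    name, spec = LINE_RE.match(line).groups()
    matches = [SPEC_RE.match(p.strip()) for p in spec.split(",") if p.strip()]
    if None in matches:
        raise ValueError(f"unsupported specifier in {line!r}")
    return name, [(m.group(1), m.group(2)) for m in matches]

def check_pins(text):
    """Map each non-compliant package to its problem: no == pin at all, or an == pin
    that contradicts another bound on the same line (e.g. requests==2.33.0,<2.32)."""
    problems = {}
    for name, specs in filter(None, map(parse_requirement, text.splitlines())):
        pins = [v for op, v in specs if op == "=="]
        if not pins:
            problems[name] = "no exact == pin (" + ",".join(op + v for op, v in specs) + ")"
            continue
        for op, version in specs:
            if op != "==" and not OPS[op](compare(pins[0], version)):
                problems[name] = f"== pin {pins[0]} violates {op}{version}"
    return problems
```

Running `check_pins(SAMPLE_REQUIREMENTS)` reports all six ranged lines and accepts the combined `pyyaml` line; a pin that contradicts its own upper bound, such as `requests==2.33.0,<2.32`, is reported as a violation rather than silently accepted.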

@paigerube14 paigerube14 force-pushed the security/dep-updates branch from 11d09ec to 55dfc0a Compare May 4, 2026 19:54
- kubernetes: ==34.1.0 → >=35.0.0 (unlocks urllib3 v2.x support)
- urllib3: >=2.1.0,<2.4.0 → >=2.6.3 (CVEs: decompression bombs, redirect bypass)
- cryptography: >=42.0.4 → >=46.0.7 (subgroup attack, buffer overflow, DNS CVEs)
- requests: stays <2.32; blocked by docker-py 6.x Unix socket dependency
  (fix: upgrade docker to >=7.0 and requests to >=2.33.0 in a follow-up)

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
Signed-off-by: Paige Patton <[email protected]>
@paigerube14 paigerube14 force-pushed the security/dep-updates branch from 55dfc0a to e813343 Compare May 4, 2026 19:55
@paigerube14 paigerube14 merged commit cae6ce9 into krkn-chaos:main May 5, 2026
14 of 15 checks passed