From 380931b1d5e21757340baaeff4b16f669574c67f Mon Sep 17 00:00:00 2001
From: Lucas Aquino Brentano
Date: Mon, 1 Jun 2026 01:32:05 -0300
Subject: [PATCH] fix(security): fix pip-audit vulnerabilities (starlette, pytest)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two dependencies were failing the pip-audit gate:

- starlette 0.49.1 -> 1.2.1: fixes PYSEC-2026-161 / CVE-2026-48710 (BadHost: missing validation of the Host header poisons request.url.path). The fix only exists on the 1.x line; since FastAPI 0.123 pinned starlette<0.51, FastAPI was bumped to 0.136.3 (accepts starlette>=0.46).

- pytest 8.3.3 -> 9.0.3: fixes CVE-2025-71176 (predictable temporary directory on UNIX). pytest-cov 5.0.0->7.1.0 and pytest-mock 3.14.0->3.15.1 for compatibility with pytest 9.

Validated: pip-audit reports no vulnerabilities, 340/340 tests passing.

Also aligns backend/.coveragerc (fail_under 90 -> 80) with CI (--cov-fail-under=80) and CLAUDE.md.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 backend/.coveragerc      |  2 +-
 backend/requirements.txt | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/backend/.coveragerc b/backend/.coveragerc index cdc1d13..dbd608b 100644 --- a/backend/.coveragerc +++ b/backend/.coveragerc @@ -3,4 +3,4 @@ omit = alembic/* [report] -fail_under = 90 +fail_under = 80 diff --git a/backend/requirements.txt b/backend/requirements.txt index d1b376d..b23d6d9 100644 --- a/backend/requirements.txt +++ b/backend/requirements.txt @@ -1,5 +1,5 @@ -fastapi==0.123.0 -starlette==0.49.1 +fastapi==0.136.3 +starlette==1.2.1 uvicorn==0.30.6 sqlalchemy==2.0.35 alembic==1.13.3 @@ -10,9 +10,9 @@ passlib[bcrypt]==1.7.4 bcrypt==4.0.1 psycopg2-binary==2.9.10 httpx==0.27.2 -pytest==8.3.3 -pytest-cov==5.0.0 -pytest-mock==3.14.0 +pytest==9.0.3 +pytest-cov==7.1.0 +pytest-mock==3.15.1 ruff==0.6.9 bandit==1.9.4 pip-audit==2.10.0
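Review bot: in the backend/.coveragerc hunk, lowering `fail_under` from 90 to 80 relaxes the coverage gate inside a commit whose subject is a security dependency fix, and nothing in the hunk or the message shows why the alignment with CI could not go the other way (raising `--cov-fail-under` to 90 instead of lowering the config to 80). Suggest moving the .coveragerc change into its own commit, or at least recording the currently measured coverage in the message, so the threshold reduction is reviewed on its own merits rather than riding along with the CVE remediation.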
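Review bot: in the first backend/requirements.txt hunk, `starlette==0.49.1 -> 1.2.1` crosses a major version and `fastapi==0.123.0 -> 0.136.3` moves with it, yet the only evidence of compatibility is the "340/340 tests passing" line in the message; the message itself notes the fix exists only on the 1.x line, so the app is now on a release series with potentially different request handling. Suggest adding a sentence to the message naming the starlette 1.x changes checked for this service (in particular whether the stricter Host header validation that motivates the bump can reject requests the old version accepted behind the deployed proxy), since that is a runtime behaviour change shipping under a "fix" subject.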
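Review bot: in the second backend/requirements.txt hunk, `pytest`, `pytest-cov` and `pytest-mock` are test-only packages pinned in the same file as runtime dependencies such as `uvicorn` and `psycopg2-binary`, so the CVE-2025-71176 remediation is coupled to the production pin set and pip-audit on the deployable image audits tooling that never ships. Suggest splitting the test tooling into a separate requirements-dev.txt (or an extras group) so each bump can be reverted independently. Separately, none of the pins in this file carry `--hash=` entries; pip-audit checks versions against advisories but `pip install` will not verify artifact integrity without them, and `pip-compile --generate-hashes` would add that check.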