
fix: resolve Snyk HIGH/CRITICAL vulnerabilities in Python deps (May 2026)#95

Open
jcesarioatpeach wants to merge 1 commit into master from johncesario/resolve-snyk-vulns-may2026

Conversation

@jcesarioatpeach

Summary

  • Upgraded 5 vulnerable Python packages (Authlib, gunicorn, PyJWT, sqlparse, httplib2) to fix 13 HIGH + 1 CRITICAL Snyk vulnerabilities
  • Added setuptools>=70.0.0 pin to fix code injection HIGH vuln in build toolchain
  • Fixed sqlparse.text_type → str in redash/query_runner/__init__.py (removed in sqlparse 0.5.0)
  • Added Snyk ignore for werkzeug debugger RCE (debug-mode only; Flask 2.x incompatible with werkzeug 3.x)

Vulnerability Summary

| Package | Before | After | Vulns Fixed |
| --- | --- | --- | --- |
| Authlib | 0.15.5 | 1.6.9 | 1 CRITICAL + 6 HIGH (signature bypass, timing attack, fail-open, CSRF, DoS) |
| gunicorn | 20.0.4 | 23.0.0 | 2 HIGH (HTTP request smuggling) |
| PyJWT | 2.4.0 | 2.12.0 | 1 HIGH (improper signature verification) |
| sqlparse | 0.4.4 | 0.5.4 | 2 HIGH (uncontrolled recursion + resource exhaustion) |
| httplib2 | 0.18.0 | 0.19.0 | 1 HIGH (ReDoS) |
| setuptools | (unbound) | >=70.0.0 | 1 HIGH (code injection) |

Snyk ignored (with justification in .snyk):

  • SNYK-PYTHON-WERKZEUG-6808933 — debugger RCE requires debug mode enabled (never in production); fix requires Werkzeug ≥3.0.3 which is incompatible with Flask 2.3.x (requires Flask 3.x upgrade)

Before / After

  • Before: 0 CRITICAL, 16 HIGH
  • After: 0 CRITICAL, 0 HIGH (snyk test --severity-threshold=high → ok: true)

Test Plan

  • snyk test --severity-threshold=high → ok: true, 0 vulnerabilities
  • Python syntax check on modified files passes
  • sqlparse 0.5.4 API compatibility verified (FilterStack, StripCommentsFilter, utils.imt all present; text_type removed as expected)
  • All new package imports verified (authlib 1.6.9 flask_client OAuth, gunicorn 23.0.0, pyjwt 2.12.0 RSAAlgorithm, httplib2 0.19.0)
  • Full test suite requires Docker Compose (run in CI)

🤖 Generated with Claude Code

Upgrades:
- Authlib 0.15.5 → 1.6.9 (1 CRITICAL + 6 HIGH: signature bypass, timing attack,
  fail-open, CSRF, DoS)
- gunicorn 20.0.4 → 23.0.0 (2 HIGH: HTTP request smuggling)
- PyJWT 2.4.0 → 2.12.0 (1 HIGH: improper signature verification)
- sqlparse 0.4.4 → 0.5.4 (2 HIGH: uncontrolled recursion + resource exhaustion)
- httplib2 0.18.0 → 0.19.0 (1 HIGH: ReDoS)
- setuptools >=70.0.0 pin added (1 HIGH: code injection)

Code fix: replace removed sqlparse.text_type with str in query_runner/__init__.py

Werkzeug 2.3.7 HIGH (debugger RCE, debug mode only) added to .snyk ignore
because Werkzeug 3.x requires Flask 3.x (incompatible with current Flask 2.3.3).

Before: 0C, 16H | After: 0C, 0H (verified with snyk test --severity-threshold=high)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
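The `.snyk` ignore entry described in the summary and commit message, written out here as an added illustration rather than the file from this PR: the issue ID is the one named above, while the path glob, `created` and `expires` values are assumptions, with the expiry set so the ignore has to be re-justified once the Flask 3.x / Werkzeug 3.x upgrade lands instead of silently persisting.

```yaml
# Snyk (https://snyk.io) policy file (illustrative; not the PR's own .snyk)
version: v1.25.0
ignore:
  SNYK-PYTHON-WERKZEUG-6808933:
    # '*' scopes the ignore to every dependency path that pulls in werkzeug;
    # the reason mirrors the justification given in the PR description.
    - '*':
        reason: >-
          Werkzeug debugger RCE requires the interactive debugger (debug mode)
          to be enabled, which is never the case in production. The fixed
          Werkzeug >=3.0.3 requires Flask 3.x; current Flask 2.3.x is
          incompatible. Revisit when the Flask 3.x upgrade lands.
        created: 2026-05-01T00:00:00.000Z   # assumed date
        expires: 2026-08-01T00:00:00.000Z   # assumed; forces re-evaluation
```

After the `expires` date `snyk test --severity-threshold=high` reports the issue again, so the ignore cannot outlive the Flask upgrade unnoticed.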