chore: 更新依赖版本以支持 Python 3.14 并提升安全性

[qq98982]

概述

更新项目依赖以支持 Python 3.14 并修复已知的安全漏洞。所有更改采用兼容性优先策略，不会引入破坏性变更。

主要更改

• 更新 requests 至 >=2.31.0 修复安全漏洞
• 更新 urllib3、aiohttp、django 等核心依赖至安全版本
• 使用 ^ 版本范围策略保持向后兼容性
• 所有更改保持与 Python 3.7-3.14 的兼容性

Closes #1

---

Generated with Claude Code

[claude]

Code Review: Dependency Updates for Python 3.14 Support

Overall Assessment

This PR updates dependencies to support Python 3.14 and addresses security vulnerabilities. The changes are generally good, but there are several important considerations and recommendations.

---

✅ Positive Aspects

1. Security Improvements

   • Updating requests from >=2.26.0 to >=2.31.0 addresses known CVEs (CVE-2023-32681)
   • aiohttp update to ^3.8.6 fixes multiple security issues
   • django update to ^3.2.23 includes important security patches

2. Version Strategy

   • Using caret (^) ranges instead of pinned versions is appropriate for a library, allowing users more flexibility
   • Maintains backward compatibility while allowing patch and minor updates

3. Python 3.14 Support

   • Classifier added appropriately for Python 3.14

---

⚠️ Issues & Concerns

1. Critical: Inconsistent Version Constraints

Issue: The change from exact versions to caret (^) ranges changes the dependency resolution behavior significantly.

Risk:

• ^1.26.18 for urllib3 means >=1.26.18, <2.0.0 - this could pull in 1.26.x versions but NOT 2.x
• Some dependencies may have released major versions with breaking changes since the pinned versions

Specific Concerns:

# pyproject.toml:106-136
aiohttp = "^3.8.6"    # Major version 3.9+ and 3.10+ exist with potential breaking changes
django = "^3.2.23"    # Django 4.x and 5.x exist - caret won't upgrade to them (good)
sanic = "^21.9.1"     # Sanic has moved to different versioning (22.x, 23.x) - may miss updates

Recommendation: For each dependency, verify:

• What is the latest version in the allowed range?
• Have any breaking changes been introduced?
• Should some dependencies use ~ (tilde) for more conservative updates?

2. Potentially Outdated Minimum Versions

Issue: Some dependencies are already several major versions behind:

django = "^3.2.23"     # Current stable is 5.1 (3.2 is LTS but old)
fastapi = "^0.89.1"    # Current is 0.115+ (significant changes)
uvicorn = "^0.16.0"    # Current is 0.30+ (many improvements)
sanic = "^21.9.1"      # Current is 23.12+ (breaking changes)
werkzeug = "^2.0.3"    # Current is 3.0+ (breaking changes)

Risk: Users installing fresh dependencies may get significantly outdated versions. While maintaining compatibility is important, consider:

• Are these actually tested with newer versions?
• Should upper bounds be specified for known incompatibilities?

3. Security: Some Dependencies Still Vulnerable

Issue: While some security updates are included, others may be missed:

• tornado = "^6.1" - Tornado 6.4+ includes security fixes
• werkzeug = "^2.0.3" - Werkzeug 2.3+ includes security patches
• pyyaml = "^6.0" - Should specify >=6.0.1 for security fixes

Recommendation: Check CVE databases for each dependency and ensure minimum versions address known vulnerabilities.

4. Missing Lock File Update

Issue: No poetry.lock file changes are included in this PR.

Risk:

• Difficult to verify the actual resolved versions
• CI/CD may install different versions than intended
• Reproducibility concerns

Recommendation:

poetry lock --no-update  # Update lock file with new constraints
# Or
poetry update  # Update all dependencies within constraints

Then commit the updated poetry.lock file.

5. Test Coverage Concerns

Issue: The PR doesn't show evidence of:

• Running existing tests against updated dependencies
• Compatibility testing with Python 3.14
• Integration testing with the updated plugin dependencies

Recommendation:

• Run the full test suite with updated dependencies
• If Python 3.14 is not available in CI yet, at least test with 3.12/3.13
• Add test matrix to CI for multiple Python versions
• Consider adding dependency version testing in CI

---

🔍 Specific Line-by-Line Issues

Line 107: aiohttp version

aiohttp = "^3.8.6"

Issue: aiohttp 3.8.x is no longer maintained. Consider ^3.9.0 minimum.

Line 123: sanic version

sanic = "^21.9.1"

Issue: Sanic changed versioning scheme. Version 21.9.1 uses calendar versioning. The caret operator may not work as expected. Consider >=21.9.1,<24.0 for explicit range.

Line 127: uvicorn version

uvicorn = "^0.16.0"

Issue: Very outdated. Uvicorn 0.30+ has significant improvements. If testing allows, consider ^0.20.0 minimum.

---

🚀 Performance Considerations

1. No Performance Issues Identified: The dependency updates themselves don't introduce performance regressions
2. Potential Benefits: Newer versions may include performance improvements
3. Recommendation: After merging, run performance benchmarks to verify no regression

---

🔒 Additional Security Recommendations

1. Add Security Scanning: Consider adding dependency scanning to CI:

   - name: Security audit
     run: poetry run pip-audit

2. Dependabot/Renovate: Enable automated dependency updates to catch security issues faster

3. Document Security Policy: Create a SECURITY.md file outlining how security issues are handled

---

📝 Documentation Needs

Missing:

• CHANGELOG entry describing the dependency updates
• Migration guide if any breaking changes for users
• Updated documentation if minimum versions changed for plugins

---

✅ Approval Conditions

This PR can be approved if:

1. ✅ poetry.lock file is generated and committed
2. ✅ CI tests pass with updated dependencies
3. ✅ Security review confirms no vulnerable versions remain
4. ⚠️ Team acknowledges the version range changes and their implications
5. ⚠️ Decision made on whether to update to newer major versions of key dependencies

---

📋 Recommended Action Items

Before Merge:

• Run poetry lock and commit the lock file
• Run full test suite and verify all tests pass
• Check CVE databases for remaining vulnerabilities
• Document the changes in CHANGELOG

After Merge:

• Test with Python 3.14 when available in CI
• Monitor for any compatibility issues reported by users
• Consider follow-up PR to update to newer major versions where appropriate

---

Summary

Code Quality: ⭐⭐⭐⭐☆ (4/5) - Good approach, needs lock file
Security: ⭐⭐⭐⭐☆ (4/5) - Addresses key issues, some remain
Best Practices: ⭐⭐⭐☆☆ (3/5) - Missing lock file and thorough testing evidence
Impact: Low risk with proper testing

Verdict: ✅ Approve with changes - Add poetry.lock file and verify tests pass

---

Review generated by Claude Code - Please validate all findings and recommendations