From 6fbeda223a252e1ed3dd7918c5dca3949e86287e Mon Sep 17 00:00:00 2001 From: Barbora Tutu Date: Thu, 26 Mar 2026 14:06:28 +0100 Subject: [PATCH 1/6] chore: update python-multipart because of vulnerability Co-authored-by: Junie --- requirements.txt | 2 +- setup.py | 2 +- src/filuta_fastapi_users/__init__.py | 2 +- tests/test_package.py | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/requirements.txt b/requirements.txt index 0b350dde..125bb5c5 100644 --- a/requirements.txt +++ b/requirements.txt @@ -6,5 +6,5 @@ passlib[bcrypt]==1.7.4 pydantic>=2.0.0,<3.0.0 pyjwt[crypto]==2.10.1 python-dotenv==1.0.0 -python-multipart==0.0.19 +python-multipart==0.0.22 sqlalchemy==2.0.20 diff --git a/setup.py b/setup.py index a351cd45..47789b4a 100644 --- a/setup.py +++ b/setup.py @@ -27,7 +27,7 @@ def get_version(version_file: str) -> str: "passlib[bcrypt] ==1.7.4", "email-validator >=1.1.0,<2.1", "pyjwt[crypto] ==2.10.1", - "python-multipart ==0.0.19", + "python-multipart ==0.0.22", "makefun >=1.11.2,<2.0.0", "pydantic>=2.0.0,<3.0.0", "python-dotenv", diff --git a/src/filuta_fastapi_users/__init__.py b/src/filuta_fastapi_users/__init__.py index cd6b7bb5..ec772965 100644 --- a/src/filuta_fastapi_users/__init__.py +++ b/src/filuta_fastapi_users/__init__.py @@ -1,6 +1,6 @@ """Ready-to-use and customizable users management for FastAPI.""" -__version__ = "12.1.1+9" +__version__ = "12.1.1+10" from filuta_fastapi_users import models, schemas # noqa: F401 from filuta_fastapi_users.exceptions import InvalidID, InvalidPasswordException diff --git a/tests/test_package.py b/tests/test_package.py index 4755b84b..1a9f712d 100644 --- a/tests/test_package.py +++ b/tests/test_package.py @@ -6,7 +6,7 @@ def test_import() -> None: def test_version() -> None: - assert __version__ == "12.1.1+9" + assert __version__ == "12.1.1+10" def test_global_fixture(dummy_fixture: int) -> None: From 8a62ce22bf8d523ff1b7f3c117a6e404339ac0d7 Mon Sep 17 00:00:00 2001 
From: Barbora Tutu Date: Thu, 26 Mar 2026 14:34:03 +0100 Subject: [PATCH 2/6] chore: add setuptools dependency to fix pkg_resources missing error and include missing httpx_oauth --- requirements.txt | 1 + setup.py | 2 ++ 2 files changed, 3 insertions(+) diff --git a/requirements.txt b/requirements.txt index 125bb5c5..b66a777b 100644 --- a/requirements.txt +++ b/requirements.txt @@ -8,3 +8,4 @@ pyjwt[crypto]==2.10.1 python-dotenv==1.0.0 python-multipart==0.0.22 sqlalchemy==2.0.20 +setuptools diff --git a/setup.py b/setup.py index 47789b4a..7e854f71 100644 --- a/setup.py +++ b/setup.py @@ -32,6 +32,8 @@ def get_version(version_file: str) -> str: "pydantic>=2.0.0,<3.0.0", "python-dotenv", "sqlalchemy", + "setuptools", + "httpx_oauth >=0.13.0", ], classifiers=[ "License :: OSI Approved :: MIT License", From 2a21c49ffc8ee4b28dd85b92fc5ca4d5fd08acae Mon Sep 17 00:00:00 2001 From: Barbora Tutu Date: Thu, 26 Mar 2026 14:54:59 +0100 Subject: [PATCH 3/6] chore: add setuptools dependency to resolve pkg_resources missing error in tox docs build Co-authored-by: Junie --- requirements-dev.txt | 1 + tox.ini | 1 + 2 files changed, 2 insertions(+) diff --git a/requirements-dev.txt b/requirements-dev.txt index bae1d858..f41c869a 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -1,4 +1,5 @@ -e . +setuptools artifacts-keyring black build diff --git a/tox.ini b/tox.ini index c2466ee7..1ec5f430 100644 --- a/tox.ini +++ b/tox.ini @@ -38,6 +38,7 @@ commands = safety check --full-report -r {toxinidir}/requirements.txt \ [testenv:docs] description = generate documentation in html and doctest deps = + setuptools -rrequirements-dev.txt commands = sphinx-build -W -b html -j auto "docs/source" "docs/build/html" From 3ce45f778a419cd98df9858ba5691333794906ac Mon Sep 17 00:00:00 2001 
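Review bot: `"httpx_oauth >=0.13.0"` is added to the dependency list in the setup.py hunk of PATCH 2/6 as a missing runtime dependency, but the setup.py hunk of PATCH 4/6 removes it again together with `"setuptools"`, and that commit's message only mentions cleaning up setuptools. If the package imports httpx_oauth (not visible anywhere in this series), the series ends with the dependency undeclared again and a fresh install would fail at import time; confirm which state is intended, and if it is needed keep the `"httpx_oauth >=0.13.0",` line in PATCH 4/6. The new entry also has only a lower bound, unlike `"makefun >=1.11.2,<2.0.0"` and `"pydantic>=2.0.0,<3.0.0"` next to it, so an upper bound in the same style would keep the list consistent. The dependency list starts and ends outside the hunk.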
From: Barbora Tutu Date: Thu, 26 Mar 2026 15:37:16 +0100 Subject: [PATCH 4/6] chore: replace passlib.pwd with secrets to remove pkg_resources dependency and clean up setuptools Co-authored-by: Junie --- requirements-dev.txt | 1 - requirements.txt | 1 - setup.py | 2 -- src/filuta_fastapi_users/password.py | 5 ++--- tox.ini | 1 - 5 files changed, 2 insertions(+), 8 deletions(-) diff --git a/requirements-dev.txt b/requirements-dev.txt index f41c869a..bae1d858 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -1,5 +1,4 @@ -e . -setuptools artifacts-keyring black build diff --git a/requirements.txt b/requirements.txt index b66a777b..125bb5c5 100644 --- a/requirements.txt +++ b/requirements.txt @@ -8,4 +8,3 @@ pyjwt[crypto]==2.10.1 python-dotenv==1.0.0 python-multipart==0.0.22 sqlalchemy==2.0.20 -setuptools diff --git a/setup.py b/setup.py index 7e854f71..47789b4a 100644 --- a/setup.py +++ b/setup.py @@ -32,8 +32,6 @@ def get_version(version_file: str) -> str: "pydantic>=2.0.0,<3.0.0", "python-dotenv", "sqlalchemy", - "setuptools", - "httpx_oauth >=0.13.0", ], classifiers=[ "License :: OSI Approved :: MIT License", diff --git a/src/filuta_fastapi_users/password.py b/src/filuta_fastapi_users/password.py index 89b26e3b..3a12bb8f 100644 --- a/src/filuta_fastapi_users/password.py +++ b/src/filuta_fastapi_users/password.py @@ -1,6 +1,5 @@ +import secrets from typing import Protocol - -from passlib import pwd from passlib.context import CryptContext @@ -29,4 +28,4 @@ def hash(self, password: str) -> str: return self.context.hash(password) def generate(self) -> str: - return pwd.genword() + return secrets.token_urlsafe(32) diff --git a/tox.ini b/tox.ini index 1ec5f430..c2466ee7 100644 --- a/tox.ini +++ b/tox.ini 
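Review bot: `generate()` in password.py now returns a 43-character string over the URL-safe Base64 alphabet (letters, digits, `-`, `_`) instead of passlib's much shorter alphanumeric word, and nothing in the hunk documents or tests that change of length and character set. I would add a docstring such as `"""Return a random URL-safe password: 32 bytes from the OS CSPRNG, 43 characters."""` and a test that asserts the length and that two calls differ, so callers that store, display or validate the value know what to expect. The strength itself is fine (256 bits from `secrets`). If bcrypt remains a scheme in the `CryptContext` (not visible here), keep the byte count at 54 or below, since a longer token would exceed bcrypt's 72-byte input limit. The class around `generate` starts outside the hunk.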
@@ -38,7 +38,6 @@ commands = safety check --full-report -r {toxinidir}/requirements.txt \ [testenv:docs] description = generate documentation in html and doctest deps = - setuptools -rrequirements-dev.txt commands = sphinx-build -W -b html -j auto "docs/source" "docs/build/html" From 5652e513c1c88cdfe262ffa8b92cf3358b7ce5b1 Mon Sep 17 00:00:00 2001 From: Barbora Tutu Date: Thu, 26 Mar 2026 15:52:59 +0100 Subject: [PATCH 5/6] style: fix ruff/isort formatting in password.py --- src/filuta_fastapi_users/password.py | 1 + 1 file changed, 1 insertion(+) diff --git a/src/filuta_fastapi_users/password.py b/src/filuta_fastapi_users/password.py index 3a12bb8f..f768ce65 100644 --- a/src/filuta_fastapi_users/password.py +++ b/src/filuta_fastapi_users/password.py @@ -1,5 +1,6 @@ import secrets from typing import Protocol + from passlib.context import CryptContext From 2b724769469c475359ffc9ffb4417ef3372d6b75 Mon Sep 17 00:00:00 2001 From: Barbora Tutu Date: Thu, 26 Mar 2026 15:54:34 +0100 Subject: [PATCH 6/6] chore: update bandit pre-commit hook to 1.7.10 to fix pbr ModuleNotFoundError --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index ab8ffdb8..27699473 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -39,7 +39,7 @@ repos: hooks: - id: ruff - repo: https://github.com/PyCQA/bandit - rev: 1.7.5 + rev: 1.7.10 hooks: - id: bandit exclude: tests/.*$