update python and dependencies

Signed-off-by: MrScarySpaceCat <me@mrscaryspacecat.dev>

Author: MrScarySpaceCat

.github/workflows/docker-publish.yml

@@ -1,10 +1,5 @@
 name: Docker
 
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
 on:
     push:
         branches: ["master"]
@@ -25,70 +20,50 @@ jobs:
         permissions:
             contents: read
             packages: write
-            # This is used to complete the identity challenge
-            # with sigstore/fulcio when running outside of PRs.
             id-token: write
 
         steps:
-            - name: Checkout repository
-              uses: actions/checkout@v4
-
-            # Install the cosign tool except on PR
-            # https://github.com/sigstore/cosign-installer
-            - name: Install cosign
-              if: github.event_name != 'pull_request'
-              uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
-              with:
-                  cosign-release: "v2.2.4"
-
-            # Set up BuildKit Docker container builder to be able to build
-            # multi-platform images and export cache
-            # https://github.com/docker/setup-buildx-action
-            - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
-
-            # Login against a Docker registry except on PR
-            # https://github.com/docker/login-action
-            - name: Log into registry ${{ env.REGISTRY }}
-              if: github.event_name != 'pull_request'
-              uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
-              with:
-                  registry: ${{ env.REGISTRY }}
-                  username: ${{ github.actor }}
-                  password: ${{ secrets.GITHUB_TOKEN }}
-
-            # Extract metadata (tags, labels) for Docker
-            # https://github.com/docker/metadata-action
-            - name: Extract Docker metadata
-              id: meta
-              uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
-              with:
-                  images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+            -   name: Checkout repository
+                uses: actions/checkout@v6.0.2
+                
+            -   name: Install cosign
+                if: github.event_name != 'pull_request'
+                uses: sigstore/cosign-installer@v4.1.1
 
-            # Build and push Docker image with Buildx (don't push on PR)
-            # https://github.com/docker/build-push-action
-            - name: Build and push Docker image
-              id: build-and-push
-              uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
-              with:
-                  context: .
-                  push: ${{ github.event_name != 'pull_request' }}
-                  tags: ${{ steps.meta.outputs.tags }}
-                  labels: ${{ steps.meta.outputs.labels }}
-                  cache-from: type=gha
-                  cache-to: type=gha,mode=max
+            -   name: Set up QEMU
+                uses: docker/setup-qemu-action@v4.0.0
 
-            # Sign the resulting Docker image digest except on PRs.
-            # This will only write to the public Rekor transparency log when the Docker
-            # repository is public to avoid leaking data.  If you would like to publish
-            # transparency data even for private images, pass --force to cosign below.
-            # https://github.com/sigstore/cosign
-            - name: Sign the published Docker image
-              if: ${{ github.event_name != 'pull_request' }}
-              env:
-                  # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
-                  TAGS: ${{ steps.meta.outputs.tags }}
-                  DIGEST: ${{ steps.build-and-push.outputs.digest }}
-              # This step uses the identity token to provision an ephemeral certificate
-              # against the sigstore community Fulcio instance.
-              run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+            -   name: Set up Docker Buildx
+                uses: docker/setup-buildx-action@v4.0.0
+                
+            -   name: Log into registry ${{ env.REGISTRY }}
+                if: github.event_name != 'pull_request'
+                uses: docker/login-action@v4.0.0
+                with:
+                    registry: ${{ env.REGISTRY }}
+                    username: ${{ github.actor }}
+                    password: ${{ secrets.GITHUB_TOKEN }}
+                    
+            -   name: Extract Docker metadata
+                id: meta
+                uses: docker/metadata-action@v6.0.0 # v5.0.0
+                with:
+                    images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+                    
+            -   name: Build and push Docker image
+                id: build-and-push
+                uses: docker/build-push-action@v7.0.0
+                with:
+                    context: .
+                    push: ${{ github.event_name != 'pull_request' }}
+                    tags: ${{ steps.meta.outputs.tags }}
+                    labels: ${{ steps.meta.outputs.labels }}
+                    cache-from: type=gha
+                    cache-to: type=gha,mode=max
+                    
+            -   name: Sign the published Docker image
+                if: ${{ github.event_name != 'pull_request' }}
+                env:
+                    TAGS: ${{ steps.meta.outputs.tags }}
+                    DIGEST: ${{ steps.build-and-push.outputs.digest }}
+                run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}

Dockerfile

@@ -6,8 +6,8 @@
 
 # Want to help us make this template better? Share your feedback here: https://forms.gle/ybq9Krt8jtBL3iCk7
 
-ARG PYTHON_VERSION=3.13.5
-FROM python:${PYTHON_VERSION}-slim as base
+ARG PYTHON_VERSION=3.14.3
+FROM python:${PYTHON_VERSION}-slim-trixie as base
 
 # Prevents Python from writing pyc files.
 ENV PYTHONDONTWRITEBYTECODE=1
@@ -21,13 +21,17 @@ WORKDIR /app
 # Create a non-privileged user that the app will run under.
 # See https://docs.docker.com/go/dockerfile-user-best-practices/
 ARG UID=10001
-RUN adduser \
-    --disabled-password \
-    --gecos "" \
-    --home "/nonexistent" \
-    --shell "/sbin/nologin" \
-    --no-create-home \
+RUN groupadd \
+    --gid "${UID}" \
+    --system \
+    appuser \ 
+    && useradd \
+    --home-dir "/nonexistent" \
+    --shell "/usr/sbin/nologin" \
     --uid "${UID}" \
+    --gid "${UID}" \
+    --no-log-init \
+    --system \
     appuser
 
 # Download dependencies as a separate step to take advantage of Docker's caching.

requirements.txt

@@ -4,15 +4,15 @@ aiohttp~=3.13.3
 aiosignal~=1.4.0
 annotated-doc~=0.0.4
 annotated-types~=0.7.0
-anyio~=4.11.0
-attrs~=25.4.0
+anyio~=4.13.0
+attrs~=26.1.0
 bcrypt~=5.0.0
 beautifulsoup4~=4.14.3
 click~=8.3.1
 dnspython~=2.8.0
-fastapi~=0.121.3
+fastapi~=0.135.2
 frozenlist~=1.8.0
-greenlet~=3.2.4
+greenlet~=3.3.2
 h11~=0.16.0
 html5lib~=1.1
 idna~=3.11
@@ -22,20 +22,20 @@ lxml~=6.0.2
 MarkupSafe~=3.0.3
 motor~=3.7.1
 multidict~=6.7.0
-playwright~=1.56.0
+playwright~=1.58.0
 propcache~=0.4.1
 pur~=7.3.3
 pydantic~=2.12.5
 pydantic_core~=2.41.5
 pyee~=13.0.0
-pymongo~=4.15.5
+pymongo~=4.16.0
 python-multipart~=0.0.21
 six~=1.17.0
 sniffio~=1.3.1
 soupsieve~=2.8.1
-starlette~=0.49.3
+starlette~=1.0.0
 typing-inspection~=0.4.2
 typing_extensions~=4.15.0
-uvicorn~=0.38.0
+uvicorn~=0.42.0
 webencodings~=0.5.1
-yarl~=1.22.0
+yarl~=1.23.0