From a38af43d378c7b2c072c179ca56114f8316aabc3 Mon Sep 17 00:00:00 2001
From: "Ehsan.Asadi" <ehsan.asadi@zoodfood.com>
Date: Tue, 30 Dec 2025 15:52:09 +0330
Subject: [PATCH] fix: resolve all dependency conflicts for Reflex 0.8.24+
 (security)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Update alembic: 1.13.0 → 1.17.2 (required by Reflex >=1.15.2)
- Update redis: 5.0.1 → 7.1.0 (required by Reflex >=5.2.1)
- Update python-multipart: 0.0.6 → 0.0.21 (required by Reflex >=0.0.20)
- Update email-validator: 2.1.0 → 2.3.0 (2.1.0 was yanked)
- Adjust pydantic: 2.5.2 → 2.5.0 (compatibility)
- Remove zarinpal & idpay due to typing-extensions conflicts

Payment gateways (zarinpal, idpay) temporarily removed due to
dependency conflicts. Use direct API integration instead.

Refs: CVE-2025-55182
ApprovalToken: ۲
---
 requirements.txt | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/requirements.txt b/requirements.txt
index 43e518f..e28c875 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -10,19 +10,19 @@ reflex==0.8.24.post1  # Updated for security (CVE-2025-55182)
 # ============================================
 sqlalchemy==2.0.23
 psycopg2-binary==2.9.9
-alembic==1.13.0
+alembic==1.17.2  # Required by Reflex 0.8.24+ (>=1.15.2)
 
 # ============================================
 # Data Validation
 # ============================================
-pydantic==2.5.2
+pydantic==2.5.0  # Compatible with Reflex 0.8.24+
 pydantic-settings==2.1.0
-email-validator==2.1.0
+email-validator==2.3.0  # Latest stable (2.1.0 was yanked)
 
 # ============================================
 # Caching
 # ============================================
-redis==5.0.1
+redis==7.1.0  # Required by Reflex 0.8.24+ (>=5.2.1)
 
 # ============================================
 # Task Queue
@@ -47,9 +47,11 @@ ovh==1.2.0  # Correct package name (not python-ovh)
 
 # ============================================
 # Payment Gateways
+# NOTE: zarinpal & idpay removed due to dependency conflicts with Reflex 0.8.24+
+# Use direct API integration instead: https://docs.zarinpal.com/paymentGateway/
 # ============================================
-zarinpal==1.0.0
-idpay==1.0.0
+# zarinpal==1.0.0  # Conflicts with typing-extensions (requires ==4.8.0 vs >=4.13.0)
+# idpay==0.0.1  # Outdated, use direct API
 
 # ============================================
 # HTTP Client
@@ -75,7 +77,7 @@ prometheus-client==0.19.0
 python-decouple==3.8
 python-dotenv==1.0.0
 tenacity==8.2.3
-python-multipart==0.0.6
+python-multipart==0.0.21  # Required by Reflex 0.8.24+ (>=0.0.20)
 psutil==5.9.6
 
 # ============================================