SBOM
Software bill of materials.
Attestix pins every runtime dependency with both a lower and an upper bound to prevent silent major-version drift. The tables below mirror pyproject.toml at the v0.3.0 release. Generated CycloneDX artefacts are attached to published GitHub releases where available; for the most current pinned set, read pyproject.toml on main.
Runtime dependencies
| Package | Version constraint | Purpose | Licence |
|---|---|---|---|
| mcp[cli] | >= 1.8.0, < 2.0.0 | Model Context Protocol runtime and CLI | MIT |
| cryptography | >= 46.0.7, < 47.0.0 | Ed25519, PBKDF2, SHA-256 (CVE-2026-34073, CVE-2026-39892 fixes) | Apache 2.0 / BSD |
| PyJWT[crypto] | >= 2.12.0, < 3.0.0 | UCAN JWT sign and verify (CVE-2026-32597 crit header fix) | MIT |
| base58 | >= 2.1.1, < 3.0.0 | Base58 encoding for DID key methods | MIT |
| httpx | >= 0.28.0, < 0.30.0 | did:web resolution, remote verify, agent discovery | BSD-3 |
| python-dotenv | >= 1.1.0, < 2.0.0 | Environment variable loading | BSD-3 |
| nest-asyncio | >= 1.6.0, < 2.0.0 | Nested event-loop support | BSD-2 |
| python-json-logger | >= 3.3.0, < 5.0.0 | Structured JSON logging | BSD-2 |
| filelock | >= 3.13.0, < 4.0.0 | File-based concurrency locking | Unlicense |
| click | >= 8.1.0, < 9.0.0 | CLI framework | BSD-3 |
| python-multipart | >= 0.0.26, < 0.1.0 | Multipart parser (pinned >= 0.0.26 for CVE-2026-40347 DoS fix) | Apache 2.0 |
Optional extras
| Package | Version constraint | Purpose | Licence |
|---|---|---|---|
| web3 | >= 7.0.0, < 8.0.0 | EAS anchoring to Base L2 testnet (blockchain extra) | MIT |
| weasyprint | >= 62.0 | PDF report generation (reports extra) | BSD-3 |
Development dependencies
| Package | Version constraint | Purpose | Licence |
|---|---|---|---|
| pytest | >= 8.0 | Test runner | MIT |
| pytest-asyncio | >= 0.24 | Async test support | Apache 2.0 |
| pytest-cov | >= 5.0 | Coverage plugin | MIT |
| respx | >= 0.22 | HTTP mocking for httpx | BSD-3 |
| ruff | >= 0.6.0 | Lint and format | MIT |
| mypy | >= 1.11 | Type checking | MIT |
| pip-audit | >= 2.7 | Dependency vulnerability audit | Apache 2.0 |
| bandit | >= 1.7 | SAST on Python source | Apache 2.0 |
| safety | >= 3.2 | CVE scan (advisory) | MIT |
| build | >= 1.2 | PEP 517 wheel builder | MIT |
Reproducibility
Every release goes through pip-audit and safety scans in CI before publishing. See /security for the vulnerability disclosure log.
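The pinning policy stated at the top of this page (every runtime dependency carries a lower and an upper bound) and the CVE-driven minimum versions noted in the runtime table are the kind of thing worth enforcing mechanically next to the pip-audit and safety steps. The following is an added example, not code from the Attestix project: a stdlib-only check that parses PEP 508 requirement strings, flags any entry lacking a lower or upper bound, and flags any lower bound that has slipped below a security floor. The `SAMPLE_DEPENDENCIES` list and `SECURITY_FLOORS` table are constructed here from the tables above (with one deliberately unbounded entry) rather than read from the real pyproject.toml; in CI you would load the `[project] dependencies` list instead.

```python
"""Dependency-bound policy check (added example, not part of Attestix)."""
import re
from typing import Dict, List, Tuple

# Constructed sample mirroring the runtime table; in CI this list would be
# read from pyproject.toml's [project] dependencies instead.
SAMPLE_DEPENDENCIES = [
    "mcp[cli]>=1.8.0,<2.0.0",
    "cryptography>=46.0.7,<47.0.0",
    "PyJWT[crypto]>=2.12.0,<3.0.0",
    "httpx>=0.28.0,<0.30.0",
    "python-multipart>=0.0.26,<0.1.0",
    "weasyprint>=62.0",  # deliberately missing an upper bound; should be flagged
]

# Assumed policy table: the minimum versions the page ties to CVE fixes,
# keyed by normalised (lower-case, hyphenated) distribution name.
SECURITY_FLOORS: Dict[str, str] = {
    "cryptography": "46.0.7",
    "pyjwt": "2.12.0",
    "python-multipart": "0.0.26",
}

# name, optional [extras], then the remainder holding version specifiers
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$")
# individual specifier: operator followed by a version token
_SPEC_RE = re.compile(r"(===|==|~=|!=|<=|>=|<|>)\s*([0-9][0-9A-Za-z.*+!-]*)")

_LOWER_OPS = {">=", ">", "==", "===", "~="}
_UPPER_OPS = {"<", "<=", "==", "===", "~="}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '46.0.7' into (46, 0, 7); stops at the first non-numeric segment."""
    parts: List[int] = []
    for segment in version.split("."):
        match = re.match(r"\d+", segment)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def parse_requirement(req: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (normalised name, [(operator, version), ...]) for a PEP 508 string."""
    match = _REQ_RE.match(req)
    if match is None:
        raise ValueError(f"unparseable requirement: {req!r}")
    name = match.group(1).lower().replace("_", "-")
    return name, _SPEC_RE.findall(match.group(2))


def check_requirement(req: str, floors: Dict[str, str]) -> List[str]:
    """Policy findings for one requirement; empty list means it passes."""
    name, specs = parse_requirement(req)
    findings: List[str] = []
    lower = [v for op, v in specs if op in _LOWER_OPS]
    upper = [v for op, v in specs if op in _UPPER_OPS]
    if not lower:
        findings.append(f"{name}: no lower bound")
    if not upper:
        findings.append(f"{name}: no upper bound (major-version drift possible)")
    floor = floors.get(name)
    if floor and lower and max(parse_version(v) for v in lower) < parse_version(floor):
        findings.append(f"{name}: lower bound below security floor {floor}")
    return findings


def check_dependencies(reqs: List[str], floors: Dict[str, str]) -> List[str]:
    """Run the policy over a whole dependency list and collect all findings."""
    findings: List[str] = []
    for req in reqs:
        findings.extend(check_requirement(req, floors))
    return findings


if __name__ == "__main__":
    problems = check_dependencies(SAMPLE_DEPENDENCIES, SECURITY_FLOORS)
    for line in problems:
        print("FAIL", line)
    raise SystemExit(1 if problems else 0)
```

Run as a CI step, a non-zero exit blocks the release on the first unbounded or regressed pin; the security-floor table is the piece that needs updating whenever a new advisory raises the minimum for one of the listed packages.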