From 5feee53bdd2e35109754582da37450d17f91848f Mon Sep 17 00:00:00 2001
From: Marie PUPO JEAMMET
Date: Fri, 16 Jan 2026 10:32:53 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=EF=B8=8F(security)=20upgrade=20pyt?=
 =?UTF-8?q?hon=20version=20to=20fix=20vulnerability?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Vulnerability in jaraco.context caused security issue in setuptools and python3. change python version to fix see https://github.com/advisories/GHSA-58pv-8j8x-9vj2
---
 .github/workflows/crowdin_upload.yml | 2 +-
 .github/workflows/people.yml | 4 ++--
 CHANGELOG.md | 1 +
 Dockerfile | 4 ++--
 src/backend/pyproject.toml | 1 +
 5 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/crowdin_upload.yml b/.github/workflows/crowdin_upload.yml
index c07f90d..6c5863f 100644
--- a/.github/workflows/crowdin_upload.yml
+++ b/.github/workflows/crowdin_upload.yml
@@ -25,7 +25,7 @@ jobs:
 - name: Install Python
 uses: actions/setup-python@v3
 with:
- python-version: "3.11"
+ python-version: '3.13'
 - name: Upgrade pip and setuptools
 run: pip install --upgrade pip setuptools
 - name: Install development dependencies
diff --git a/.github/workflows/people.yml b/.github/workflows/people.yml
index 627f0bd..4b49cb4 100644
--- a/.github/workflows/people.yml
+++ b/.github/workflows/people.yml
@@ -224,7 +224,7 @@ jobs:
 - name: Install Python
 uses: actions/setup-python@v5
 with:
- python-version: '3.11'
+ python-version: '3.13'
 - name: Install development dependencies
 run: pip install --user .[dev]
 - name: Check code formatting with ruff
@@ -281,7 +281,7 @@ jobs:
 - name: Install Python
 uses: actions/setup-python@v5
 with:
- python-version: '3.11'
+ python-version: '3.13'
 - name: Install development dependencies
 run: pip install --user .[dev]
 - name: Install gettext (required to compile messages)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8326942..58f072f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ and this project adheres to
 ## [Unreleased]
+- 🔒️(security) upgrade python version to fix vulnerability #1010
 - 🐛(dimail) allow mailboxes and aliases to have the same local part #986
 - 🐛(dimail) ignore oxadmin when importing mailboxes from dimail #986
 - ✨(aliases) delete all aliases in one call #1002
diff --git a/Dockerfile b/Dockerfile
index b70c994..5d812f1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,10 +1,10 @@
 # Django People
 # ---- base image to inherit from ----
-FROM python:3.12.6-alpine3.20 AS base
+FROM python:3.13.11-alpine AS base
 # Upgrade pip to its latest release to speed up dependencies installation
-RUN python -m pip install --upgrade pip setuptools
+RUN python -m pip install --upgrade pip
 # Upgrade system packages to install security updates
 RUN apk update && \
diff --git a/src/backend/pyproject.toml b/src/backend/pyproject.toml
index a8f6569..87ae466 100644
--- a/src/backend/pyproject.toml
+++ b/src/backend/pyproject.toml
@@ -52,6 +52,7 @@ dependencies = [
 "factory_boy==3.3.3",
 "flower==2.0.1",
 "gunicorn==23.0.0",
+ "jaraco.context>=6.1.0",
 "joserfc==1.3.0",
 "jsonschema==4.25.1",
 "mozilla-django-oidc==4.0.1",
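Review bot: The new `FROM python:3.13.11-alpine AS base` drops the Alpine release that the replaced line pinned (`alpine3.20`), so the OS layer of the base image now changes silently whenever the `3.13.11-alpine` tag is re-pointed, losing the reproducibility the old line had. Keep the release suffix and add a digest, `FROM python:3.13.11-alpine3.xx@sha256:<digest> AS base`, and let Renovate/Dependabot refresh the digest rather than letting the tag float. The same hunk also stops upgrading `setuptools` without saying why; if the intent is that setuptools is absent from the 3.13 image (the commit message ties the advisory to setuptools, which presumably bundles jaraco.context), record that assumption and check it, e.g. `# setuptools deliberately not installed; verify no copy remains in the image (GHSA-58pv-8j8x-9vj2)` above the RUN, and keep a `pip show setuptools` or SBOM scan in CI since a pinned dependency could still pull it in transitively. While touching the RUN, `python -m pip install --no-cache-dir --upgrade pip` avoids leaving the pip cache in the layer (hadolint DL3042).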
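Review bot: `"jaraco.context>=6.1.0"` is the only open-ended specifier in a `dependencies` list that otherwise pins every entry with `==` (`factory_boy==3.3.3`, `gunicorn==23.0.0`, ...), so the resolved version drifts over time and the list no longer describes one reproducible install; the `dependencies` array itself continues past both edges of the hunk. Pin it like its neighbours and say why it is there, `"jaraco.context==6.1.0",  # floor for GHSA-58pv-8j8x-9vj2, not imported directly`, so a dependency the application does not appear to import is not silently removed later. Note that a top-level install of jaraco.context only governs the standalone package; if the advisory concerns the copy bundled inside setuptools, as the commit message suggests, that copy follows the setuptools version and this line does not change it, which is worth confirming with `pip-audit` or the project's scanner before closing #1010.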