Feature/cdapi 180

[nhsd-rebecca-flynn]

Description

Upgrades to requests and flask following dependabot alerts that didn't merge due to changes to the dependabot yaml at the time.

Bump psf/requests from v2.32.4 to v.2.33.1. This fixes a moderate vulnerability where a utility function used a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. This and previous releases were made by the same user: nateprewitt and look like a legitimate fix and was released on 2026-03-30.

Bump flask from 3.1.2 to 3.1.3. This fixes a low risk vulnerability, where the session is marked as accessed for operations that only access the keys but not the values, such as in and len. This and previous releases were made by githubactions and was released on 2026-02-19.

Context

Type of changes

• Refactoring (non-breaking change)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would change existing functionality)
• Bug fix (non-breaking change which fixes an issue)

Checklist

• I have followed the code style of the project
• I have added tests to cover my changes
• I have updated the documentation accordingly
• This PR is a result of pair or mob programming
• Exceptions/Exclusions to coding standards (e.g. #noqa or #NOSONAR) are included within this Pull Request.

---

Sensitive Information Declaration

To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter.

• I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

Deployment Complete

• Preview with mock:
  • URL: https://feature-cdapi-180.dev.endpoints.pathology-laboratory-reporting.national.nhs.uk — Status
    • Smoke test result: ✅ Passed (HTTP 200)
  • Proxy URL: https://internal-dev.api.service.nhs.uk/pathology-laboratory-reporting-pr-140
  • Lambda function: pr-feature-cdapi-180
• Mock endpoints:
  • URL: https://feature-cdapi-180.m.dev.endpoints.pathology-laboratory-reporting.national.nhs.uk
    • Smoke test result: ✅ Passed (HTTP 200)
  • Lambda function: mock-feature-cdapi-180
• Preview with integration:
  • URL: https://feature-cdapi-180.i.dev.endpoints.pathology-laboratory-reporting.national.nhs.uk — Status
    • Smoke test result: ✅ Passed (HTTP 200)
  • Proxy URL: https://internal-dev.api.service.nhs.uk/pathology-laboratory-reporting-pri-140
  • Lambda function: int-feature-cdapi-180