Release/2.14.6

[mehmet-yoti]

Release 2.14.6 — What's New

New Features

SDK-2758 — Share Code Resources & Tasks (#462)

Adds support for parsing and retrieving share code resources and verify share code tasks from IDV session responses.

• New ShareCodeResourceResponse class exposing source, media, profile and task data
• New ShareCodeMediaResponse and VerifyShareCodeTaskResponse classes
• ResourceContainer.share_codes property for list access
• VERIFY_SHARE_CODE_TASK constant added to constants.py

---

SDK-2781 — capture_type on Static Liveness Resources (#460)

StaticLivenessResourceResponse now exposes a capture_type property (e.g. "PHOTOGRAPH"). Defaults to None when the field is absent.

---

SDK-2792 — extraction_image_ids on IDV Page Responses (#461, #452)

PageResponse now exposes an extraction_image_ids property — the list of media IDs used for automated extraction. Defaults to an empty list when the field is absent or null.

---

SDK-2743 — process on Breakdown Response (#453)

BreakdownResponse now exposes a process property indicating the breakdown process type (AUTOMATED / EXPERT_REVIEW). Defaults to None when absent.

---

SDK-2473 — brand_id in Session Config (#458)

SdkConfigBuilder.with_brand_id(brand_id) allows a brand identifier to be set on the IDV session config for iframe theming. The field is omitted from the JSON payload when not set.

---

SDK-2614 — Suppressed Screens (IDV Shortened Flow) (#459)

SdkConfigBuilder.with_suppressed_screens([...]) / with_suppressed_screen(...) allow specific screens to be omitted from the IDV journey. Seven new constants added: ID_DOCUMENT_EDUCATION, ID_DOCUMENT_REQUIREMENTS, SUPPLEMENTARY_DOCUMENT_EDUCATION, ZOOM_LIVENESS_EDUCATION, STATIC_LIVENESS_EDUCATION, FACE_CAPTURE_EDUCATION, FLOW_COMPLETION.

---

Security & Dependency Upgrades

SDK-2803 — CVE Remediation (#463)

Core SDK (install_requires)

Package	Before	After	Reason
cryptography	>=42.0.0	>=44.0.1	CVE-2024-12797
protobuf	>=4.21.12	>=4.25.8,<6	CVE-2025-4565, CVE-2026-0994
requests	>=2.31.0	>=2.32.4	CVE-2024-47081
urllib3	>=2.2.1	>=2.6.3	Decompression / redirect CVEs
pyopenssl	>=24.0.0	>=26.0.0	High severity CVEs

All 10 *_pb2.py files regenerated using the _builder API required by protobuf 4.x/5.x runtimes.

Example apps

App	Key changes
Django	4.0.1 → 4.2 LTS (critical SQLi CVEs closed)
Flask	1.x → 3.0.6 (CVE-2023-30861)
Werkzeug	1.x → 3.0.6 (request smuggling, debugger RCE, path traversal)
Jinja2	→ 3.1.6 (5 CVEs)

---

QA Test Plan

Setup

Install the SDK from this release branch into the IDV example project:

pip install git+https://github.com/getyoti/yoti-python-sdk.git@release/2.14.6

---

SDK-2473 — brand_id in Session Config

When creating a session, call .with_brand_id("<your-brand-id>") on the SdkConfigBuilder:

sdk_config = SdkConfigBuilder().with_brand_id("<your-brand-id>").build()

Go through the IDV flow and on the iframe, you should see the branding associated with the given brand_id applied (colours, logo, etc.).

Create a second session without .with_brand_id(...). The default Yoti branding should appear and brand_id should be absent from the session creation request payload.

---

SDK-2614 — Suppressed Screens (IDV Shortened Flow)

When creating a session, call .with_suppressed_screen(...) on the SdkConfigBuilder for the screens you want to omit:

from yoti_python_sdk.doc_scan import constants

sdk_config = (SdkConfigBuilder()
              .with_suppressed_screen(constants.ID_DOCUMENT_EDUCATION)
              .with_suppressed_screen(constants.FLOW_COMPLETION)
              .build())

Go through the IDV flow — the education screen before document capture and the flow completion screen should not appear. The user should move directly to the next step after each suppressed screen would normally have been shown.

Create a second session without any suppressed screens and confirm all screens appear as normal.

---

SDK-2473 + SDK-2614 — Combined config

When creating a session, set both brand_id and suppressed_screens together:

sdk_config = (SdkConfigBuilder()
              .with_brand_id("<your-brand-id>")
              .with_suppressed_screen(constants.FLOW_COMPLETION)
              .build())

Go through the IDV flow — you should see the brand theming applied and the flow completion screen should not appear.

---

SDK-2758 — Share Code Resources & Tasks

Create a session that returns share code resources. After completing the flow and landing on the success page, inspect session_result.resources.share_codes. On the success page you should see:

• A list of share code entries, each with source, lookup_profile, returned_profile, and associated media fields populated where available
• Each share code entry's verify_share_code_tasks should list the corresponding tasks with their state (e.g. DONE) and any generated_media

For a session that produces no share codes, session_result.resources.share_codes should be an empty list.

---

SDK-2781 — capture_type on Static Liveness Resources

Create a session that includes a Static Liveness check. After completing the flow and landing on the success page, inspect session_result.resources.static_liveness_resources. On the success page you should see:

• Each static liveness resource has a capture_type field populated (e.g. "PHOTOGRAPH")
• For an incomplete or skipped static liveness step the field should be None

---

SDK-2792 — extraction_image_ids on IDV Page Responses

Create a session that includes an ID document upload with automated extraction. After completing the flow and landing on the success page, inspect the pages on each document via session_result.resources.id_documents. On the success page you should see:

• Each page that underwent automated extraction has extraction_image_ids populated with one or more UUID strings corresponding to the media used
• Pages without automated extraction should return an empty list for extraction_image_ids

---

SDK-2743 — process on Breakdown Response

Create a session that includes document authenticity or text data checks. After completing the flow and landing on the success page, inspect the breakdown items on each check via session_result.checks. On the success page you should see:

• Each breakdown item has a process field indicating how it was processed — "AUTOMATED" for machine-processed checks or "EXPERT_REVIEW" for manually reviewed ones
• Breakdown items that do not carry this field should show None

---

SDK-2803 — Dependency upgrade verification

Install the example app dependencies and start the app:

cd examples/doc_scan && pip install -r requirements.txt && python app.py

The app should start without errors. Run pip-audit against requirements.txt and confirm no High or Critical CVEs remain for the packages listed in the upgrade table above.

[sonarqubecloud]

Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud