diff --git a/cmdb-api/Pipfile b/cmdb-api/Pipfile
index 776410e7..4ae82247 100644
--- a/cmdb-api/Pipfile
+++ b/cmdb-api/Pipfile
@@ -6,7 +6,7 @@ name = "pypi"
 [packages]
 # Flask
 Flask = "==2.3.2"
-Werkzeug = "==2.3.6"
+Werkzeug = ">=2.3.6"
 click = ">=5.0"
 # Api
 Flask-RESTful = "==0.3.10"
@@ -21,7 +21,7 @@ Flask-Migrate = "==2.5.2"
 gunicorn = "==21.0.1"
 supervisor = "==4.0.3"
 # Auth
-Flask-Login = "==0.6.2"
+Flask-Login = ">=0.6.2"
 Flask-Bcrypt = "==1.0.1"
 Flask-Cors = ">=3.0.8"
 ldap3 = "==2.9.1"
@@ -43,7 +43,7 @@ WTForms = "==3.0.0"
 email-validator = "==1.3.1"
 treelib = "==1.6.1"
 flasgger = "==0.9.5"
-Pillow = "==9.3.0"
+Pillow = ">=10.0.1"
 # other
 six = "==1.16.0"
 bs4 = ">=0.0.1"
diff --git a/cmdb-api/api/lib/cmdb/attribute.py b/cmdb-api/api/lib/cmdb/attribute.py
index 1380f144..20f40913 100644
--- a/cmdb-api/api/lib/cmdb/attribute.py
+++ b/cmdb-api/api/lib/cmdb/attribute.py
@@ -336,9 +336,6 @@ def _can_edit_attribute(attr):
     def update(self, _id, **kwargs):
         attr = Attribute.get_by_id(_id) or abort(404, ErrFormat.attribute_not_found.format("id={}".format(_id)))
 
-        if not self._can_edit_attribute(attr):
-            return abort(403, ErrFormat.cannot_edit_attribute)
-
         if kwargs.get("name"):
             other = Attribute.get_by(name=kwargs['name'], first=True, to_dict=False)
             if other and other.id != attr.id:
@@ -379,6 +376,14 @@ def update(self, _id, **kwargs):
 
         kwargs.get('is_computed') and self.can_create_computed_attribute()
 
+        is_changed = False
+        for k in kwargs:
+            if kwargs[k] != getattr(attr, k, None):
+                is_changed = True
+
+        if is_changed and not self._can_edit_attribute(attr):
+            return abort(403, ErrFormat.cannot_edit_attribute)
+
         attr.update(flush=True, filter_none=False, **kwargs)
 
         if is_choice and choice_value:
diff --git a/cmdb-api/api/lib/cmdb/ci.py b/cmdb-api/api/lib/cmdb/ci.py
index 99209309..4e8b9add 100644
--- a/cmdb-api/api/lib/cmdb/ci.py
+++ b/cmdb-api/api/lib/cmdb/ci.py
@@ -45,8 +45,8 @@
 from api.lib.perm.acl.acl import validate_permission
 from api.lib.secrets.inner import InnerCrypt
 from api.lib.secrets.vault import VaultClient
-from api.lib.utils import handle_arg_list
 from api.lib.utils import Lock
+from api.lib.utils import handle_arg_list
 from api.lib.webhook import webhook_request
 from api.models.cmdb import AttributeHistory
 from api.models.cmdb import AutoDiscoveryCI
@@ -639,6 +639,9 @@ def _get_cis_from_db(ci_ids, ret_key=RetKey.NAME, fields=None, value_tables=None
                     _fields.append(str(attr.id))
             filter_fields_sql = "WHERE A.attr_id in ({0})".format(",".join(_fields))
 
+        ci2pos = {int(_id): _pos for _pos, _id in enumerate(ci_ids)}
+        res = [None] * len(ci_ids)
+
         ci_ids = ",".join(map(str, ci_ids))
         if value_tables is None:
             value_tables = ValueTypeMap.table_name.values()
@@ -649,7 +652,6 @@ def _get_cis_from_db(ci_ids, ret_key=RetKey.NAME, fields=None, value_tables=None
         # current_app.logger.debug(query_sql)
         cis = db.session.execute(query_sql).fetchall()
         ci_set = set()
-        res = list()
         ci_dict = dict()
         unique_id2obj = dict()
         excludes = excludes and set(excludes)
@@ -669,7 +671,7 @@ def _get_cis_from_db(ci_ids, ret_key=RetKey.NAME, fields=None, value_tables=None
                 ci_dict["unique"] = unique_id2obj[ci_type.unique_id] and unique_id2obj[ci_type.unique_id].name
                 ci_dict["unique_alias"] = unique_id2obj[ci_type.unique_id] and unique_id2obj[ci_type.unique_id].alias
                 ci_set.add(ci_id)
-                res.append(ci_dict)
+                res[ci2pos[ci_id]] = ci_dict
 
             if ret_key == RetKey.NAME:
                 attr_key = attr_name
diff --git a/cmdb-api/requirements.txt b/cmdb-api/requirements.txt
index 187cc5fb..1776a059 100644
--- a/cmdb-api/requirements.txt
+++ b/cmdb-api/requirements.txt
@@ -12,7 +12,7 @@ Flask==2.3.2
 Flask-Bcrypt==1.0.1
 Flask-Caching==2.0.2
 Flask-Cors==4.0.0
-Flask-Login==0.6.2
+Flask-Login>=0.6.2
 Flask-Migrate==2.5.2
 Flask-RESTful==0.3.10
 Flask-SQLAlchemy==2.5.0
@@ -29,8 +29,8 @@ MarkupSafe==2.1.3
 marshmallow==2.20.2
 more-itertools==5.0.0
 msgpack-python==0.5.6
-Pillow==9.3.0
-cryptography==41.0.2
+Pillow>=10.0.1
+cryptography>=41.0.2
 PyJWT==2.4.0
 PyMySQL==1.1.0
 ldap3==2.9.1
@@ -45,7 +45,7 @@ supervisor==4.0.3
 timeout-decorator==0.5.0
 toposort==1.10
 treelib==1.6.1
-Werkzeug==2.3.6
+Werkzeug>=2.3.6
 WTForms==3.0.0
 shamir~=17.12.0
 hvac~=2.0.0