…abilities
The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-TORNADO-14400977
- https://snyk.io/vuln/SNYK-PYTHON-TORNADO-14400978
- https://snyk.io/vuln/SNYK-PYTHON-TORNADO-14400979
- https://snyk.io/vuln/SNYK-PYTHON-URLLIB3-14192442
- https://snyk.io/vuln/SNYK-PYTHON-URLLIB3-14192443
Pull request overview
This PR addresses security vulnerabilities by adding pinned versions of tornado and urllib3 as transitive dependencies. Snyk identified 5 vulnerabilities across these packages and is upgrading tornado from 6.2 to >=6.5.3 and urllib3 from 2.0.7 to >=2.6.0.
- Adds tornado>=6.5.3 to fix 3 security vulnerabilities
- Adds urllib3>=2.6.0 to fix 2 security vulnerabilities
| torch==1.10.0 | ||
| pandas==1.4.1 No newline at end of file | ||
| pandas==1.4.1 | ||
| tornado>=6.5.3 # not directly required, pinned by Snyk to avoid a vulnerability |
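Review bot: the new `tornado>=6.5.3` line is the only range constraint in a file that otherwise pins exact versions (`torch==1.10.0`, `pandas==1.4.1`), so the install is no longer reproducible for this package. Since the comment says tornado is not directly required, consider pinning the exact version the resolver picks (or regenerating a hash-pinned lock file) rather than adding a floating lower bound to a file of exact pins.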
The version constraint uses >= which allows any future version including potentially incompatible major versions. For security fixes, it's better to use a more restrictive constraint like >=6.5.3,<7.0.0 to avoid unexpected breaking changes from future major version updates while still allowing security patches.
| tornado>=6.5.3 # not directly required, pinned by Snyk to avoid a vulnerability | |
| tornado>=6.5.3,<7.0.0 # not directly required, pinned by Snyk to avoid a vulnerability |
| pandas==1.4.1 No newline at end of file | ||
| pandas==1.4.1 | ||
| tornado>=6.5.3 # not directly required, pinned by Snyk to avoid a vulnerability | ||
| urllib3>=2.6.0 # not directly required, pinned by Snyk to avoid a vulnerability No newline at end of file |
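Review bot: the file still ends without a trailing newline after the new `urllib3>=2.6.0` line (the `No newline at end of file` marker), just as it did after `pandas==1.4.1` before this change; add one so the next append produces a one-line diff instead of touching the previous line again. The reproducibility point raised for the tornado line applies here as well.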
The version constraint uses >= which allows any future version including potentially incompatible major versions. For security fixes, it's better to use a more restrictive constraint like >=2.6.0,<3.0.0 to avoid unexpected breaking changes from future major version updates while still allowing security patches.
| urllib3>=2.6.0 # not directly required, pinned by Snyk to avoid a vulnerability | |
| urllib3>=2.6.0,<3.0.0 # not directly required, pinned by Snyk to avoid a vulnerability |
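The two review comments above both come down to the same check a maintainer wants to run on a requirements file: does each constraint actually exclude the vulnerable version, does it admit the fixed version, and does it cap the major version so an untested release cannot be pulled in? The script below is an added example (not Snyk's or Copilot's code) that performs that audit with the standard library only. It assumes the vulnerable and fixed versions quoted in the PR description (tornado 6.2 to 6.5.3, urllib3 2.0.7 to 2.6.0), uses a constructed requirements sample modelled on the diff (with the suggested upper bound applied to urllib3 but not tornado), and handles only plain numeric PEP 440 specifiers (no pre-release or local version tags).

```python
"""Audit requirements.txt constraints against known vulnerable/fixed versions.

Added example, not part of the PR. Stdlib only; supports the operators
==, !=, <, <=, >, >=, ~= on dotted numeric versions.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]
Spec = Tuple[str, Version]

# Constructed sample modelled on the diff in this PR: exact pins for the
# direct dependencies, tornado with a lower bound only, urllib3 with the
# reviewer's suggested upper bound applied.
SAMPLE_REQUIREMENTS = """\
torch==1.10.0
pandas==1.4.1
tornado>=6.5.3 # not directly required, pinned by Snyk to avoid a vulnerability
urllib3>=2.6.0,<3.0.0 # not directly required, pinned by Snyk to avoid a vulnerability
"""

# Assumed from the PR description: package -> (vulnerable version, fixed version)
KNOWN_FIXES: Dict[str, Tuple[str, str]] = {
    "tornado": ("6.2", "6.5.3"),
    "urllib3": ("2.0.7", "2.6.0"),
}

_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
_SPEC_RE = re.compile(r"(~=|==|!=|<=|>=|<|>)\s*([0-9]+(?:\.[0-9]+)*)")


def parse_version(text: str) -> Version:
    """'6.5.3' -> (6, 5, 3); comparisons are done on zero-padded tuples."""
    return tuple(int(part) for part in text.split("."))


def _pad(a: Version, b: Version) -> Tuple[Version, Version]:
    """Right-pad with zeros so (6, 2) compares like (6, 2, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def parse_requirement(line: str) -> Optional[Tuple[str, List[Spec]]]:
    """Return (normalised name, [(op, version)]) or None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()  # drop trailing comments
    if not line:
        return None
    m = _NAME_RE.match(line)
    if not m:
        return None
    name, rest = m.group(1).lower(), m.group(2)
    specs = [(op, parse_version(v)) for op, v in _SPEC_RE.findall(rest)]
    return name, specs


def satisfies(version: Version, specs: List[Spec]) -> bool:
    """True if every specifier clause admits the version."""
    for op, bound in specs:
        v, b = _pad(version, bound)
        if op == "~=":
            # Compatible release: >= bound and below the next release of the
            # prefix with the last component dropped (~=6.5.3 means >=6.5.3,<6.6).
            prefix = bound[:-1] if len(bound) > 1 else bound
            ceiling = prefix[:-1] + (prefix[-1] + 1,)
            v2, c2 = _pad(version, ceiling)
            ok = v >= b and v2 < c2
        else:
            ok = {"==": v == b, "!=": v != b, "<=": v <= b,
                  ">=": v >= b, "<": v < b, ">": v > b}[op]
        if not ok:
            return False
    return True


def has_upper_bound(specs: List[Spec]) -> bool:
    """Does the constraint cap what future major versions can be installed?"""
    return any(op in ("==", "<", "<=", "~=") for op, _ in specs)


def audit(requirements_text: str) -> Dict[str, Dict[str, bool]]:
    """Per-package report: upper bound present, vulnerable excluded, fix admitted."""
    report: Dict[str, Dict[str, bool]] = {}
    for line in requirements_text.splitlines():
        parsed = parse_requirement(line)
        if parsed is None:
            continue
        name, specs = parsed
        entry = {"has_upper_bound": has_upper_bound(specs)}
        if name in KNOWN_FIXES:
            vulnerable, fixed = KNOWN_FIXES[name]
            entry["blocks_vulnerable"] = not satisfies(parse_version(vulnerable), specs)
            entry["allows_fixed"] = satisfies(parse_version(fixed), specs)
        report[name] = entry
    return report


if __name__ == "__main__":
    for pkg, entry in audit(SAMPLE_REQUIREMENTS).items():
        flags = ", ".join(f"{k}={v}" for k, v in entry.items())
        print(f"{pkg}: {flags}")
```

Run against the sample, the report flags tornado as lacking an upper bound while urllib3 (with the suggested `<3.0.0`) has one, and confirms both constraints exclude the vulnerable version and admit the fixed one. The same function can be pointed at the real `requirements.txt` and a fixes table generated from an advisory feed to gate a CI job.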
Snyk has created this PR to fix 5 vulnerabilities in the pip dependencies of this project.
Snyk changed the following file(s):
src/stable-diffusion-streamlit/requirements.txt
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Allocation of Resources Without Limits or Throttling