[Snyk] Security upgrade zipp from 3.15.0 to 3.19.1#87
Conversation
…abilities The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-ZIPP-7430899
There was a problem hiding this comment.
Pull request overview
This Snyk-generated PR aims to remediate a reported vulnerability by adding an explicit zipp version requirement to the Streamlit app’s Python dependencies.
Changes:
- Adds
zipp>=3.19.1tosrc/stable-diffusion-streamlit/requirements.txtto address a Snyk vulnerability report. - Normalizes the
pandas==1.4.1line formatting in the diff (no functional change).
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| torch==1.10.0 | ||
| pandas==1.4.1 No newline at end of file | ||
| pandas==1.4.1 | ||
| zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability No newline at end of file |
There was a problem hiding this comment.
This requirements file otherwise pins all dependencies with ==, but zipp is specified as >=3.19.1. That breaks reproducibility and is inconsistent with the established pattern in this file. Consider pinning to an exact version (e.g., ==3.19.1) or introducing a separate constraints file if ranges are desired.
| torch==1.10.0 | ||
| pandas==1.4.1 No newline at end of file | ||
| pandas==1.4.1 | ||
| zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability No newline at end of file |
There was a problem hiding this comment.
The inline comment says "pinned by Snyk", but zipp>=3.19.1 is not actually pinned. Also, note that the Docker build installs dependencies from docker/requirements.txt (see docker/dockerfile), so this change won’t affect the container environment; if the deployed artifact is the Docker image, the same zipp constraint likely needs to be applied there to fully remediate the vulnerability in production.
Snyk has created this PR to fix 1 vulnerabilities in the pip dependencies of this project.
Snyk changed the following file(s):
src/stable-diffusion-streamlit/requirements.txtImportant
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.