[Snyk] Security upgrade idna from 2.10 to 3.7#9
Conversation
…rabilities The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-IDNA-6597975
|
Important Review skippedIgnore keyword(s) in the title. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates the test requirements by pinning idna to version 3.7 or higher to address a security vulnerability. However, feedback indicates that this change introduces a dependency conflict with apache-airflow 1.10.15 and requests 2.23.0, which require idna to be less than version 3.
| @@ -1,2 +1,3 @@ | |||
| pytest==8.2.0 | |||
| cloud-composer-dag-test-utils==0.0.1 | |||
| idna>=3.7 # not directly required, pinned by Snyk to avoid a vulnerability | |||
There was a problem hiding this comment.
This change introduces a dependency conflict. The project uses apache-airflow 1.10.15, which depends on requests 2.23.0. As highlighted in the PR description, requests 2.23.0 requires idna<3,>=2.5. Pinning idna>=3.7 will cause installation failures during dependency resolution because the constraints are mutually exclusive.
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
1 issue found across 1 file
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="composer/airflow_1_samples/requirements-test.txt">
<violation number="1" location="composer/airflow_1_samples/requirements-test.txt:3">
P1: The `idna>=3.7` pin conflicts with the existing `idna==2.8` constraint (from `constraints.txt`) required by `requests==2.23.0` used by `apache-airflow==1.10.15`. Installing these test requirements together with the Airflow 1.10.x dependencies will either fail pip resolution or break the `requests` dependency chain, causing import errors at test time.</violation>
</file>
Reply with feedback, questions, or to request a fix.
Re-trigger cubic
| @@ -1,2 +1,3 @@ | |||
| pytest==8.2.0 | |||
| cloud-composer-dag-test-utils==0.0.1 | |||
| idna>=3.7 # not directly required, pinned by Snyk to avoid a vulnerability | |||
There was a problem hiding this comment.
P1: The idna>=3.7 pin conflicts with the existing idna==2.8 constraint (from constraints.txt) required by requests==2.23.0 used by apache-airflow==1.10.15. Installing these test requirements together with the Airflow 1.10.x dependencies will either fail pip resolution or break the requests dependency chain, causing import errors at test time.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At composer/airflow_1_samples/requirements-test.txt, line 3:
<comment>The `idna>=3.7` pin conflicts with the existing `idna==2.8` constraint (from `constraints.txt`) required by `requests==2.23.0` used by `apache-airflow==1.10.15`. Installing these test requirements together with the Airflow 1.10.x dependencies will either fail pip resolution or break the `requests` dependency chain, causing import errors at test time.</comment>
<file context>
@@ -1,2 +1,3 @@
pytest==8.2.0
cloud-composer-dag-test-utils==0.0.1
+idna>=3.7 # not directly required, pinned by Snyk to avoid a vulnerability
</file context>
2 participants
Snyk has created this PR to fix 1 vulnerabilities in the pip dependencies of this project.
Snyk changed the following file(s):
composer/airflow_1_samples/requirements-test.txtImportant
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Resource Exhaustion
Summary by cubic
Pin
idnato >=3.7 in test requirements to address a known vulnerability and harden the Composer sample tests.Dependencies
idna>=3.7tocomposer/airflow_1_samples/requirements-test.txt(fixes SNYK-PYTHON-IDNA-6597975).Migration
requests<3(e.g.,requests 2.23.0) requiresidna<3. If your test env includes it, upgraderequestsor adjust conflicting packages before merging.Written for commit 8a94472. Summary will update on new commits. Review in cubic