[Snyk] Fix for 4 vulnerabilities #458
base: main
| @@ -1,6 +1,6 @@ | ||||
| -r base.txt | ||||
| Werkzeug==2.2.3 # https://github.com/pallets/werkzeug | ||||
| Werkzeug==3.1.4 # https://github.com/pallets/werkzeug | ||||
| ipdb==0.13.13 # https://github.com/gotcha/ipdb | ||||
| psycopg2==2.9.3 # https://github.com/psycopg/psycopg2 | ||||
| watchgod==0.7 # https://github.com/samuelcolvin/watchgod | ||||
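Review bot: the Werkzeug line is the only change in this hunk and jumps from 2.2.3 straight to 3.1.4, crossing a major version, yet neither the hunk nor the PR title says which of the four advisories this addresses or that the tooling listed beside it (ipdb, watchgod) was exercised against Werkzeug 3.x. Suggest naming the advisory in the commit message and confirming the bump against the project's test run before merging; and since this file begins with `-r base.txt`, confirm whether Werkzeug is also declared in base.txt so the chain that does not include this file receives the same fix.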
@@ -35,3 +35,5 @@ django-debug-toolbar # https://github.com/jazzband/django-debug-toolbar | |||
| django-extensions==3.2.1 # https://github.com/django-extensions/django-extensions | ||||
| django-coverage-plugin==2.0.2 # https://github.com/nedbat/django_coverage_plugin | ||||
| pytest-django==4.5.2 # https://github.com/pytest-dev/pytest-django | ||||
| django>=4.2.27 # not directly required, pinned by Snyk to avoid a vulnerability | ||||
| django>=4.2.27 # not directly required, pinned by Snyk to avoid a vulnerability |
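Review bot: `django>=4.2.27` is a lower bound where every other entry in the hunk is an exact `==` pin, and the comment on the line itself says Django is not directly required here; a floor added in this file does not replace whatever exact version is set in the file that actually declares Django, and if that exact version is below 4.2.27 pip's resolver will report a conflict rather than silently upgrade. Suggest updating the existing Django pin in place instead of adding a second constraint here. The header `@@ -35,3 +35,5 @@` also announces two added lines while only one is shown, so the other addition should be reviewed with the same question in mind.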
Copilot
AI
Dec 6, 2025
Security-critical dependency pins should be applied in base.txt rather than local.txt. Currently, these Snyk-recommended pins only affect the local development environment, leaving production environments (which use production.txt -> base.txt) vulnerable to the same security issues. Move these pins to base.txt where Django and its dependencies are originally specified.
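The layering problem described in that comment (a pin placed in `local.txt` never reaching the `production.txt -> base.txt` chain, and a `>=` floor colliding with an `==` pin in an included file) is easy to catch mechanically. The following is an added example, not code from this PR or from the project: it walks a tree of pip requirements files that include each other with `-r`, reports which file constrains each security-relevant package, and flags constraints that are visible only from the local entry point or that conflict inside one tree. The file names and contents in `SAMPLE_FILES` are constructed for the example, and the `>=`/`==` comparison is deliberately minimal (no PEP 440 prerelease or wildcard handling).

```python
"""
Added example (not part of the PR or the project): audit a layered pip
requirements tree for security pins that do not reach production.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample tree mirroring the layout in the review comment.
SAMPLE_FILES: Dict[str, str] = {
    "base.txt": (
        "django==4.2.1  # https://github.com/django/django\n"
        "psycopg2==2.9.3\n"
    ),
    "production.txt": "-r base.txt\ngunicorn==20.1.0\n",
    "local.txt": (
        "-r base.txt\n"
        "Werkzeug==3.1.4  # https://github.com/pallets/werkzeug\n"
        "ipdb==0.13.13\n"
        "django>=4.2.27  # not directly required, pinned to avoid a vulnerability\n"
    ),
}

# "name", "name==1.2", "name>=1.2", "Name[extra]<2"; comments stripped before matching.
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*([<>=!~]=?.*)?$")


def parse_requirements(files: Dict[str, str], entry: str) -> List[Tuple[str, str, str]]:
    """Return (package, specifier, source_file) for every line reachable from `entry`."""
    seen = set()
    out: List[Tuple[str, str, str]] = []

    def walk(name: str) -> None:
        if name in seen:  # guard against `-r` include cycles
            return
        seen.add(name)
        for raw in files[name].splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            if line.startswith("-r "):
                walk(line[3:].strip())
                continue
            m = _REQ_RE.match(line)
            if m:
                out.append((m.group(1).lower(), (m.group(3) or "").strip(), name))

    walk(entry)
    return out


def _vtuple(version: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in re.findall(r"\d+", version))


def satisfies(version: str, spec: str) -> bool:
    """Minimal check for ==, >=, >, <=, < specifiers (enough for pins like these)."""
    m = re.match(r"(==|>=|>|<=|<)\s*([\d.]+)", spec)
    if not m:
        return True
    op, want = m.group(1), _vtuple(m.group(2))
    have = _vtuple(version)
    return {"==": have == want, ">=": have >= want, ">": have > want,
            "<=": have <= want, "<": have < want}[op]


def audit(files: Dict[str, str], packages: List[str],
          prod_entry: str = "production.txt", local_entry: str = "local.txt") -> Dict[str, dict]:
    """For each package: constraints production sees, constraints only local sees,
    and whether the local tree contains an exact pin that fails a floor in the same tree."""
    prod: Dict[str, List[Tuple[str, str]]] = {}
    for pkg, spec, src in parse_requirements(files, prod_entry):
        prod.setdefault(pkg, []).append((spec, src))
    local: Dict[str, List[Tuple[str, str]]] = {}
    for pkg, spec, src in parse_requirements(files, local_entry):
        local.setdefault(pkg, []).append((spec, src))

    report = {}
    for pkg in packages:
        p = pkg.lower()
        prod_specs = prod.get(p, [])
        local_specs = local.get(p, [])
        exact = [s for s, _ in local_specs if s.startswith("==")]
        floors = [s for s, _ in local_specs if s.startswith(">=")]
        report[p] = {
            "production": prod_specs,
            "local_only": [s for s in local_specs if s not in prod_specs],
            # an exact pin that does not meet a floor in the same tree -> resolver conflict
            "conflict_in_local": any(not satisfies(e[2:], f) for e in exact for f in floors),
        }
    return report


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_FILES, ["Werkzeug", "django"]).items():
        print(name, finding)
```

Run against the constructed tree, the report shows that production never sees any Werkzeug constraint and that Django carries both `==4.2.1` (from base.txt) and `>=4.2.27` (from local.txt), which pip cannot satisfy together; both findings point at the same fix the comment recommends, updating the pin where the package is declared in base.txt.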
Werkzeug is being upgraded from 2.2.3 to 3.1.4, which is a major version jump that likely includes breaking changes. According to Werkzeug's changelog, version 3.0 introduced several breaking changes including removal of deprecated APIs and changes to import paths. This upgrade should be thoroughly tested, particularly for any code that uses Werkzeug directly or indirectly through Flask or other frameworks.