4 changes: 3 additions & 1 deletion requirements/local.txt
@@ -1,6 +1,6 @@
-r base.txt

Werkzeug==2.2.3 # https://github.com/pallets/werkzeug
Werkzeug==3.1.4 # https://github.com/pallets/werkzeug
Copilot AI Dec 6, 2025

Werkzeug is being upgraded from 2.2.3 to 3.1.4, which is a major version jump that likely includes breaking changes. According to Werkzeug's changelog, version 3.0 introduced several breaking changes including removal of deprecated APIs and changes to import paths. This upgrade should be thoroughly tested, particularly for any code that uses Werkzeug directly or indirectly through Flask or other frameworks.

Suggested change
Werkzeug==3.1.4 # https://github.com/pallets/werkzeug
Werkzeug==2.2.3 # https://github.com/pallets/werkzeug

Copilot uses AI. Check for mistakes.
ipdb==0.13.13 # https://github.com/gotcha/ipdb
psycopg2==2.9.3 # https://github.com/psycopg/psycopg2
watchgod==0.7 # https://github.com/samuelcolvin/watchgod
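Review bot: the jump from Werkzeug 2.2.3 to 3.1.4 in this hunk crosses a major version boundary, and nothing in the change shows the code that imports Werkzeug (directly or through Flask) being run against 3.x; run the local test suite with the new pin before merging and record the result in the PR, since the comment above already flags the 3.0 removal of deprecated APIs and the import-path changes. This file is requirements/local.txt, so the bump reaches the development environment only, unless base.txt also declares Werkzeug.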
Expand Down Expand Up @@ -35,3 +35,5 @@ django-debug-toolbar # https://github.com/jazzband/django-debug-toolbar
django-extensions==3.2.1 # https://github.com/django-extensions/django-extensions
django-coverage-plugin==2.0.2 # https://github.com/nedbat/django_coverage_plugin
pytest-django==4.5.2 # https://github.com/pytest-dev/pytest-django
django>=4.2.27 # not directly required, pinned by Snyk to avoid a vulnerability
Copilot AI Dec 6, 2025

The Django version pin (>=4.2.27) in local.txt will conflict with the explicit django==4.1.6 pinned in base.txt (line 15). Since local.txt includes base.txt via -r base.txt, pip will encounter conflicting requirements. The Django security fix should be applied in base.txt instead, where the original Django version is specified. This will ensure the fix applies to both local and production environments.

Suggested change
django>=4.2.27 # not directly required, pinned by Snyk to avoid a vulnerability

sqlparse>=0.5.4 # not directly required, pinned by Snyk to avoid a vulnerability
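Review bot: `django>=4.2.27` at line 38 and `sqlparse>=0.5.4` at line 39 sit in the wrong file: local.txt opens with `-r base.txt`, and the comment above states that base.txt already pins `django==4.1.6`, so the resolver sees two incompatible Django requirements in the local environment, while production.txt (which includes base.txt but not local.txt) receives neither security pin. Bump the versions in base.txt instead and drop these two lines; prefer an exact `==` pin there, matching every other line in this file, rather than an open-ended `>=` lower bound.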
Comment on lines +38 to +39
Copilot AI Dec 6, 2025

Security-critical dependency pins should be applied in base.txt rather than local.txt. Currently, these Snyk-recommended pins only affect the local development environment, leaving production environments (which use production.txt -> base.txt) vulnerable to the same security issues. Move these pins to base.txt where Django and its dependencies are originally specified.

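As an added illustration of the conflict described in the review comments above (not code from the PR or the repository), the following Python script follows `-r` includes across requirement files and reports any package whose exact `==` pin cannot satisfy another specifier in the same closure. The file contents are constructed stand-ins; only the django pins are taken from the thread, and the `FIXED` layout is a constructed version of the reviewer's suggestion to bump Django in base.txt.

```python
import re

# Constructed stand-ins for the repository's requirement files; only the
# django pins come from the review thread, the other lines are illustrative.
FILES = {
    "base.txt": "django==4.1.6  # constructed: base pin the review refers to\n",
    "local.txt": (
        "-r base.txt\n"
        "Werkzeug==3.1.4  # https://github.com/pallets/werkzeug\n"
        "django>=4.2.27  # not directly required, pinned by Snyk\n"
    ),
}
# Reviewer's fix: bump django where it is originally pinned (constructed value).
FIXED = {"base.txt": "django==4.2.27\n", "local.txt": "-r base.txt\nWerkzeug==3.1.4\n"}

SPEC = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=|<=|!=|>|<)\s*([0-9][0-9.]*)")
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}


def parse_version(text):
    # Dotted numeric version -> comparable tuple, e.g. "4.2.27" -> (4, 2, 27)
    return tuple(int(part) for part in text.split("."))


def collect(name, files, seen=None):
    """Gather {package: [(op, version, file)]} for a file and its -r includes."""
    seen = set() if seen is None else seen
    reqs = {}
    if name in seen:          # guard against circular -r includes
        return reqs
    seen.add(name)
    for raw in files[name].splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if line.startswith("-r "):
            for pkg, specs in collect(line[3:].strip(), files, seen).items():
                reqs.setdefault(pkg, []).extend(specs)
        elif (match := SPEC.match(line)):
            pkg, op, ver = match.groups()
            reqs.setdefault(pkg.lower(), []).append((op, ver, name))
    return reqs


def conflicts(name, files):
    """Specifiers that an exact '==' pin in the same closure cannot satisfy."""
    found = {}
    for pkg, specs in collect(name, files).items():
        pinned = [parse_version(v) for op, v, _ in specs if op == "=="]
        bad = [s for s in specs
               if any(not OPS[s[0]](p, parse_version(s[1])) for p in pinned)]
        if bad:
            found[pkg] = bad
    return found
```

Running `conflicts("local.txt", FILES)` flags the django `>=4.2.27` line against the `==4.1.6` pin inherited from base.txt, while `conflicts("local.txt", FIXED)` is empty.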