The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-URLLIB3-14896210
- https://snyk.io/vuln/SNYK-PYTHON-WERKZEUG-14908843
Pull request overview
This PR fixes 2 security vulnerabilities in Python dependencies identified by Snyk: urllib3 and Werkzeug. The changes upgrade Werkzeug from version 2.2.3 to 3.1.5 and add a new urllib3 dependency pinned to version 2.6.3 or higher.
Changes:
- Upgraded Werkzeug from 2.2.3 to 3.1.5 (major version bump)
- Added urllib3>=2.6.3 as a pinned transitive dependency to address security vulnerabilities
requirements/local.txt
 -r base.txt
-Werkzeug==2.2.3 # https://github.com/pallets/werkzeug
+Werkzeug==3.1.5 # https://github.com/pallets/werkzeug
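Review bot: the `+Werkzeug==3.1.5` line crosses a major version, yet the hunk keeps only the bare upstream URL in the comment and records neither the advisory it closes nor the package that pulls Werkzeug in, so whoever bumps this pin next has nothing to check against. Put the advisory from the PR description (SNYK-PYTHON-WERKZEUG-14908843) in the comment next to the pin, and, since `-r base.txt` shows this file is only the local overlay, confirm which pin in it consumes Werkzeug (django-extensions==3.2.1, pinned later in the same file, is the likely one through its runserver_plus command) and that it still runs against 3.x before merging.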
Upgrading Werkzeug from 2.2.3 to 3.1.5 is a major version upgrade that may contain breaking changes. Werkzeug 3.0 introduced several breaking changes including removal of deprecated APIs and changes to request/response handling. While no direct usage of Werkzeug was found in the codebase, this is a transitive dependency likely used by Flask or other web frameworks. Ensure that all frameworks and libraries depending on Werkzeug are compatible with version 3.x, and verify that tests pass before merging.
Suggested change:
-Werkzeug==3.1.5 # https://github.com/pallets/werkzeug
+Werkzeug==2.2.3 # https://github.com/pallets/werkzeug
requirements/local.txt
 django-extensions==3.2.1 # https://github.com/django-extensions/django-extensions
 django-coverage-plugin==2.0.2 # https://github.com/nedbat/django_coverage_plugin
 pytest-django==4.5.2 # https://github.com/pytest-dev/pytest-django
+urllib3>=2.6.3 # not directly required, pinned by Snyk to avoid a vulnerability
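Review bot: `+urllib3>=2.6.3` is a floor, not a pin, while the comment on the same line says "pinned by Snyk" and every other line in the hunk uses `==`; with a floor, `pip install -r requirements/local.txt` takes whatever urllib3 release is newest at install time, so two installs of this file can differ. Either write `urllib3==2.6.3` or drop the "pinned" wording. Also, this file only layers on top of base.txt (`-r base.txt` at its top), so if urllib3 is pulled in by a base package the production install never sees this floor; the same line belongs in the file production installs from, and `pip show urllib3` (its Required-by field) after an install tells you which package actually depends on it.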
The urllib3 security fix is only applied to local.txt (development environment) but not to production.txt. If urllib3 is a transitive dependency used in production, the production environment may remain vulnerable. Consider adding the same urllib3 pinning to requirements/production.txt to ensure the security fix is applied across all environments.
 django-extensions==3.2.1 # https://github.com/django-extensions/django-extensions
 django-coverage-plugin==2.0.2 # https://github.com/nedbat/django_coverage_plugin
 pytest-django==4.5.2 # https://github.com/pytest-dev/pytest-django
+urllib3>=2.6.3 # not directly required, pinned by Snyk to avoid a vulnerability
The version specification for urllib3 uses ">=" while all other dependencies in this file use "==". This is inconsistent with the project's dependency pinning pattern. Consider using "urllib3==2.6.3" instead to ensure reproducible builds and prevent unexpected behavior from future patch releases.
Suggested change:
-urllib3>=2.6.3 # not directly required, pinned by Snyk to avoid a vulnerability
+urllib3==2.6.3 # not directly required, pinned by Snyk to avoid a vulnerability
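The two questions the review comments above keep circling, which installed package actually consumes a transitive dependency such as Werkzeug or urllib3, and which lines in a requirements file (following its `-r` includes) are not exact `==` pins, can both be answered from data already on the machine. The script below is an added example and is not part of this PR or of the project: it reads reverse dependencies from installed package metadata (the same Requires-Dist data `pip show` summarises as Required-by) and flattens a requirements tree while remembering which file each pin came from, so a pin that exists only in the local overlay stands out. The base.txt / local.txt pair it builds in `demo()` is constructed for illustration, and the Django pin in it is an assumption, not the project's.

```python
"""Added example, not part of this PR or the project: answers the two questions
raised in the review above. (1) Which installed packages declare a dependency on
a transitive package such as Werkzeug or urllib3 (read from installed metadata,
the data `pip show` prints as Required-by). (2) Which entries in a requirements
file, following its `-r` includes, are not exact `==` pins. The two-file layout
built in demo() is constructed; the Django pin in it is an assumption."""
import re
import tempfile
from importlib import metadata
from pathlib import Path

# Leading name, optional extras and optional version specifier of a requirements
# line or a Requires-Dist string; trailing comments and markers are ignored.
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*"
    r"(?P<spec>(?:[<>=!~]=?|===)\s*[^\s#;]+)?"
)


def _canon(name: str) -> str:
    """PEP 503 name normalisation, so Werkzeug / werkzeug compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(path: Path, _seen=None) -> list:
    """Flatten a requirements file and its `-r` includes, in install order.

    Each entry records the file it came from, which is what tells you whether
    a pin lives only in the local overlay or also in the base file shared with
    production."""
    _seen = set() if _seen is None else _seen
    path = path.resolve()
    if path in _seen:                      # guard against include cycles
        return []
    _seen.add(path)
    entries = []
    for raw in path.read_text().splitlines():
        line = raw.split(" #", 1)[0].strip()   # drop trailing comment
        if not line or line.startswith("#"):
            continue
        if line.startswith("-r "):
            entries += parse_requirements(path.parent / line[3:].strip(), _seen)
            continue
        m = _REQ_RE.match(line)
        if m:
            spec = (m["spec"] or "").replace(" ", "")
            entries.append({"name": _canon(m["name"]), "spec": spec, "file": path.name})
    return entries


def non_exact_pins(entries):
    """Entries that are unpinned or use anything other than a single `==`."""
    return [e for e in entries if not re.fullmatch(r"==[^,]+", e["spec"])]


def reverse_dependencies(target: str, dists=None):
    """(distribution, requirement) pairs whose metadata declares `target`.

    `dists` defaults to the running interpreter's installed distributions;
    pass [(name, [requires, ...]), ...] to inspect a constructed set instead."""
    if dists is None:
        dists = [(d.metadata["Name"] or "", d.requires or [])
                 for d in metadata.distributions()]
    wanted = _canon(target)
    users = []
    for name, requires in dists:
        for req in requires:
            m = _REQ_RE.match(req)
            if m and _canon(m["name"]) == wanted:
                users.append((name, req))
                break
    return sorted(users)


def demo():
    """Constructed base.txt + local.txt mirroring this PR's layout (assumption)."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        (tmp / "base.txt").write_text("Django==4.2.7  # constructed pin, not the project's\n")
        (tmp / "local.txt").write_text(
            "-r base.txt\n"
            "Werkzeug==3.1.5 # https://github.com/pallets/werkzeug\n"
            "django-extensions==3.2.1 # https://github.com/django-extensions/django-extensions\n"
            "urllib3>=2.6.3 # not directly required, pinned by Snyk to avoid a vulnerability\n"
        )
        return parse_requirements(tmp / "local.txt")


if __name__ == "__main__":
    entries = demo()
    for e in non_exact_pins(entries):
        print(f"{e['file']}: {e['name']} {e['spec'] or '(unpinned)'} is not an exact pin")
    for pkg in ("Werkzeug", "urllib3"):
        print(pkg, "required by:", reverse_dependencies(pkg) or "no installed package")
```

Run it inside the project's virtualenv after `pip install -r requirements/local.txt` and the second loop names the package that pulls each dependency in; run `parse_requirements` against `requirements/production.txt` as well to see whether the urllib3 line reaches production at all.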
Snyk has created this PR to fix 2 vulnerabilities in the pip dependencies of this project.
Snyk changed the following file(s):
requirements/local.txt
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.