Conversation
The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-10074036
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-10302884
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-12485156
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-13836728
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-13837025
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-14157807
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-14157810
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-7435780
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-7436273
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-7436514
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-7436646
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-7642790
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-7642791
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-7642813
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-7642814
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-7886958
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-7886959
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-8456315
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-8456316
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-9296408
- https://snyk.io/vuln/SNYK-PYTHON-SQLPARSE-14157217
- https://snyk.io/vuln/SNYK-PYTHON-SQLPARSE-6615674
- https://snyk.io/vuln/SNYK-PYTHON-ZIPP-7430899
Pull request overview
This PR, generated by Snyk, updates Python dependencies to remediate reported vulnerabilities by adding explicit minimum versions for transitive packages.
Changes:
- Normalizes the pycountry entry formatting in requirements/base.txt.
- Adds explicit dependency floors for sqlparse and zipp to address vulnerability findings.
| sqlparse>=0.5.4 # not directly required, pinned by Snyk to avoid a vulnerability | ||
| zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability No newline at end of file |
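Review bot: the new zipp line is added without a trailing newline (the "No newline at end of file" marker on the last line of the hunk), so the file ends the same way the pycountry line did before this change; end requirements/base.txt with a newline so the next package appended after zipp does not produce another whitespace-only modification of an unrelated line.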
requirements/base.txt pins nearly all dependencies with ==, but these new entries use >=. This makes installs non-reproducible and can cause unexpected upgrades. Consider pinning sqlparse and zipp to specific patched versions (or moving them into a dedicated constraints/overrides mechanism if that’s how this repo handles transitive security pins).
| sqlparse>=0.5.4 # not directly required, pinned by Snyk to avoid a vulnerability | |
| zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability | |
| sqlparse==0.5.4 # not directly required, pinned by Snyk to avoid a vulnerability | |
| zipp==3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability |
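Review bot: whichever operator is kept, the comment "not directly required, pinned by Snyk to avoid a vulnerability" on both lines does not say which finding each pin addresses; record the advisory IDs from the PR description next to the pins (SNYK-PYTHON-SQLPARSE-6615674 and SNYK-PYTHON-SQLPARSE-14157217 for sqlparse, SNYK-PYTHON-ZIPP-7430899 for zipp) so a later reviewer can tell why the transitive pin exists and when it can be retired, for example once the parent package itself requires the fixed version.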
| # ------------------------------------------------------------------------------ | ||
| pycountry==24.6.1 # https://pypi.org/project/pycountry/ No newline at end of file | ||
| pycountry==24.6.1 # https://pypi.org/project/pycountry/ | ||
| sqlparse>=0.5.4 # not directly required, pinned by Snyk to avoid a vulnerability |
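Review bot: the sqlparse entry is appended directly after the pycountry line, under the same "# ----" section separator that groups the file's direct dependencies, even though its comment says it is not directly required; give the Snyk transitive pins their own section header in the file's existing "# ----" style so they are not mistaken for direct requirements and are easy to find when the pins are reviewed.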
PR description/metadata says this fix upgrades django (3.2.25 → 4.2.27), but requirements/base.txt currently pins django==5.2.10 and this PR doesn’t change it. Please confirm the Snyk report/PR description matches the actual dependency state so reviewers can validate the intended remediation.
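Both review comments above come down to checks a reviewer can run rather than eyeball: which entries in requirements/base.txt are not exact `==` pins, whether the file ends with a newline, and whether the version a scanner report claims for a package (django 4.2.27 in the PR metadata) matches what the file actually pins. The following is an added example, not code from the Snyk PR or from this repository: a stdlib-only audit that parses a requirements file and answers those three questions. The requirements text embedded in it is constructed to mirror the shape of the file shown in the diff; the package lines in it are assumptions, not a copy of the repository's file.

```python
"""Audit a pip requirements file for non-reproducible pins (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of requirements/base.txt (not the real file).
# It deliberately ends without a newline, like the diff's "No newline at end
# of file" marker, and mixes exact pins with the two Snyk floors.
SAMPLE_REQUIREMENTS = (
    "# ------------------------------------------------------------------------------\n"
    "django==5.2.10  # https://www.djangoproject.com/\n"
    "pycountry==24.6.1  # https://pypi.org/project/pycountry/\n"
    "sqlparse>=0.5.4  # not directly required, pinned by Snyk to avoid a vulnerability\n"
    "zipp>=3.19.1  # not directly required, pinned by Snyk to avoid a vulnerability"
)

# Loose PEP 508-style line: name, optional extras, one version operator, version.
_REQ_RE = re.compile(
    r"""^\s*
        (?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)     # distribution name
        (?:\[[^\]]*\])?                           # optional extras, e.g. [argon2]
        \s*(?P<op>===|==|~=|!=|<=|>=|<|>)?\s*     # version operator, if any
        (?P<version>[0-9A-Za-z.*+!-]+)?           # version, if any
    """,
    re.VERBOSE,
)


@dataclass
class Requirement:
    name: str              # normalised: lower-case, '_' folded to '-'
    op: Optional[str]      # None when the line carries no specifier at all
    version: Optional[str]
    comment: str           # text after '#', kept so audits can show the rationale


def parse_requirements(text: str) -> List[Requirement]:
    """Parse requirement lines; blank, comment and -r/-c/--option lines are skipped."""
    reqs = []
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")
        line = line.split(";", 1)[0].strip()      # drop environment markers
        if not line or line.startswith("-"):
            continue
        m = _REQ_RE.match(line)
        if not m or not m.group("name"):
            continue
        name = m.group("name").lower().replace("_", "-")
        reqs.append(Requirement(name, m.group("op"), m.group("version"), comment.strip()))
    return reqs


def non_exact_pins(text: str) -> List[Requirement]:
    """Entries that let 'pip install -r' resolve a different version over time.

    Anything other than '==' (a '>=' floor, '~=' range, or no specifier) is
    reported, because each of those lets a future release slip in unreviewed.
    """
    return [r for r in parse_requirements(text) if r.op != "=="]


def pinned_version(text: str, name: str) -> Optional[str]:
    """Exact version pinned for a package, or None if absent or not exactly pinned."""
    key = name.lower().replace("_", "-")
    for r in parse_requirements(text):
        if r.name == key and r.op == "==":
            return r.version
    return None


def matches_report(text: str, name: str, claimed_version: str) -> bool:
    """True when the file's exact pin agrees with the version a scanner report claims."""
    return pinned_version(text, name) == claimed_version


def missing_trailing_newline(text: str) -> bool:
    """Git's 'No newline at end of file' condition for the given file contents."""
    return bool(text) and not text.endswith("\n")


if __name__ == "__main__":
    for r in non_exact_pins(SAMPLE_REQUIREMENTS):
        print(f"non-exact pin: {r.name} {r.op or ''}{r.version or ''}  # {r.comment}")
    print("django pin:", pinned_version(SAMPLE_REQUIREMENTS, "django"))
    print("report claims django 4.2.27:", matches_report(SAMPLE_REQUIREMENTS, "django", "4.2.27"))
    print("missing trailing newline:", missing_trailing_newline(SAMPLE_REQUIREMENTS))
```

Run it against the repository's real file by reading requirements/base.txt into `text` instead of the constructed sample; a CI step that fails when `non_exact_pins` is non-empty is the mechanical form of the first comment, and `matches_report` is the check the second comment asks the PR author to perform.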
Snyk has created this PR to fix 23 vulnerabilities in the pip dependencies of this project.
Snyk changed the following file(s):
requirements/base.txt
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Allocation of Resources Without Limits or Throttling
🦉 Improper Output Neutralization for Logs
🦉 SQL Injection