Conversation

@PhBouzid
What type of PR is this? (check all applicable)

  • Refactor
  • Feature
  • Bug Fix
  • Optimization
  • Documentation Update

Description

TBD

Related Tickets & Documents

  • Related Issue #
  • Closes #

QA Instructions, Screenshots, Recordings

Please replace this line with instructions on how to test your changes, a note
on the devices and browsers this has been tested on, as well as any relevant
images for UI changes.

Breaking Change checklist

If your PR includes any deployment or processing changes, please utilize this checklist:

  • Does it change any deployment parameters, logic of their working or rename them?
  • Has an update from the previous version been tested with the same set of deployment parameters?

Added/updated tests?

  • Yes
  • No, and this is why: please replace this line with details on why tests
    have not been included
  • I need help with writing tests

[optional] Are there any things to highlight or double check?

[optional] What gif best describes this PR or how it makes you feel?

Copilot AI review requested due to automatic review settings January 20, 2026 17:54
@github-actions

github-actions bot commented Jan 20, 2026


Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by simply posting a Pull Request comment in the same format as below.


I have read the CLA Document and I hereby sign the CLA


1 out of 2 committers have signed the CLA.
✅ [PhBouzid](https://github.com/PhBouzid)
❌ @fibu0125
fibu0125 seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.
You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.


Copilot AI left a comment

Pull request overview

This pull request addresses security vulnerabilities by updating dependencies and improving thread safety in the database layer.

Changes:

  • Upgraded urllib3 (2.0.6 → 2.6.3) and Werkzeug (3.0.6 → 3.1.5) to address security vulnerabilities
  • Updated PIP (22.2.0 → 25.3.0) and SETUPTOOLS (70.0.0 → 80.9.0) in the Alpine Dockerfile
  • Refactored DB class to store connections instead of cursors, added threading locks, and implemented cursor context managers for better resource management

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 4 comments.

File               Description
requirements.txt   Updated urllib3 and Werkzeug to newer versions to resolve security vulnerabilities
alpine/Dockerfile  Updated PIP and SETUPTOOLS versions to their latest releases
src/db.py          Enhanced thread safety with locks, changed to connection-based architecture, and added cursor context managers

class DB:
_lock = threading.Lock()
Copilot AI Jan 20, 2026

The `_lock` is a class-level attribute shared across all DB instances. This means all database operations across different database files will compete for the same lock, which could cause unnecessary serialization and performance degradation. Consider using an instance-level lock (`self._lock = threading.Lock()` in `__init__`) if each DB instance operates on a separate database file.

Comment on lines +82 to +84
with DB._lock:
log.debug("SQL command: " + sql.replace('?', '%s') % args)
cursor.execute(sql, args)
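Review bot: the debug line substitutes the bound parameters into the SQL text with `%`, so every value a caller binds, including whatever the login path passes, is written to the log at DEBUG level; log the statement and a redacted or count-only view of the parameters instead. The substitution also breaks on any statement whose own text contains a `%` (a LIKE pattern, for example), because `sql.replace('?', '%s') % args` then sees an extra format specifier; `log.debug("SQL command: %s args=%r", sql, args)` lets the logger defer the formatting and avoids that failure mode. The lock wraps only this execute call, so the caller's later fetch on the same shared connection runs unprotected.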
Copilot AI Jan 20, 2026

The threading lock is being used only around the logging and execute operations in __log_and_execute, but this may not provide adequate thread safety. The lock should protect the entire database operation sequence, not just the execute call. Consider that cursor operations might need protection at a higher level, or use connection-level locks instead of a class-level lock since each DB instance has its own connection.

Comment on lines 82 to +93
if login:
cursor = DB.__create_connection(self.__dbfile).cursor()
else:
cursor = self.__cursor

DB.__log_and_execute(cursor, query, params)
cursor = self.__conn.cursor()
with cursor:
DB.__log_and_execute(cursor, query, params)
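Review bot: the replacement unconditionally takes a cursor from `self.__conn`, so the branch that opened a separate connection to `self.__dbfile` when `login` was set is gone; if the method still accepts a `login` argument it is now silently ignored, so either remove the parameter and its call sites or document why the login path no longer needs its own connection. `with cursor:` also requires the cursor to implement the context-manager protocol (if the driver is the standard `sqlite3`, its `Cursor` does not), so the cursor wrapper this PR introduces should guarantee `close()` on both the normal and the exception path, ideally with a test that exercises it.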
Copilot AI Jan 20, 2026

When login=True, a new connection is created but never explicitly closed, which could lead to resource leaks. The cursor context manager only closes the cursor, not the underlying connection. Consider storing the connection and ensuring it's properly closed, or restructure to reuse the existing connection.

Comment on lines 95 to +107
if login:
cursor = DB.__create_connection(self.__dbfile).cursor()
else:
cursor = self.__cursor

DB.__log_and_execute(cursor, query, params)
return cursor.fetchall()
cursor = self.__conn.cursor()
with cursor:
DB.__log_and_execute(cursor, query, params)
return cursor.fetchall()
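Review bot: `cursor.fetchall()` runs after `__log_and_execute` has released `DB._lock` (the lock covers only the execute call), so on the shared `self.__conn` another thread can execute a new statement on the same connection between the execute and the fetch and disturb the pending result set; hold the lock across both execute and fetchall, for example by taking the rows inside the locked region and returning them.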
Copilot AI Jan 20, 2026

When login=True, a new connection is created but never explicitly closed, which could lead to resource leaks. The cursor context manager only closes the cursor, not the underlying connection. Consider storing the connection and ensuring it's properly closed, or restructure to reuse the existing connection.

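As an added example (not the project's `src/db.py`; the class and helper names are assumed), a `sqlite3` sketch of what the lock comment and the two resource-leak comments above ask for: an instance-level lock held across execute and fetch, and a connection context manager that closes the extra connection opened for the login path rather than only its cursor.

```python
import os
import sqlite3
import tempfile
import threading
from contextlib import closing, contextmanager


class DB:
    """Hypothetical wrapper, not the project's src/db.py: one shared connection
    per instance, an instance-level lock, and a context manager that always
    closes the extra connection opened for the login path."""

    def __init__(self, dbfile):
        self._dbfile = dbfile
        self._lock = threading.Lock()  # per instance, so other files are not serialised
        self._conn = sqlite3.connect(dbfile, check_same_thread=False)
        self.temp_connections_closed = 0  # counter used only to show cleanup happened

    @contextmanager
    def _connection(self, login):
        """Yield the shared connection, or a fresh one that is closed on exit."""
        if not login:
            yield self._conn
            return
        conn = sqlite3.connect(self._dbfile, check_same_thread=False)
        try:
            yield conn
        finally:
            conn.close()  # closing only the cursor would leak this connection
            self.temp_connections_closed += 1

    def execute(self, sql, params=(), login=False):
        """Run one statement and return its rows; the lock covers the whole sequence."""
        with self._lock, self._connection(login) as conn, closing(conn.cursor()) as cur:
            cur.execute(sql, params)
            rows = cur.fetchall()
            conn.commit()
            return rows


def demo():
    """Constructed scenario: a throwaway file database exercised through both paths."""
    path = os.path.join(tempfile.mkdtemp(), "demo.sqlite")
    db = DB(path)
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", "admin"))
    rows = db.execute("SELECT role FROM users WHERE name = ?", ("alice",), login=True)
    return rows, db.temp_connections_closed, DB(path)._lock is not db._lock
```

`demo()` returns the rows read through the temporary login connection, the number of temporary connections that were closed, and whether a second instance on the same file gets its own lock.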
@github-actions github-actions bot added the bug Something isn't working label Jan 20, 2026
@PhBouzid
Author

@copilot open a new pull request to apply changes based on the comments in this thread


Copilot AI commented Jan 20, 2026

@PhBouzid I've opened a new pull request, #51, to work on those changes. Once the pull request is ready, I'll request review from you.

@PhBouzid
Author

I have read the CLA Document and I hereby sign the CLA

@github-actions github-actions bot added the enhancement New feature or request label Jan 20, 2026