[Snyk] Security upgrade requests from 2.31.0 to 2.33.0 #420
revan-zhang wants to merge 1 commit into main from
The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-REQUESTS-15763443
✅ Snyk checks have passed. No issues have been found so far.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
| web3 >= 4.8 | ||
| Pillow | ||
| stellar-sdk>=4.0.0,<6.0.0 | ||
| requests>=2.33.0 # not directly required, pinned by Snyk to avoid a vulnerability |
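Review bot: the floor added on the last line of this hunk lives in python/requirements-optional.txt, yet the first review comment on this PR states that requests is a direct dependency declared in python/requirements.txt (requests>=2.4.0) and in setup.py install_requires, so a plain "pip install" of the project never sees it; move the constraint to those two places and drop the "# not directly required" comment, which contradicts that declaration. The second review comment states that requests 2.33.0 requires Python 3.10+ while setup.py declares python_requires=">=3.6" and tox runs py36 through py310, so as written the optional file becomes unresolvable on 3.6 to 3.9; either raise python_requires together with this bump or gate the line with an environment marker such as requests>=2.33.0; python_version >= "3.10", accepting that the older interpreters then keep the unfixed range.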
Security fix placed in wrong requirements file
Medium Severity
The requests package is a direct dependency declared in python/requirements.txt (with >=2.4.0) and used as install_requires in setup.py. Pinning requests>=2.33.0 in requirements-optional.txt — which is only consumed by the full tox environment — leaves the actual install path unprotected. Standard installations via pip install or setup.py will still resolve requests>=2.4.0, meaning the vulnerability (SNYK-PYTHON-REQUESTS-15763443) remains exploitable for most users. The comment "not directly required" is also incorrect.
Requests 2.33.0 breaks supported Python versions
Medium Severity
requests 2.33.0 dropped support for Python 3.9 and requires Python 3.10+. This project declares python_requires=">=3.6" in setup.py and tests py{36,37,38,39,310} variants in tox. When the full tox environment installs requirements-optional.txt, pip will fail to resolve dependencies on Python 3.6–3.9 because no requests version satisfies both >=2.33.0 and Python <3.10.
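Both review comments above come down to one question: which install path actually sees the new floor, and on which interpreters. The script below is an added example, not code from the PR or the project. It parses simple pip requirement lines with only the standard library and reports, per file and per Python version, whether the package is absent, skipped by an environment marker, still resolvable below the fix version, or guaranteed at or above it. The file contents are constructed to match what the comments describe (the real files are assumed, not copied), the "hypothetical/requirements-fixed.txt" entry shows a marker-gated variant, and the status names are the example's own.

```python
"""Audit whether each requirements file's floor for a package covers a fix version.

Added example (not the project's code): stdlib-only parsing of requirement lines,
then a per-file, per-interpreter verdict: absent / skipped by marker / unprotected / covered.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input modelled on the files the review comments describe;
# the project's real file contents are assumed, not copied.
SAMPLE_FILES = {
    "python/requirements.txt": "requests>=2.4.0\nPillow\n",
    "python/requirements-optional.txt": (
        "web3 >= 4.8\nPillow\nstellar-sdk>=4.0.0,<6.0.0\n"
        "requests>=2.33.0 # not directly required, pinned by Snyk to avoid a vulnerability\n"
    ),
    # Hypothetical corrected line: same floor, gated so Python < 3.10 still resolves.
    "hypothetical/requirements-fixed.txt": 'requests>=2.33.0; python_version >= "3.10"\n',
}

# Two-character operators come first so the alternation does not stop at ">" or "<".
SPEC_RE = re.compile(r"(~=|>=|<=|==|!=|>|<)\s*([0-9][0-9.]*\w*)")
MARKER_RE = re.compile(r'python_version\s*(>=|<=|==|!=|>|<)\s*["\']([0-9.]+)["\']')
OP_FUNCS = {">=": lambda c: c >= 0, "<=": lambda c: c <= 0, "==": lambda c: c == 0,
            "!=": lambda c: c != 0, ">": lambda c: c > 0, "<": lambda c: c < 0}

def parse_version(text):
    """'2.33.0' -> (2, 33, 0); a non-numeric suffix such as 'rc1' ends the parse."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def compare(a, b):
    """Three-way compare of version tuples; (2, 33) and (2, 33, 0) are equal."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

@dataclass
class Requirement:
    name: str                # normalised: lower-case, '_' -> '-'
    specs: list              # [(op, version_tuple), ...]
    marker: Optional[tuple]  # (op, version_tuple) applied to python_version, or None

def parse_requirement(line):
    """Parse one requirements.txt line; None for blanks, comments and unparsable lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    body, _, marker_text = line.partition(";")
    m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)(.*)", body.strip())
    if not m:
        return None
    specs = [(op, parse_version(v)) for op, v in SPEC_RE.findall(m.group(2))]
    mm = MARKER_RE.search(marker_text)
    marker = (mm.group(1), parse_version(mm.group(2))) if mm else None
    return Requirement(m.group(1).lower().replace("_", "-"), specs, marker)

def applies_on(req, python_version):
    """Would pip install this line on the given interpreter (python_version marker only)?"""
    if req.marker is None:
        return True
    op, ver = req.marker
    return OP_FUNCS[op](compare(python_version, ver))

def floor_covers(req, fix_version):
    """True only if every version the specifiers admit is >= fix_version.
    An unpinned name, a '>=' floor below the fix or an '==' pin below the fix return False."""
    return any(op in (">=", "~=", "==", ">") and compare(ver, fix_version) >= 0
               for op, ver in req.specs)

def audit(files, package, fix_version, python_version):
    """Return {filename: status} for one package, fix version and interpreter version."""
    package = package.lower().replace("_", "-")
    fix, py = parse_version(fix_version), parse_version(python_version)
    report = {}
    for fname, text in files.items():
        status = "absent"
        for line in text.splitlines():
            req = parse_requirement(line)
            if req is None or req.name != package:
                continue
            if not applies_on(req, py):
                status = "skipped by marker"
            else:
                status = "covered" if floor_covers(req, fix) else "unprotected"
            break
        report[fname] = status
    return report

if __name__ == "__main__":
    for py in ("3.9", "3.10"):
        print(f"Python {py}:")
        for fname, status in audit(SAMPLE_FILES, "requests", "2.33.0", py).items():
            print(f"  {status:18} {fname}")
```

Run it and the first file reports "unprotected" on every interpreter, which is the gap the first comment raises: a floor in the optional file does nothing for the default install path. The marker-gated line shows the trade-off the second comment implies: it resolves on 3.9 only because the line is skipped there, so the old range stays installable on the interpreters the project still claims to support.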


Snyk has created this PR to fix 1 vulnerability in the pip dependencies of this project.
Snyk changed the following file(s):
python/requirements-optional.txt
Note
Low Risk
Low risk dependency-only change: adds a minimum requests version in an optional requirements file to address a known vulnerability, with minimal chance of breaking runtime behavior.
Overview
Updates python/requirements-optional.txt to explicitly add requests>=2.33.0, pinning it as an optional dependency to satisfy security scanning and avoid a reported requests vulnerability (even though it's not directly required by this file).
Written by Cursor Bugbot for commit 9ad8d46.