[Snyk] Security upgrade requests from 2.31.0 to 2.33.0 #629
revan-zhang wants to merge 1 commit into touch from
Conversation
The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-REQUESTS-15763443
✅ Snyk checks have passed. No issues have been found so far.
| Pillow | ||
| stellar-sdk>=4.0.0,<6.0.0 | ||
| rlp>=1.1.0 ; python_version<'3.7' | ||
| requests>=2.33.0 # not directly required, pinned by Snyk to avoid a vulnerability |
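Review bot: the new `requests>=2.33.0` row at the bottom of this hunk is placed in python/requirements-optional.txt with the comment "not directly required", yet the review comments on this PR state that requests is declared directly in python/requirements.txt as `requests>=2.4.0`; an install that uses only the base requirements therefore still admits every requests version from 2.4.0 upward and gains nothing from this change. Raise the floor where the direct dependency lives (`requests>=2.33.0` in python/requirements.txt) and drop this optional row rather than carrying the same constraint in two files. Note also that the `rlp>=1.1.0 ; python_version<'3.7'` row two lines above shows this file already uses PEP 508 environment markers; if requests 2.33.0 really requires Python 3.10 or newer, as the Bugbot comment claims, a marker such as `; python_version>='3.10'` would keep the older tox environments resolvable, but it would also leave those interpreters on the unbounded, vulnerable range, so the project has to decide whether it still supports those interpreters instead of silently exempting them from the security floor. Finally, the comment text "pinned by Snyk" is misleading: a `>=` constraint is a minimum, not a pin, and the next breaking release of requests would still be pulled in.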
🔴 Security version pin placed in optional requirements instead of main requirements where requests is a direct dependency
The Snyk security pin requests>=2.33.0 is added to requirements-optional.txt with the comment "not directly required", but requests is a direct dependency declared in python/requirements.txt:3 as requests>=2.4.0. Users who install only the base requirements (the standard case) will still resolve requests to any version >=2.4.0, potentially pulling in the vulnerable version that this pin was supposed to prevent. The fix should update the minimum version in python/requirements.txt from >=2.4.0 to >=2.33.0 instead.
Prompt for agents
The security pin for requests should be applied in python/requirements.txt (line 3), not in python/requirements-optional.txt. In python/requirements.txt, change line 3 from `requests>=2.4.0` to `requests>=2.33.0`. Then remove line 6 (`requests>=2.33.0 # not directly required, pinned by Snyk to avoid a vulnerability`) from python/requirements-optional.txt, since `requests` is a direct (not optional) dependency.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Security fix applied to wrong requirements file
Medium Severity
The requests version pin (>=2.33.0) is added to requirements-optional.txt, but requests is already a direct core dependency in requirements.txt at >=2.4.0. The optional file is only consumed by the full tox test environment, so the vast majority of users installing via pip install (which uses setup.py reading requirements.txt) remain exposed to the vulnerable requests versions. The version bump belongs in requirements.txt where the direct requests>=2.4.0 dependency is declared.
Version pin breaks Python 3.9 and earlier compatibility
Medium Severity
requests>=2.33.0 requires Python 3.10+ (it dropped Python 3.9 support), but this project declares python_requires=">=3.6" and its tox.ini runs py{36,37,38,39,310}-full environments that install requirements-optional.txt. This pin will cause dependency resolution failures for all full test environments on Python 3.6 through 3.9. The line needs a Python version environment marker (e.g., ; python_version>='3.10') to avoid breaking older supported runtimes.
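The two review comments above make claims about dependency resolution that are easy to check mechanically. The script below is an added example for this thread, not Snyk's, Bugbot's or the project's code. It is a stdlib-only checker that parses requirements lines, honours `python_version` markers of the kind already used by the `rlp` line, and reports, per interpreter, whether the combined files still admit a requests version below the Snyk floor. The two requirements texts are constructed from what the comments quote (they are not read from the repository), the `python_version>='3.10'` marker on the optional line is Bugbot's suggested workaround applied hypothetically, and the interpreter list follows the tox environments the comment names.

```python
"""Does a set of requirements files enforce a security floor for a package on each
supported interpreter? Stdlib only; handles 'name op version[,op version] ; python_version OP "X.Y" # comment'.

Added example for this review thread; not Snyk's, Bugbot's or the project's own code.
"""
import operator
import re

# Constructed inputs: what the review comments say the two files contain.
BASE_REQUIREMENTS = """\
Pillow
requests>=2.4.0
"""

# Hypothetical: the Snyk line with the environment marker Bugbot suggested.
OPTIONAL_REQUIREMENTS = """\
Pillow
stellar-sdk>=4.0.0,<6.0.0
rlp>=1.1.0 ; python_version<'3.7'
requests>=2.33.0 ; python_version>='3.10'  # not directly required, pinned by Snyk
"""

# The fix the comments ask for: raise the floor where the direct dependency lives.
FIXED_BASE_REQUIREMENTS = """\
Pillow
requests>=2.33.0
"""

SECURITY_FLOOR = "2.33.0"                                 # version Snyk says is fixed
SUPPORTED_PYTHONS = ["3.6", "3.7", "3.8", "3.9", "3.10"]  # tox envs per the comment (assumed)

_OPS = {">=": operator.ge, ">": operator.gt, "<=": operator.le,
        "<": operator.lt, "==": operator.eq, "!=": operator.ne}
_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*([^;#]*?)\s*(?:;\s*([^#]*?))?\s*(?:#.*)?$")
_SPEC = re.compile(r"(>=|<=|==|!=|>|<)\s*([0-9][0-9.]*)")
_MARKER = re.compile(r"^python_version\s*(>=|<=|==|!=|>|<)\s*['\"]([0-9.]+)['\"]$")


def vtuple(s):
    """'2.33.0' -> (2, 33, 0). Simple dotted versions only; no pre-release handling."""
    return tuple(int(p) for p in s.split("."))


def parse(text):
    """Yield (name, [(op, version), ...], marker_or_None) for each requirement line."""
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = _LINE.match(raw)
        if not m:
            raise ValueError(f"unparsed requirement: {raw!r}")
        name, specs, marker = m.group(1).lower(), m.group(2), m.group(3)
        yield name, _SPEC.findall(specs), (marker.strip() if marker else None)


def marker_applies(marker, python_version):
    """True if pip would install the line on that interpreter. No marker means always."""
    if marker is None:
        return True
    m = _MARKER.match(marker)
    if not m:
        raise ValueError(f"unsupported marker: {marker!r}")
    op, version = m.groups()
    return _OPS[op](vtuple(python_version), vtuple(version))


def effective_floor(text, package, python_version):
    """Lowest version of `package` this file admits on that interpreter.
    None means the file says nothing about the package there; (0,) means it is
    listed but unbounded below. '>' is counted at its version, good enough for a floor check."""
    floors = []
    for name, specs, marker in parse(text):
        if name != package or not marker_applies(marker, python_version):
            continue
        lower = [vtuple(v) for op, v in specs if op in (">=", "==", ">")]
        floors.append(max(lower) if lower else (0,))
    return max(floors) if floors else None


def audit(texts, package, security_floor, pythons):
    """Per interpreter: do the files installed together keep `package` at or above the floor?"""
    need = vtuple(security_floor)
    result = {}
    for py in pythons:
        floors = [f for f in (effective_floor(t, package, py) for t in texts) if f is not None]
        result[py] = bool(floors) and max(floors) >= need
    return result


def report():
    """Three installs: base only (the common case), base plus optional (tox full), and the fix."""
    base_only = audit([BASE_REQUIREMENTS], "requests", SECURITY_FLOOR, SUPPORTED_PYTHONS)
    full = audit([BASE_REQUIREMENTS, OPTIONAL_REQUIREMENTS], "requests", SECURITY_FLOOR, SUPPORTED_PYTHONS)
    fixed = audit([FIXED_BASE_REQUIREMENTS], "requests", SECURITY_FLOOR, SUPPORTED_PYTHONS)
    return base_only, full, fixed


if __name__ == "__main__":
    for label, res in zip(("base only", "base + optional", "fixed base"), report()):
        exposed = [py for py, ok in res.items() if not ok]
        print(f"{label:16} exposed on: {exposed or 'none'}")
```

Run as a script it shows the base-only install exposed on every interpreter, the base-plus-optional install exposed on 3.6 through 3.9 once the marker is added, and the fixed base file clean everywhere. The checker deliberately asks the narrow question "can a version below the floor be chosen?" rather than simulating pip's resolver, which is what matters for a security minimum.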
Snyk has created this PR to fix 1 vulnerability in the pip dependencies of this project.
Snyk changed the following file(s):
- python/requirements-optional.txt
Important: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
Note
Low Risk
Low risk dependency change limited to optional Python installs/test envs; potential risk is minor compatibility issues if any code relies on older requests behavior.
Overview
Adds an explicit requests>=2.33.0 entry to python/requirements-optional.txt, pinning the optional dependency to a Snyk-recommended secure version (and ensuring requests is installed when optional deps are used, e.g. tox's full env).
Written by Cursor Bugbot for commit 2e27449. This will update automatically on new commits.