Skip to content

[Snyk] Security upgrade requests from 2.31.0 to 2.33.0 #629

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
revan-zhang wants to merge 1 commit into
base: touch
Choose a base branch
from
+1 −0
Open

[Snyk] Security upgrade requests from 2.31.0 to 2.33.0 #629

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions python/requirements-optional.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,3 +3,4 @@ web3 >= 4.8
Pillow
stellar-sdk>=4.0.0,<6.0.0
rlp>=1.1.0 ; python_version<'3.7'
requests>=2.33.0 # not directly required, pinned by Snyk to avoid a vulnerability
Copy link
Copy Markdown

@devin-ai-integration devin-ai-integration bot Mar 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 Security version pin placed in optional requirements instead of main requirements where requests is a direct dependency

The Snyk security pin requests>=2.33.0 is added to requirements-optional.txt with the comment "not directly required", but requests is a direct dependency declared in python/requirements.txt:3 as requests>=2.4.0. Users who install only the base requirements (the standard case) will still resolve requests to any version >=2.4.0, potentially pulling in the vulnerable version that this pin was supposed to prevent. The fix should update the minimum version in python/requirements.txt from >=2.4.0 to >=2.33.0 instead.

Prompt for agents 
The security pin for requests should be applied in python/requirements.txt (line 3), not in python/requirements-optional.txt. In python/requirements.txt, change line 3 from `requests>=2.4.0` to `requests>=2.33.0`. Then remove line 6 (`requests>=2.33.0 # not directly required, pinned by Snyk to avoid a vulnerability`) from python/requirements-optional.txt, since `requests` is a direct (not optional) dependency.
Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

Copy link
Copy Markdown

@cursor cursor bot Mar 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security fix applied to wrong requirements file

Medium Severity

The requests version pin (>=2.33.0) is added to requirements-optional.txt, but requests is already a direct core dependency in requirements.txt at >=2.4.0. The optional file is only consumed by the full tox test environment, so the vast majority of users installing via pip install (which uses setup.py reading requirements.txt) remain exposed to the vulnerable requests versions. The version bump belongs in requirements.txt where the direct requests>=2.4.0 dependency is declared.

Fix in Cursor Fix in Web

Copy link
Copy Markdown

@cursor cursor bot Mar 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Version pin breaks Python 3.9 and earlier compatibility

Medium Severity

requests>=2.33.0 requires Python 3.10+ (it dropped Python 3.9 support), but this project declares python_requires=">=3.6" and its tox.ini runs py{36,37,38,39,310}-full environments that install requirements-optional.txt. This pin will cause dependency resolution failures for all full test environments on Python 3.6 through 3.9. The line needs a Python version environment marker (e.g., ; python_version>='3.10') to avoid breaking older supported runtimes.

Fix in Cursor Fix in Web

Loading