1 change: 1 addition & 0 deletions requirements.txt
Expand Up @@ -8,4 +8,5 @@ lxml==4.8.0
MarkupSafe==2.0.1
requests==2.27.1
urllib3==1.26.8
waitress==2.1.1


High severity vulnerability introduced by a package you're using:
Line 11 lists a dependency (waitress) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

Affected versions of waitress are vulnerable to Missing Release of Resource after Effective Lifetime. It is possible for a remote client to close the connection before waitress is done cleaning up said connection. If this happens, the main thread will continuously attempt to write to a socket that no longer exists, leading to a busy loop. An attacker could, with few resources, take up all available sockets from waitress this way.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 3.0.1 at requirements.txt.

You can view more details on this finding in the Semgrep AppSec Platform here.


Legal Risk

waitress 2.1.1 was released under the ZPL-2.1 license, a license that is currently prohibited by your organization. Merging is blocked until this is resolved.

Recommendation

Reach out to your security team or Semgrep admin to address this issue. In special cases, exceptions may be made for dependencies with violating licenses; however, the general recommendation is to avoid using a dependency under such a license.


Critical severity vulnerability may affect your project—review required:
Line 11 lists a dependency (waitress) with a known Critical severity vulnerability.

ℹ️ Why this matters

Affected versions of waitress are vulnerable to Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') / Time-of-check Time-of-use (TOCTOU) Race Condition. When request lookahead is enabled, it is possible for an attacker to send a first request that errors out, as well as a second request that is serviced by the worker thread while the connection should be closed. This finding is specific to the command line tool waitress-serve.

References: GHSA, CVE

To resolve this comment:
Check if you have set --channel-request-lookahead to any value other than 0, e.g. waitress-serve --channel-request-lookahead=4.

  • If you're affected, upgrade this dependency to at least version 3.0.1 at requirements.txt.
  • If you're not affected, comment /fp we don't use this [condition]

You can view more details on this finding in the Semgrep AppSec Platform here.

Werkzeug==2.0.1
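Review bot: the pin added at line 11 of requirements.txt, `waitress==2.1.1`, is the version both scanner findings above attach to, and both give the same fix of upgrading to at least 3.0.1, so pin `waitress==3.0.1` (or a later release) in this hunk rather than merging 2.1.1 and bumping afterwards. The Critical finding is conditional: it only applies if waitress-serve is started with `--channel-request-lookahead` set to something other than 0, so state in the PR whether that flag is used anywhere, or reply with the `/fp` comment the finding asks for if it is not. The ZPL-2.1 license block is raised against this same line and the comment does not say a version bump clears it, so it still needs the exception or replacement route described there before this can merge.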