Skip to content

[Arvion] Security remediation: Update SQLAlchemy to 2.0.43 and fix breaking changes#2

Open
arvion-bot-dev-felipe2[bot] wants to merge 1 commit into
mainfrom
arvion-fix-zaj6ihpu4ja
Open

[Arvion] Security remediation: Update SQLAlchemy to 2.0.43 and fix breaking changes#2
arvion-bot-dev-felipe2[bot] wants to merge 1 commit into
mainfrom
arvion-fix-zaj6ihpu4ja

Conversation

@arvion-bot-dev-felipe2
Copy link
Copy Markdown

@arvion-bot-dev-felipe2 arvion-bot-dev-felipe2 Bot commented Sep 14, 2025

Arvion Logo
Automated Security Remediation

📂 Files Modified

  • setup.py

    • Updated versions of all dependencies in install_requires to the target versions. The python_requires was also changed from Python 2.7 to Python 3.8+ to match the requirements of the upgraded libraries.

  • app/database.py

    • The file was updated to be compatible with SQLAlchemy 2.0. This involved updating the import for declarative_base, adding the future=True parameter to create_engine, and specifying column names explicitly in Column definitions. Consequently, the raw SQL query in get_user was updated to use the text() construct, which is required in SQLAlchemy 2.0 mode. A local variable was renamed to avoid a conflict with the imported text symbol. Additionally, Python 2-specific syntax such as the __unicode__ method, unicode type, and u"" string literals were updated to be compatible with Python 3, which is required by the upgraded dependencies.

🔄 Migrations Performed

requests 2.5.3 → 2.32.5

🔒 Vulnerabilities Fixed:

  • Medium severity [CVE-2024-47081]: Requests vulnerable to .netrc credentials leak via malicious URLs
  • Medium severity [CVE-2024-35195]: Requests Session object does not verify requests after making first request with verify=False
  • Medium severity [CVE-2023-32681]: Unintended leak of Proxy-Authorization header in requests
  • Medium severity [CVE-2015-2296]: Python Requests Session Fixation
  • High severity [CVE-2018-18074]: Insufficiently Protected Credentials in Requests

⚠️ Breaking Changes Applied:

No breaking changes were applied for this dependency.

pyyaml 3.12 → 6.0.2

🔒 Vulnerabilities Fixed:

  • Critical severity [CVE-2020-14343]: Improper Input Validation in PyYAML
  • Critical severity [CVE-2017-18342]: PyYAML insecurely deserializes YAML strings leading to arbitrary code execution

⚠️ Breaking Changes Applied:

No breaking changes were applied for this dependency.

flask 0.12.2 → 3.1.2

🔒 Vulnerabilities Fixed:

  • High severity [CVE-2018-1000656]: Flask is vulnerable to Denial of Service via incorrect encoding of JSON data
  • High severity [CVE-2019-1010083]: Pallets Project Flask is vulnerable to Denial of Service via Unexpected memory usage
  • High severity [CVE-2023-30861]: Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header

⚠️ Breaking Changes Applied:

No breaking changes were applied for this dependency.

jinja2 2.8 → 3.1.6

🔒 Vulnerabilities Fixed:

  • High severity [CVE-2019-10906]: Jinja2 sandbox escape via string formatting
  • Medium severity [CVE-2025-27516]: Jinja2 vulnerable to sandbox breakout through attr filter selecting format method
  • Medium severity [CVE-2020-28493]: Regular Expression Denial of Service (ReDoS) in Jinja2
  • Medium severity [CVE-2024-22195]: Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
  • Medium severity [CVE-2024-34064]: Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
  • High severity [CVE-2016-10745]: Jinja2 sandbox escape vulnerability
  • Medium severity [CVE-2024-56326]: Jinja has a sandbox breakout through indirect reference to format method

⚠️ Breaking Changes Applied:

No breaking changes were applied for this dependency.

sqlalchemy 1.0.0 → 2.0.43

🔒 Vulnerabilities Fixed:

  • Critical severity [CVE-2019-7548]: SQLAlchemy is vulnerable to SQL Injection via group_by parameter
  • Critical severity [CVE-2019-7164]: SQLAlchemy vulnerable to SQL Injection via order_by parameter

⚠️ Breaking Changes Applied:

Symbol: sqlalchemy.ext.declarative.declarative_base

  • The declarative_base function in sqlalchemy.ext.declarative has been updated. While the basic usage Base = declarative_base() remains syntactically similar, the internal implementation and accepted parameters have changed significantly. For SQLAlchemy 2.0 and later, it's advised to use sqlalchemy.orm.registry and generate_base() for a more modern and type-hint friendly declarative setup.

Symbol: sqlalchemy.Column

  • The constructor signature for sqlalchemy.Column has been changed to Column(name: str, type_: TypeEngine, *arg: MappedArg, **kw: MappedKwarg). Previously, the type was often the first argument, and the name could be positional or a keyword argument. Now, name and type_ are strictly the first two positional arguments.

Symbol: sqlalchemy.create_engine

  • The future parameter is now required for SQLAlchemy 2.0+.

urllib3 1.20 → 2.5.0

🔒 Vulnerabilities Fixed:

  • Medium severity [CVE-2024-37891]: urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects
  • Medium severity [CVE-2023-45803]: urllib3's request body not stripped after redirect from 303 status changes request method to GET
  • Medium severity [CVE-2018-25091]: Authorization Header forwarded on redirect
  • High severity [CVE-2019-11324]: Improper Certificate Validation in urllib3
  • Medium severity [CVE-2025-50181]: urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation
  • Medium severity [CVE-2019-11236]: Improper Neutralization of CRLF Sequences in urllib3 library for Python
  • High severity [CVE-2023-43804]: Cookie HTTP header isn't stripped on cross-origin redirects
  • Medium severity [CVE-2020-26137]: CRLF injection in urllib3
  • Critical severity [CVE-2018-20060]: Exposure of Sensitive Information to an Unauthorized Actor in urllib3
  • No severity [CVE-2021-33503]: An issue was discovered in urllib3 before 1.26.5. ...

⚠️ Breaking Changes Applied:

No breaking changes were applied for this dependency.

werkzeug 0.11 → 3.1.3

🔒 Vulnerabilities Fixed:

  • High severity [CVE-2024-34069]: Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain
  • Medium severity [CVE-2020-28724]: Open Redirect in werkzeug
  • Medium severity [CVE-2024-49766]: Werkzeug safe_join not safe on Windows
  • High severity [CVE-2019-14806]: Pallets Werkzeug Insufficient Entropy
  • Medium severity [CVE-2016-10516]: Pallets Werkzeug cross-site scripting vulnerability
  • Medium severity [CVE-2023-46136]: Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning
  • High severity [CVE-2019-14322]: Pallets Werkzeug vulnerable to Path Traversal
  • Low severity [CVE-2023-23934]: Incorrect parsing of nameless cookies leads to __Host- cookies bypass
  • Medium severity [CVE-2024-49767]: Werkzeug possible resource exhaustion when parsing file data in forms
  • High severity [CVE-2023-25577]: High resource usage when parsing multipart form data with many fields
  • No severity [CVE-2022-29361]: ** DISPUTED ** Improper parsing of HTTP requests i...

⚠️ Breaking Changes Applied:

No breaking changes were applied for this dependency.

🛠️ Additional Notes

  • Testing: Please ensure thorough testing after merging this PR to verify that all upgrades are compatible with your codebase.
  • Documentation: For detailed vulnerability reports and release notes, refer to the security advisories.
  • Support: For any questions or concerns, contact the Arvion Security Team at hello@arvion.ai.

📢 This PR was generated by Arvion's automated remediation system to enhance your repository's security while maintaining stability. 🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants