[Snyk] Security upgrade idna from 3.10 to 3.15#38
The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-IDNA-16769942
Code Review
This pull request updates requirements.txt to pin idna and urllib3 to specific versions to address vulnerabilities. However, the specified versions do not exist on the public PyPI registry, which will cause installation failures; the reviewer suggested using the correct stable versions instead.
| urllib3>=2.6.3 # not directly required, pinned by Snyk to avoid a vulnerability | ||
| idna>=3.15 # not directly required, pinned by Snyk to avoid a vulnerability No newline at end of file |
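Review bot: the hunk introduces a urllib3 lower bound that neither the PR title (which names only idna) nor the description (which says one vulnerability is fixed) accounts for; either state in the PR body which advisory the urllib3 bound addresses or split it out, so a reviewer can tie each bound to an advisory. Two smaller points on the same two lines: `>=` sets a floor rather than a pin, so the trailing comment's "pinned" overstates what the specifier does, and the file is left without a trailing newline, as the `No newline at end of file` marker shows.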
The versions specified for idna (3.15) and urllib3 (2.6.3) do not appear to exist on the public PyPI registry. The latest stable versions are 3.10 and 2.2.2 respectively. Specifying non-existent versions will cause pip install to fail, which is likely the cause of the warnings mentioned in the pull request description regarding these packages not being installed.
I have suggested the correct stable versions and included a trailing newline for the file.
urllib3>=2.2.2 # not directly required, pinned by Snyk to avoid a vulnerability
idna>=3.10 # not directly required, pinned by Snyk to avoid a vulnerability
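A check a maintainer can run before merging a dependency-bound PR, added here as an example that is neither Snyk's code nor the project's: it parses requirements.txt lines (comments stripped), evaluates each version specifier against a list of known versions, and reports the requirements that no known version satisfies, which is the condition under which `pip install` fails at resolution. The `INDEX` dictionary is a constructed stand-in for a package-index lookup so the check runs offline; its version lists are illustrative and not a statement of what PyPI offers. `PR_LINES` and `SUGGESTED_LINES` reproduce the two diff lines and the reviewer's suggested replacements.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a package-index lookup so the check runs offline.
# These version lists are illustrative only; a real check would fetch the
# "releases" of https://pypi.org/pypi/<name>/json instead.
INDEX: Dict[str, List[str]] = {
    "idna": ["3.7", "3.8", "3.9", "3.10"],
    "urllib3": ["2.2.0", "2.2.1", "2.2.2"],
}

_SPEC_RE = re.compile(r"(==|>=|<=|!=|>|<)\s*([0-9]+(?:\.[0-9]+)*)")
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, '-', '_' and '.' equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(v: str) -> Tuple[int, ...]:
    """Numeric release key so that 3.10 sorts after 3.9 and 3.10.0 equals 3.10."""
    parts = [int(p) for p in v.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_requirement(line: str) -> Optional[Tuple[str, List[Tuple[str, str]]]]:
    """Return (normalised name, [(op, version), ...]), or None for blank/comment lines.

    Only plain comparison operators on numeric versions are handled; anything
    else (extras, markers, '~=', URLs) raises so it is not silently skipped.
    """
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    m = _NAME_RE.match(body)
    if not m:
        raise ValueError(f"unparseable requirement: {line!r}")
    name, rest = m.group(1), m.group(2).strip()
    specs: List[Tuple[str, str]] = []
    for clause in filter(None, (c.strip() for c in rest.split(","))):
        sm = _SPEC_RE.fullmatch(clause)
        if not sm:
            raise ValueError(f"unsupported specifier {clause!r} in {line!r}")
        specs.append((sm.group(1), sm.group(2)))
    return normalize(name), specs


def _holds(op: str, have: str, want: str) -> bool:
    a, b = version_key(have), version_key(want)
    return {"==": a == b, "!=": a != b, ">=": a >= b,
            "<=": a <= b, ">": a > b, "<": a < b}[op]


def matching_versions(name: str, specs: List[Tuple[str, str]],
                      index: Dict[str, List[str]]) -> List[str]:
    """Versions of `name` in `index` that satisfy every clause of the specifier."""
    return [v for v in index.get(normalize(name), [])
            if all(_holds(op, v, want) for op, want in specs)]


def check_requirements(text: str, index: Dict[str, List[str]] = INDEX) -> List[str]:
    """Names of requirements that no known version satisfies (pip would fail on these)."""
    unsatisfiable: List[str] = []
    for line in text.splitlines():
        parsed = parse_requirement(line)
        if parsed is None:
            continue
        name, specs = parsed
        if not matching_versions(name, specs, index):
            unsatisfiable.append(name)
    return unsatisfiable


# The two lines from the PR diff, and the reviewer's suggested replacements.
PR_LINES = (
    "urllib3>=2.6.3 # not directly required, pinned by Snyk to avoid a vulnerability\n"
    "idna>=3.15 # not directly required, pinned by Snyk to avoid a vulnerability\n"
)
SUGGESTED_LINES = (
    "urllib3>=2.2.2 # not directly required, pinned by Snyk to avoid a vulnerability\n"
    "idna>=3.10 # not directly required, pinned by Snyk to avoid a vulnerability\n"
)

if __name__ == "__main__":
    print("PR lines with no matching version:", check_requirements(PR_LINES))
    print("Suggested lines with no matching version:", check_requirements(SUGGESTED_LINES))
```

The comparison is done on integer tuples rather than strings because a string comparison would rank "3.10" below "3.9" and wrongly report the reviewer's `idna>=3.10` as unsatisfiable; unsupported specifier syntax raises instead of being skipped so a line the check cannot evaluate is never reported as fine.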
Snyk has created this PR to fix 1 vulnerability in the pip dependencies of this project.
Snyk changed the following file(s):
requirements.txt
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)