[Snyk] Security upgrade requests from 2.25.1 to 2.33.0 #20
revan-zhang wants to merge 1 commit into master from
Conversation
The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-REQUESTS-15763443
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| pytz==2021.1 | ||
| recommonmark==0.6.0 | ||
| requests==2.25.1 | ||
| requests==2.33.0 |
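Review bot: bumping the requests pin to 2.33.0 on its own will not resolve, because the same file keeps certifi==2020.12.5 pinned (line 4, per the comments below) while requests 2.33.0 requires certifi>=2023.5.7, and there is no charset_normalizer pin at all, so the docs build fails at pip resolution rather than at import time. Move the certifi pin to a version >=2023.5.7 and add a charset_normalizer pin in the same commit, or regenerate the whole file so every transitive pin matches the new requests release instead of hand-editing one line.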
Incompatible pinned certifi version breaks dependency resolution
High Severity
Upgrading requests to 2.33.0 introduces a dependency conflict. requests==2.33.0 requires certifi>=2023.5.7, but certifi==2020.12.5 is pinned on line 4 of this same file. This will cause pip dependency resolution to fail, breaking the docs build. The charset_normalizer package (required >=2,<4 by requests 2.33.0) is also missing entirely from the pinned dependencies.
| pytz==2021.1 | ||
| recommonmark==0.6.0 | ||
| requests==2.25.1 | ||
| requests==2.33.0 |
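Review bot: chardet==4.0.0 stays pinned on line 5 while this hunk moves requests past 2.26.0, the release where chardet stopped being a required dependency and charset_normalizer took its place, so the file now pins a library requests no longer needs and omits the one it does. Either drop the chardet pin or keep it deliberately with a comment naming what else in the docs build imports it, and in both cases add the charset_normalizer pin alongside this requests line.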
🔴 Dependency conflict: requests 2.33.0 requires certifi>=2023.5.7 but certifi is pinned to 2020.12.5
Upgrading requests from 2.25.1 to 2.33.0 without also upgrading certifi creates an unresolvable dependency conflict. requests==2.33.0 requires certifi>=2023.5.7, but docs/requirements.txt:4 pins certifi==2020.12.5. Running pip install -r docs/requirements.txt will fail with ResolutionImpossible, breaking the documentation build.
Prompt for agents
In docs/requirements.txt, the requests upgrade to 2.33.0 requires updating other pinned dependencies to be compatible:
1. At line 4, update certifi from 2020.12.5 to at least 2023.5.7 (e.g. certifi==2025.1.31 or another recent version). requests 2.33.0 requires certifi>=2023.5.7.
2. Consider adding charset_normalizer (e.g. charset_normalizer==3.4.0) since requests 2.33.0 depends on it (it replaced chardet as the default character detection library starting with requests 2.26.0).
3. The chardet==4.0.0 pin at line 5 is no longer a required dependency of requests (it is only used with the optional use-chardet-on-py3 extra). Consider removing it or keeping it if other packages need it.
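The resolution failure both Bugbot comments describe is cheap to catch before a bump PR is opened: parse the pinned file and check the bumped package's declared constraints against the other pins in the same file. The script below is an added example written for this page, not code from Snyk, Cursor Bugbot or this repository. The requirements text is a constructed stand-in for docs/requirements.txt that uses only the package names visible in the thread (real line numbers differ), and the requests 2.33.0 constraints are hard-coded from the review comments as an assumption rather than read from wheel metadata. On the bumped file it reports the certifi conflict and the missing charset_normalizer pin; on the file with the pins the comments suggest it reports nothing.

```python
import re
from typing import Dict, List, Tuple

# Constructed stand-in for docs/requirements.txt after the Snyk bump; only
# package names visible in the review thread, so line numbers differ.
BUMPED_REQUIREMENTS = """\
certifi==2020.12.5
chardet==4.0.0
pytz==2021.1
recommonmark==0.6.0
requests==2.33.0
"""

# Constructed: the same file with the pins the Bugbot comment suggests.
FIXED_REQUIREMENTS = """\
certifi==2025.1.31
charset_normalizer==3.4.0
pytz==2021.1
recommonmark==0.6.0
requests==2.33.0
"""

# Assumed Requires-Dist metadata for the bumped package, copied from the
# review comment above; a real tool reads it from the wheel's METADATA.
REQUIRES_DIST = {
    "requests==2.33.0": ["certifi>=2023.5.7", "charset_normalizer>=2,<4"],
}

_CLAUSE = re.compile(r"^(==|!=|>=|<=|>|<)\s*([0-9][0-9A-Za-z.]*)$")
_SPEC = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")


def canon(name: str) -> str:
    """Normalise a distribution name so charset-normalizer == charset_normalizer."""
    return name.strip().lower().replace("-", "_")


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for release-style versions such as 2023.5.7 or 3.4.0.
    Only the leading digits of each segment count: enough for pins in a
    requirements file, deliberately not a full PEP 440 implementation."""
    key = []
    for part in version.split("."):
        digits = re.match(r"\d+", part)
        key.append(int(digits.group()) if digits else 0)
    return tuple(key)


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1; zero-pads so that 2 compares equal to 2.0.0."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += (0,) * (n - len(ka))
    kb += (0,) * (n - len(kb))
    return (ka > kb) - (ka < kb)


def parse_spec(spec: str) -> Tuple[str, List[Tuple[str, str]]]:
    """'charset_normalizer>=2,<4' -> ('charset_normalizer', [('>=', '2'), ('<', '4')])."""
    m = _SPEC.match(spec.strip())
    if not m:
        raise ValueError(f"unparseable requirement: {spec!r}")
    clauses = []
    for clause in m.group(2).split(","):
        clause = clause.strip()
        if not clause:
            continue
        cm = _CLAUSE.match(clause)
        if not cm:
            raise ValueError(f"unsupported clause {clause!r} in {spec!r}")
        clauses.append((cm.group(1), cm.group(2)))
    return canon(m.group(1)), clauses


def satisfies(pinned: str, clauses: List[Tuple[str, str]]) -> bool:
    """True when the pinned version meets every clause of the specifier."""
    allowed = {"==": (0,), "!=": (-1, 1), ">=": (0, 1), "<=": (-1, 0), ">": (1,), "<": (-1,)}
    return all(compare(pinned, ver) in allowed[op] for op, ver in clauses)


def parse_pins(text: str) -> Dict[str, str]:
    """name -> version for every 'pkg==ver' line; comments and other forms are skipped."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "==" in line:
            name, ver = line.split("==", 1)
            pins[canon(name)] = ver.strip()
    return pins


def find_conflicts(requirements_text: str, requires_dist: Dict[str, List[str]]):
    """Report (requirer, dependency, pinned-or-'missing', spec) for every pin
    the requirer's metadata rules out, and for every dependency not pinned at all."""
    pins = parse_pins(requirements_text)
    problems = []
    for requirer, specs in requires_dist.items():
        rname, rver = requirer.split("==", 1)
        if pins.get(canon(rname)) != rver:
            continue  # metadata is for a version that is not in this file
        for spec in specs:
            dep, clauses = parse_spec(spec)
            pinned = pins.get(dep)
            if pinned is None:
                problems.append((requirer, dep, "missing", spec))
            elif not satisfies(pinned, clauses):
                problems.append((requirer, dep, pinned, spec))
    return problems


if __name__ == "__main__":
    for label, text in (("bumped", BUMPED_REQUIREMENTS), ("fixed", FIXED_REQUIREMENTS)):
        print(label, find_conflicts(text, REQUIRES_DIST) or "no conflicts")
```

This only models the `==` pins and release-style versions that a generated requirements file contains; for the authoritative answer, run `pip install --dry-run -r docs/requirements.txt` in a clean virtual environment, which exercises pip's real resolver and fails with the same ResolutionImpossible the comments predict.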


Snyk has created this PR to fix 1 vulnerability in the pip dependencies of this project.
Snyk changed the following file(s):
docs/requirements.txt
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Note
Low Risk
Low risk dependency bump limited to the docs build requirements; potential impact is confined to documentation tooling compatibility.
Overview
Updates the documentation build dependency requests in docs/requirements.txt from 2.25.1 to 2.33.0 to address a reported vulnerability.
Written by Cursor Bugbot for commit be5c6f9.