Skip to content

[Snyk] Fix for 6 vulnerabilities #36

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ashmuck wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[Snyk] Fix for 6 vulnerabilities #36

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ nbclient==0.7.2
nbconvert==7.2.9
nbformat==5.7.3
nest-asyncio==1.5.6
nltk==3.8.1
nltk==3.9.4
notebook==6.5.2
notebook_shim==0.2.2
numpy==1.24.2
Expand Down Expand Up @@ -87,7 +87,7 @@ PyYAML==6.0
pyzmq==25.0.0
rapidfuzz==2.13.7
regex==2022.10.31
requests==2.22.0
requests==2.33.0
Copy link
Copy Markdown

@cursor cursor bot Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pinned urllib3 version incompatible with upgraded requests

High Severity

Upgrading requests to 2.33.0 without updating urllib3 breaks dependency resolution. requests==2.33.0 requires urllib3>=1.26,<3, but urllib3==1.25.11 is still pinned in the file. This will cause pip installation to fail or produce an inconsistent environment.

Additional Locations (1)
Fix in Cursor Fix in Web

Copy link
Copy Markdown

@cursor cursor bot Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pinned certifi version incompatible with upgraded requests

High Severity

requests==2.33.0 requires certifi>=2023.5.7, but certifi==2022.12.7 is pinned in the file. This dependency conflict will prevent successful installation or create an environment that violates requests' stated requirements.

Additional Locations (1)
Fix in Cursor Fix in Web

Copy link
Copy Markdown

@cursor cursor bot Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

indico-client exact pin on requests==2.22.0 now broken

High Severity

indico-client==5.1.4 has an exact pin requiring requests==2.22.0. The previous requirements.txt satisfied this by pinning requests==2.22.0, but this change upgrades it to 2.33.0, breaking compatibility with indico-client — a package actively used in the project (e.g., apply_labels.py). This will cause installation failures or runtime issues.

Additional Locations (1)
Fix in Cursor Fix in Web

rfc3339-validator==0.1.4
rfc3986-validator==0.1.1
scikit-learn==1.2.1
Expand Down
Loading