[Snyk] Security upgrade zipp from 3.15.0 to 3.19.1#25
Conversation
…bilities The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-ZIPP-7430899
|
Important Review skippedIgnore keyword(s) in the title. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request adds the zipp dependency to requirements.txt to address a vulnerability. The reviewer recommends pinning zipp to an exact version (==3.19.1) rather than using >= to ensure build reproducibility and prevent unexpected breaking changes.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| requests==2.34.2; python_version >= '3.10' | ||
| markupsafe==2.0.1 | ||
| Werkzeug==3.1.8; python_version >= '3.9' | ||
| zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability |
There was a problem hiding this comment.
For application deployments, it is highly recommended to pin all dependencies to exact versions to ensure build reproducibility and prevent unexpected updates from introducing breaking changes. Please pin zipp to ==3.19.1 instead of >=3.19.1.
zipp==3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
1 issue found across 1 file
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="appengine/flexible/websockets/requirements.txt">
<violation number="1" location="appengine/flexible/websockets/requirements.txt:7">
P2: Using `>=` for `zipp` makes dependency resolution non-reproducible in a file that otherwise pins exact versions; future installs can pull different versions and cause unexpected behavior changes.</violation>
</file>
Reply with feedback, questions, or to request a fix.
Re-trigger cubic
| requests==2.34.2; python_version >= '3.10' | ||
| markupsafe==2.0.1 | ||
| Werkzeug==3.1.8; python_version >= '3.9' | ||
| zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability |
There was a problem hiding this comment.
P2: Using >= for zipp makes dependency resolution non-reproducible in a file that otherwise pins exact versions; future installs can pull different versions and cause unexpected behavior changes.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At appengine/flexible/websockets/requirements.txt, line 7:
<comment>Using `>=` for `zipp` makes dependency resolution non-reproducible in a file that otherwise pins exact versions; future installs can pull different versions and cause unexpected behavior changes.</comment>
<file context>
@@ -4,3 +4,4 @@ gunicorn==23.0.0
requests==2.34.2; python_version >= '3.10'
markupsafe==2.0.1
Werkzeug==3.1.8; python_version >= '3.9'
+zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability
</file context>
| zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability | |
| zipp==3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability |
2 participants
Snyk has created this PR to fix 1 vulnerabilities in the pip dependencies of this project.
Snyk changed the following file(s):
appengine/flexible/websockets/requirements.txtImportant
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.
Summary by cubic
Pins
zippto >=3.19.1 to fix a security vulnerability and reduce risk in the App Engine websockets sample. Onlyappengine/flexible/websockets/requirements.txtwas changed.Dependencies
zipp>=3.19.1to addressSNYK-PYTHON-ZIPP-7430899.Migration
MarkupSafe==2.0.1may conflict withWerkzeugrequirements. Consider upgrading toMarkupSafe>=2.1.1.Written for commit 535e54e. Summary will update on new commits.