[Snyk] Security upgrade urllib3 from 2.0.7 to 2.2.2#26
Conversation
…reduce vulnerabilities The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-URLLIB3-7267250
|
Important Review skippedIgnore keyword(s) in the title. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request adds urllib3>=2.2.2 to the requirements file to address a security vulnerability. The reviewer recommends pinning urllib3 to an exact version (==2.2.2) instead of using >= to ensure reproducible builds and maintain consistency with the other pinned dependencies in the file.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| requests-futures==1.0.2 | ||
| requests-toolbelt==1.0.0 | ||
| Werkzeug==3.1.8; python_version >= '3.9' | ||
| urllib3>=2.2.2 # not directly required, pinned by Snyk to avoid a vulnerability |
There was a problem hiding this comment.
For application deployments, it is best practice to pin dependencies to exact versions to ensure reproducible and deterministic builds. Since all other dependencies in this file are pinned using ==, urllib3 should also be pinned to an exact version rather than using >=.
urllib3==2.2.2 # not directly required, pinned by Snyk to avoid a vulnerability
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
2 issues found across 1 file
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="appengine/standard/migration/urlfetch/async/requirements.txt">
<violation number="1" location="appengine/standard/migration/urlfetch/async/requirements.txt:6">
P2: Use `==` instead of `>=` for version pinning to match the convention of all other dependencies in this file and ensure reproducible builds.</violation>
<violation number="2" location="appengine/standard/migration/urlfetch/async/requirements.txt:6">
P2: `urllib3>=2.2.2` is added without a Python version marker, but urllib3 2.2.2 requires Python >=3.8; this can break installs for the Python 3.7 runtime documented for this sample.</violation>
</file>
Reply with feedback, questions, or to request a fix.
Re-trigger cubic
| requests-futures==1.0.2 | ||
| requests-toolbelt==1.0.0 | ||
| Werkzeug==3.1.8; python_version >= '3.9' | ||
| urllib3>=2.2.2 # not directly required, pinned by Snyk to avoid a vulnerability |
There was a problem hiding this comment.
P2: Use == instead of >= for version pinning to match the convention of all other dependencies in this file and ensure reproducible builds.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At appengine/standard/migration/urlfetch/async/requirements.txt, line 6:
<comment>Use `==` instead of `>=` for version pinning to match the convention of all other dependencies in this file and ensure reproducible builds.</comment>
<file context>
@@ -3,3 +3,4 @@ requests==2.34.2; python_version >= '3.10'
requests-futures==1.0.2
requests-toolbelt==1.0.0
Werkzeug==3.1.8; python_version >= '3.9'
+urllib3>=2.2.2 # not directly required, pinned by Snyk to avoid a vulnerability
</file context>
| urllib3>=2.2.2 # not directly required, pinned by Snyk to avoid a vulnerability | |
| urllib3==2.2.2 # not directly required, pinned by Snyk to avoid a vulnerability |
| requests-futures==1.0.2 | ||
| requests-toolbelt==1.0.0 | ||
| Werkzeug==3.1.8; python_version >= '3.9' | ||
| urllib3>=2.2.2 # not directly required, pinned by Snyk to avoid a vulnerability |
There was a problem hiding this comment.
P2: urllib3>=2.2.2 is added without a Python version marker, but urllib3 2.2.2 requires Python >=3.8; this can break installs for the Python 3.7 runtime documented for this sample.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At appengine/standard/migration/urlfetch/async/requirements.txt, line 6:
<comment>`urllib3>=2.2.2` is added without a Python version marker, but urllib3 2.2.2 requires Python >=3.8; this can break installs for the Python 3.7 runtime documented for this sample.</comment>
<file context>
@@ -3,3 +3,4 @@ requests==2.34.2; python_version >= '3.10'
requests-futures==1.0.2
requests-toolbelt==1.0.0
Werkzeug==3.1.8; python_version >= '3.9'
+urllib3>=2.2.2 # not directly required, pinned by Snyk to avoid a vulnerability
</file context>
| urllib3>=2.2.2 # not directly required, pinned by Snyk to avoid a vulnerability | |
| urllib3>=2.2.2; python_version >= '3.8' # not directly required, pinned by Snyk to avoid a vulnerability |
2 participants
Snyk has created this PR to fix 1 vulnerabilities in the pip dependencies of this project.
Snyk changed the following file(s):
appengine/standard/migration/urlfetch/async/requirements.txtImportant
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.
Summary by cubic
Pin
urllib3to >=2.2.2 to fix a known vulnerability (SNYK-PYTHON-URLLIB3-7267250) and prevent pulling a vulnerable version viarequests. Change is limited toappengine/standard/migration/urlfetch/async/requirements.txt; no runtime behavior changes.Written for commit 60315a6. Summary will update on new commits.