2 changes: 2 additions & 0 deletions composer/airflow_1_samples/requirements.txt
Expand Up @@ -5,3 +5,5 @@ apache-airflow-backport-providers-google==2021.3.3
apache-airflow-backport-providers-cncf-kubernetes==2021.3.3
kubernetes==11.0.0
scipy==1.4.1; python_version > '3.0'
idna>=3.7 # not directly required, pinned by Snyk to avoid a vulnerability

high

Pinning idna>=3.7 introduces a dependency conflict with requests 2.23.0 (used by Apache Airflow 1.10.15), which requires idna<3,>=2.5. This will prevent successful installation of the requirements.

P1: New dependency minimums conflict with the sample’s pinned constraints, which can break dependency resolution for Airflow 1 installs.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At composer/airflow_1_samples/requirements.txt, line 8:

<comment>New dependency minimums conflict with the sample’s pinned constraints, which can break dependency resolution for Airflow 1 installs.</comment>

<file context>
@@ -5,3 +5,5 @@ apache-airflow-backport-providers-google==2021.3.3
 apache-airflow-backport-providers-cncf-kubernetes==2021.3.3
 kubernetes==11.0.0
 scipy==1.4.1; python_version > '3.0'
+idna>=3.7 # not directly required, pinned by Snyk to avoid a vulnerability
+marshmallow>=3.26.2 # not directly required, pinned by Snyk to avoid a vulnerability
</file context>

P1: Pinning idna>=3.7 creates an unresolvable dependency conflict. Apache Airflow 1.10.15 depends on requests in the range <2.24.0,>=2.20.0, and all versions of requests in that range (including 2.23.0) require idna<3,>=2.5. Since idna>=3.7 violates the <3 upper bound, pip install will fail with a dependency resolution error.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At composer/airflow_1_samples/requirements.txt, line 8:

<comment>Pinning `idna>=3.7` creates an unresolvable dependency conflict. Apache Airflow 1.10.15 depends on `requests` in the range `<2.24.0,>=2.20.0`, and all versions of `requests` in that range (including 2.23.0) require `idna<3,>=2.5`. Since `idna>=3.7` violates the `<3` upper bound, `pip install` will fail with a dependency resolution error.</comment>

<file context>
@@ -5,3 +5,5 @@ apache-airflow-backport-providers-google==2021.3.3
 apache-airflow-backport-providers-cncf-kubernetes==2021.3.3
 kubernetes==11.0.0
 scipy==1.4.1; python_version > '3.0'
+idna>=3.7 # not directly required, pinned by Snyk to avoid a vulnerability
+marshmallow>=3.26.2 # not directly required, pinned by Snyk to avoid a vulnerability
</file context>
Suggested change
idna>=3.7 # not directly required, pinned by Snyk to avoid a vulnerability
idna>=2.5,<3 # not directly required, pinned by Snyk to avoid a vulnerability

marshmallow>=3.26.2 # not directly required, pinned by Snyk to avoid a vulnerability
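
Review bot: Both added lines use an open-ended `>=` lower bound although their trailing comments say "pinned", while the unchanged lines in this hunk (`kubernetes==11.0.0`, `scipy==1.4.1`) use exact `==` versions. If these entries stay, give them exact versions so installs of this sample are reproducible, and name the advisory each one addresses in the trailing comment so a later reader can tell when the line can be dropped. Because both packages are marked "not directly required", confirm before merging that the packages which do require them accept the new range and that the file still resolves as a whole.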

high

Pinning marshmallow>=3.26.2 introduces a dependency conflict with Flask-AppBuilder 2.3.4 (used by Apache Airflow 1.10.15), which requires marshmallow<3.0.0,>=2.18.0. This will cause installation failures.

P0: marshmallow>=3.26.2 conflicts with Flask-AppBuilder 2.3.4 (bundled with apache-airflow[gcp]==1.10.15), which requires marshmallow<3.0.0,>=2.18.0. This will cause pip dependency resolution to fail, and even if forced, Airflow 1.10.15's web UI (built on Flask-AppBuilder) will break due to marshmallow 3.x's breaking API changes (removed strict mode, changed load/dump return types, etc.). The Snyk-required marshmallow fix is incompatible with this Airflow version.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At composer/airflow_1_samples/requirements.txt, line 9:

<comment>marshmallow>=3.26.2 conflicts with Flask-AppBuilder 2.3.4 (bundled with apache-airflow[gcp]==1.10.15), which requires marshmallow<3.0.0,>=2.18.0. This will cause pip dependency resolution to fail, and even if forced, Airflow 1.10.15's web UI (built on Flask-AppBuilder) will break due to marshmallow 3.x's breaking API changes (removed strict mode, changed load/dump return types, etc.). The Snyk-required marshmallow fix is incompatible with this Airflow version.</comment>

<file context>
@@ -5,3 +5,5 @@ apache-airflow-backport-providers-google==2021.3.3
 kubernetes==11.0.0
 scipy==1.4.1; python_version > '3.0'
+idna>=3.7 # not directly required, pinned by Snyk to avoid a vulnerability
+marshmallow>=3.26.2 # not directly required, pinned by Snyk to avoid a vulnerability
</file context>
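
The conflict the review comments describe can be checked mechanically before a scanner-generated bump is merged. The following is an added example, not code from this PR or the repository: the parent ranges are copied from the comments above without being verified here, the candidate version lists are constructed, and the version parser handles plain dotted numbers only rather than full PEP 440.

```python
import re

# Ranges exactly as stated in the review comments on this page (not verified here).
PARENT_CONSTRAINTS = {
    "idna": [("requests 2.23.0", "<3,>=2.5")],
    "marshmallow": [("Flask-AppBuilder 2.3.4", "<3.0.0,>=2.18.0")],
}
# The two requirement lines added by the PR.
PROPOSED = {"idna": ">=3.7", "marshmallow": ">=3.26.2"}
# Constructed sample candidates standing in for what a package index would offer.
CANDIDATES = {
    "idna": ["2.5", "2.10", "3.0", "3.7"],
    "marshmallow": ["2.18.0", "2.21.0", "3.0.0", "3.26.2"],
}

OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}

def parse_version(text):
    """Dotted numeric release only (a simplification), padded to three parts."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def parse_spec(spec):
    """'<3,>=2.5' -> [('<', (3, 0, 0)), ('>=', (2, 5, 0))]"""
    clauses = []
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|!=|>|<)\s*([0-9.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        clauses.append((m.group(1), parse_version(m.group(2))))
    return clauses

def allows(spec, version):
    """True when the version satisfies every clause of the specifier."""
    v = parse_version(version)
    return all(OPS[op](v, bound) for op, bound in parse_spec(spec))

def find_conflicts(proposed, parents, candidates):
    """Map package -> parents whose range shares no candidate with the proposed range."""
    conflicts = {}
    for pkg, wanted in proposed.items():
        for parent, rng in parents.get(pkg, []):
            if not any(allows(wanted, c) and allows(rng, c) for c in candidates[pkg]):
                conflicts.setdefault(pkg, []).append(parent)
    return conflicts
```

Calling `find_conflicts(PROPOSED, PARENT_CONSTRAINTS, CANDIDATES)` names the parent package behind each unsatisfiable line, which is the information a reviewer needs to decide between upgrading the parent and declining the bump.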