[Snyk] Fix for 2 vulnerabilities#31
Conversation
…ities The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-IDNA-6597975 - https://snyk.io/vuln/SNYK-PYTHON-MARSHMALLOW-14550833
|
Important Review skippedIgnore keyword(s) in the title. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request adds pinned versions for idna and marshmallow in composer/airflow_1_samples/requirements.txt to address vulnerabilities identified by Snyk. However, both additions introduce dependency conflicts with Apache Airflow 1.10.15's dependencies: idna>=3.7 conflicts with requests 2.23.0 (which requires idna<3,>=2.5), and marshmallow>=3.26.2 conflicts with Flask-AppBuilder 2.3.4 (which requires marshmallow<3.0.0,>=2.18.0). These conflicts will cause installation failures and need to be resolved.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| apache-airflow-backport-providers-cncf-kubernetes==2021.3.3 | ||
| kubernetes==11.0.0 | ||
| scipy==1.4.1; python_version > '3.0' | ||
| idna>=3.7 # not directly required, pinned by Snyk to avoid a vulnerability |
There was a problem hiding this comment.
Pinning idna>=3.7 introduces a dependency conflict with requests 2.23.0 (used by Apache Airflow 1.10.15), which requires idna<3,>=2.5. This will prevent successful installation of the requirements.
| kubernetes==11.0.0 | ||
| scipy==1.4.1; python_version > '3.0' | ||
| idna>=3.7 # not directly required, pinned by Snyk to avoid a vulnerability | ||
| marshmallow>=3.26.2 # not directly required, pinned by Snyk to avoid a vulnerability |
There was a problem hiding this comment.
Pinning marshmallow>=3.26.2 introduces a dependency conflict with Flask-AppBuilder 2.3.4 (used by Apache Airflow 1.10.15), which requires marshmallow<3.0.0,>=2.18.0. This will cause installation failures.
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
3 issues found across 1 file
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="composer/airflow_1_samples/requirements.txt">
<violation number="1" location="composer/airflow_1_samples/requirements.txt:8">
P1: New dependency minimums conflict with the sample’s pinned constraints, which can break dependency resolution for Airflow 1 installs.</violation>
<violation number="2" location="composer/airflow_1_samples/requirements.txt:8">
P1: Pinning `idna>=3.7` creates an unresolvable dependency conflict. Apache Airflow 1.10.15 depends on `requests` in the range `<2.24.0,>=2.20.0`, and all versions of `requests` in that range (including 2.23.0) require `idna<3,>=2.5`. Since `idna>=3.7` violates the `<3` upper bound, `pip install` will fail with a dependency resolution error.</violation>
<violation number="3" location="composer/airflow_1_samples/requirements.txt:9">
P0: marshmallow>=3.26.2 conflicts with Flask-AppBuilder 2.3.4 (bundled with apache-airflow[gcp]==1.10.15), which requires marshmallow<3.0.0,>=2.18.0. This will cause pip dependency resolution to fail, and even if forced, Airflow 1.10.15's web UI (built on Flask-AppBuilder) will break due to marshmallow 3.x's breaking API changes (removed strict mode, changed load/dump return types, etc.). The Snyk-required marshmallow fix is incompatible with this Airflow version.</violation>
</file>
Reply with feedback, questions, or to request a fix.
Re-trigger cubic
| kubernetes==11.0.0 | ||
| scipy==1.4.1; python_version > '3.0' | ||
| idna>=3.7 # not directly required, pinned by Snyk to avoid a vulnerability | ||
| marshmallow>=3.26.2 # not directly required, pinned by Snyk to avoid a vulnerability |
There was a problem hiding this comment.
P0: marshmallow>=3.26.2 conflicts with Flask-AppBuilder 2.3.4 (bundled with apache-airflow[gcp]==1.10.15), which requires marshmallow<3.0.0,>=2.18.0. This will cause pip dependency resolution to fail, and even if forced, Airflow 1.10.15's web UI (built on Flask-AppBuilder) will break due to marshmallow 3.x's breaking API changes (removed strict mode, changed load/dump return types, etc.). The Snyk-required marshmallow fix is incompatible with this Airflow version.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At composer/airflow_1_samples/requirements.txt, line 9:
<comment>marshmallow>=3.26.2 conflicts with Flask-AppBuilder 2.3.4 (bundled with apache-airflow[gcp]==1.10.15), which requires marshmallow<3.0.0,>=2.18.0. This will cause pip dependency resolution to fail, and even if forced, Airflow 1.10.15's web UI (built on Flask-AppBuilder) will break due to marshmallow 3.x's breaking API changes (removed strict mode, changed load/dump return types, etc.). The Snyk-required marshmallow fix is incompatible with this Airflow version.</comment>
<file context>
@@ -5,3 +5,5 @@ apache-airflow-backport-providers-google==2021.3.3
kubernetes==11.0.0
scipy==1.4.1; python_version > '3.0'
+idna>=3.7 # not directly required, pinned by Snyk to avoid a vulnerability
+marshmallow>=3.26.2 # not directly required, pinned by Snyk to avoid a vulnerability
</file context>
| apache-airflow-backport-providers-cncf-kubernetes==2021.3.3 | ||
| kubernetes==11.0.0 | ||
| scipy==1.4.1; python_version > '3.0' | ||
| idna>=3.7 # not directly required, pinned by Snyk to avoid a vulnerability |
There was a problem hiding this comment.
P1: New dependency minimums conflict with the sample’s pinned constraints, which can break dependency resolution for Airflow 1 installs.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At composer/airflow_1_samples/requirements.txt, line 8:
<comment>New dependency minimums conflict with the sample’s pinned constraints, which can break dependency resolution for Airflow 1 installs.</comment>
<file context>
@@ -5,3 +5,5 @@ apache-airflow-backport-providers-google==2021.3.3
apache-airflow-backport-providers-cncf-kubernetes==2021.3.3
kubernetes==11.0.0
scipy==1.4.1; python_version > '3.0'
+idna>=3.7 # not directly required, pinned by Snyk to avoid a vulnerability
+marshmallow>=3.26.2 # not directly required, pinned by Snyk to avoid a vulnerability
</file context>
| apache-airflow-backport-providers-cncf-kubernetes==2021.3.3 | ||
| kubernetes==11.0.0 | ||
| scipy==1.4.1; python_version > '3.0' | ||
| idna>=3.7 # not directly required, pinned by Snyk to avoid a vulnerability |
There was a problem hiding this comment.
P1: Pinning idna>=3.7 creates an unresolvable dependency conflict. Apache Airflow 1.10.15 depends on requests in the range <2.24.0,>=2.20.0, and all versions of requests in that range (including 2.23.0) require idna<3,>=2.5. Since idna>=3.7 violates the <3 upper bound, pip install will fail with a dependency resolution error.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At composer/airflow_1_samples/requirements.txt, line 8:
<comment>Pinning `idna>=3.7` creates an unresolvable dependency conflict. Apache Airflow 1.10.15 depends on `requests` in the range `<2.24.0,>=2.20.0`, and all versions of `requests` in that range (including 2.23.0) require `idna<3,>=2.5`. Since `idna>=3.7` violates the `<3` upper bound, `pip install` will fail with a dependency resolution error.</comment>
<file context>
@@ -5,3 +5,5 @@ apache-airflow-backport-providers-google==2021.3.3
apache-airflow-backport-providers-cncf-kubernetes==2021.3.3
kubernetes==11.0.0
scipy==1.4.1; python_version > '3.0'
+idna>=3.7 # not directly required, pinned by Snyk to avoid a vulnerability
+marshmallow>=3.26.2 # not directly required, pinned by Snyk to avoid a vulnerability
</file context>
| idna>=3.7 # not directly required, pinned by Snyk to avoid a vulnerability | |
| idna>=2.5,<3 # not directly required, pinned by Snyk to avoid a vulnerability |
2 participants
Snyk has created this PR to fix 2 vulnerabilities in the pip dependencies of this project.
Snyk changed the following file(s):
composer/airflow_1_samples/requirements.txtImportant
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Resource Exhaustion
Summary by cubic
Pins
idnaandmarshmallowincomposer/airflow_1_samples/requirements.txtto fix two Snyk-reported vulnerabilities in transitive dependencies. No application code changes.idna>=3.7to address SNYK-PYTHON-IDNA-6597975.marshmallow>=3.26.2to address SNYK-PYTHON-MARSHMALLOW-14550833.Written for commit 0cd4337. Summary will update on new commits.