5 changes: 3 additions & 2 deletions requirements.txt
@@ -13,7 +13,7 @@ botocore>=1.35,<1.36
celery>=5.2.6
coverage>=4.5.4,<5.0 # Coverage 5.x moves from a json database to SQLite. Moving to 5.x will require substantial rewrites in ietf.utils.test_runner and ietf.release.views
defusedxml>=0.7.1 # for TastyPie when using xml; not a declared dependency
Django>4.2,<5
Django>4.2.27
high

The new version constraint for Django is too open-ended. It's good practice to specify an upper bound to prevent automatically picking up future major versions (e.g., Django 5.0) which may include breaking changes. The original constraint was <5, and it's safer to retain a similar upper bound.

Django>=4.2.27,<5


P1 Reinstate safe Django version bounds

The Django requirement changed from >4.2,<5 to Django>4.2.27, which both omits the >= on 4.2.27 (so the patched LTS release is not installable) and removes the <5 upper bound. With the current spec pip is free to resolve to Django 5.x when 4.2.28+ is unavailable, while other dependencies in this file (e.g. django-stubs pinned <5 and tastypie comment about syncing with Django) are still tied to the 4.2 series. That leads to resolver conflicts or runtime incompatibilities instead of the intended security update. Please bound the requirement to the patched 4.2 LTS range (e.g. >=4.2.27,<5).


django-admin-rangefilter>=0.13.2
django-analytical>=3.1.0
django-bootstrap5>=21.3
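Review bot: `Django>4.2.27` (the added line replacing `Django>4.2,<5`) uses strict greater-than, so the 4.2.27 release that carries the intended fix is itself not installable, and it drops the `<5` ceiling, so the resolver is free to pick Django 5.x, which is outside what the other pins in this file were chosen for. Suggest `Django>=4.2.27,<5`: `>=` admits the patched release and `<5` keeps the 4.2 LTS line without opening the 5.x series.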
@@ -80,7 +80,8 @@ tblib>=1.7.0 # So that the django test runner provides tracebacks
tlds>=2022042700 # Used to teach bleach about which TLDs currently exist
tqdm>=4.64.0
Unidecode>=1.3.4
urllib3>=1.26,<2
urllib3>=2.6.0

high

This change upgrades urllib3 from version 1.x to 2.x, which is a major version bump and may introduce breaking changes. To prevent pulling in future major versions (e.g., 3.0) automatically, it's recommended to add an upper bound.

urllib3>=2.6.0,<3

weasyprint>=64.1
xml2rfc>=3.23.0
xym>=0.6,<1.0
sqlparse>=0.5.4 # not directly required, pinned by Snyk to avoid a vulnerability
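Review bot: `urllib3>=2.6.0` replaces `urllib3>=1.26,<2` with no upper bound while also crossing a major version; suggest `urllib3>=2.6.0,<3` so a future 3.x is not picked up silently, and confirm the resolver still satisfies the urllib3 constraints of the other pinned packages in this file (botocore, shown in the first hunk's context line, carries its own). A secondary documentation point: the sqlparse line at the end of this hunk says it is "pinned by Snyk to avoid a vulnerability" without naming the advisory; please add the advisory identifier so the pin can be re-evaluated later.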