chore(deps): bump dependencies to address security vulnerabilities #37552
- urllib3: 2.6.0 → 2.6.3 (CVE-2026-21441 - decompression bomb bypass)
- werkzeug: 3.1.3 → 3.1.5 (GHSA-87hc-h4r5-73f7, multipart fix)
- brotli: 1.1.0 → 1.2.0 (decompression bomb fix)
- filelock: add >= 3.20.3 (CVE-2025-68146 - TOCTOU symlink)
- pyasn1: 0.6.1 → 0.6.2 (security fix)
Code Review Agent Run #4d6065: Actionable Suggestions - 0, Additional Suggestions - 1
requirements/base.in
| # Security: CVE-2026-21441 - decompression bomb bypass on redirects | ||
| urllib3>=2.6.3,<3.0.0 | ||
| # Security: GHSA-87hc-h4r5-73f7, multipart boundary fix | ||
| werkzeug>=3.1.5 |
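Review bot: The two pins in this hunk are inconsistent: urllib3 is capped with `<3.0.0` while werkzeug is left open-ended as `werkzeug>=3.1.5`, so a future Werkzeug major release could be resolved into the environment; add a matching cap, e.g. `werkzeug>=3.1.5,<4.0.0`. The comment for GHSA-87hc-h4r5-73f7 also calls it a "multipart boundary fix", which a later commit in this PR corrects to a path traversal fix; keep the advisory comment accurate so the reason for each floor stays auditable.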
Suggestion: Missing upper bound for werkzeug: allowing unconstrained major upgrades (e.g., 4.x) can introduce breaking API changes; pin a safe upper bound to prevent accidental incompatible upgrades. [possible bug]
Severity Level: Major ⚠️
- ❌ CI dependency installation may pick breaking werkzeug version.
- ⚠️ Unit tests may fail after unexpected Werkzeug upgrade.
- ⚠️ Runtime server startup could encounter API incompatibilities.

Suggested change (current line, then proposed line):
| werkzeug>=3.1.5 |
| werkzeug>=3.1.5,<4.0.0 |
Steps of Reproduction ✅
1. Open requirements file at `requirements/base.in` and inspect lines 21-22 (file content shows `werkzeug>=3.1.5`) — see `requirements/base.in:21-22`.
2. Create a fresh environment and run dependency resolution/installation using this requirements file (e.g., generate constraints or install from it): run `python -m venv .venv && .venv/bin/pip install -r requirements/base.in` (dependency resolver will consider `werkzeug>=3.1.5` without an upper bound).
3. If the resolver selects a future major release (e.g., werkzeug 4.x), install completes with that major version present in the environment.
4. Run the project's test suite or start the application (typical next steps after install). If code relies on the current Werkzeug 3.x APIs, tests or startup will fail with import/attribute errors or behavioral regressions (this is the concrete failure mode expected after a breaking major upgrade).
requirements/base.in
| # Security: GHSA-87hc-h4r5-73f7, multipart boundary fix | ||
| werkzeug>=3.1.5 | ||
| # Security: CVE-2025-68146 - TOCTOU symlink vulnerability | ||
| filelock>=3.20.3 |
Suggestion: Missing upper bound for filelock: without an upper bound, future major releases could introduce incompatible behavior or regressions; add a conservative upper bound to maintain stability. [possible bug]
Severity Level: Major ⚠️
- ❌ CI dependency installation may select incompatible filelock.
- ⚠️ Build/CLI file-locking tasks may throw runtime errors.
- ⚠️ Developer local scripts relying on filelock may break.

Suggested change (current line, then proposed line):
| filelock>=3.20.3 |
| filelock>=3.20.3,<4.0.0 |
Steps of Reproduction ✅
1. Open `requirements/base.in` and inspect lines 23-24 where `filelock>=3.20.3` is declared (`requirements/base.in:23-24`).
2. Install dependencies in a clean environment using that requirements file (e.g., `python -m venv .venv && .venv/bin/pip install -r requirements/base.in`), allowing the resolver to pick the latest available `filelock` major version.
3. If a future `filelock` 4.x is released and selected, run the test suite or run scripts that use `filelock` (typical usage patterns: file-based locking in build/cli tasks). Any incompatible API changes in 4.x will surface as failing tests or runtime exceptions when those code paths execute.
4. Observe concrete failures in CI or local runs during lock/acquire operations calling into `filelock` (manifesting as AttributeError/TypeError or changed semantics).
requirements/base.in
| # Security: CVE-2025-68146 - TOCTOU symlink vulnerability | ||
| filelock>=3.20.3 | ||
| # Security: decompression bomb fix (required by aiohttp 3.13.3) | ||
| brotli>=1.2.0 |
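Review bot: The brotli comment in this hunk is the only one in the file that cites no advisory identifier ("decompression bomb fix (required by aiohttp 3.13.3)"), unlike the neighbouring CVE/GHSA-tagged entries; reference the advisory or release note that describes the fix so a later reader can verify why the `brotli>=1.2.0` floor exists and when it can be relaxed.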
Suggestion: Missing upper bound for brotli: allowing unbounded major releases risks incompatible changes; pin an upper bound (e.g., <2.0.0) to avoid accidental breaking upgrades. [possible bug]
Severity Level: Major ⚠️
- ❌ CI dependency installation may pick incompatible brotli.
- ⚠️ HTTP compression/decompression operations may fail.
- ⚠️ Libraries requiring brotli (aiohttp) may exhibit regressions.

Suggested change (current line, then proposed line):
| brotli>=1.2.0 |
| brotli>=1.2.0,<2.0.0 |
Steps of Reproduction ✅
1. Inspect `requirements/base.in` at lines 25-26 where `brotli>=1.2.0` is added (`requirements/base.in:25-26`).
2. In a clean environment, resolve/install dependencies using that file (`python -m venv .venv && .venv/bin/pip install -r requirements/base.in`) allowing the resolver to pick the latest brotli major.
3. If the resolver selects a future major (2.x) with breaking API changes, execute code paths that depend on brotli compression/decompression (e.g., HTTP client libraries or middleware that call into brotli). These calls will surface concrete exceptions or behavioral changes when the API changes.
4. Observe failures in CI or runtime where brotli is used (decompression errors, missing functions, or changed behavior), causing test or runtime regressions.
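The three review comments above all flag the same defect: a `>=` floor with no cap lets the resolver pull in a future major release. The following added example (not part of this PR or the project's tooling) is a small stdlib-only lint that scans a requirements `.in` file for specifiers lacking an upper bound and proposes the `<NEXT_MAJOR.0.0` cap the reviewer suggested; the sample file contents are constructed from the lines quoted in the review.

```python
import re
from typing import Dict, Optional

# Constructed sample mirroring the requirements/base.in lines quoted in the review
SAMPLE_REQUIREMENTS = """\
# Security: CVE-2026-21441 - decompression bomb bypass on redirects
urllib3>=2.6.3,<3.0.0
# Security: GHSA-87hc-h4r5-73f7, multipart boundary fix
werkzeug>=3.1.5
# Security: CVE-2025-68146 - TOCTOU symlink vulnerability
filelock>=3.20.3
# Security: decompression bomb fix (required by aiohttp 3.13.3)
brotli>=1.2.0
"""

# project name, optional [extras], then the PEP 440 specifier set
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$")
# operators that cap the highest version pip's resolver may select
_CAPPING_OPS = ("<", "==", "~=")

def has_upper_bound(specifier: str) -> bool:
    """True if any clause of the comma-separated specifier set caps the version."""
    clauses = [c.strip() for c in specifier.split(",") if c.strip()]
    return any(c.startswith(_CAPPING_OPS) for c in clauses)

def suggest_cap(specifier: str) -> Optional[str]:
    """Derive '<NEXT_MAJOR.0.0' from a plain numeric '>=X.Y.Z' floor (reviewer's fix)."""
    for clause in specifier.split(","):
        m = re.fullmatch(r"\s*>=\s*(\d+)(?:\.\d+)*\s*", clause)
        if m:
            return f"<{int(m.group(1)) + 1}.0.0"
    return None  # no numeric floor to derive a cap from

def find_unbounded(text: str) -> Dict[str, str]:
    """Map each requirement lacking an upper bound to its suggested capped line."""
    findings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith("-") or "@" in line:
            continue  # blank line, pip option (-r/-c), or URL requirement
        line = line.split(";", 1)[0].strip()  # ignore environment markers
        m = _REQ_RE.match(line)
        if not m:
            continue
        name, spec = m.group(1), m.group(2).strip()
        if has_upper_bound(spec):
            continue
        cap = suggest_cap(spec)
        findings[name] = f"{name}{spec},{cap}" if cap else f"{name}{spec}"
    return findings
```

Running `find_unbounded(SAMPLE_REQUIREMENTS)` reports werkzeug, filelock and brotli with the exact capped lines the review proposed, and leaves the already-capped urllib3 line alone.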
Codecov Report ✅ All modified and coverable lines are covered by tests.

Coverage Diff (master vs. #37552):

| | master | #37552 | +/- |
| --- | --- | --- | --- |
| Coverage | 0 | 66.58% | +66.58% |
| Files | 0 | 643 | +643 |
| Lines | 0 | 49050 | +49050 |
| Branches | 0 | 5501 | +5501 |
| Hits | 0 | 32662 | +32662 |
| Misses | 0 | 15093 | +15093 |
| Partials | 0 | 1295 | +1295 |
…check
- Regenerated requirements using uv pip compile
- Added bsd-2-clause to authorized licenses for pyasn1
Address review feedback:
- werkzeug: add <4.0.0 upper bound
- filelock: add <4.0.0 upper bound
- brotli: add <2.0.0 upper bound
- Fix werkzeug comment (path traversal, not multipart)
Code Review Agent Run #d8cf3b: Actionable Suggestions - 0
Adds platform-specific dependencies (jeepney, secretstorage) that are only present when compiling on Linux.
Code Review Agent Run #67b6e1: Actionable Suggestions - 0
Summary
Bump dependencies to address security vulnerabilities:
Changelog links
Test plan