PR#39949
Conversation
…ulation Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
chore: downgrade requests from 2.33.0 to 2.28.2 for vulnerability simulation
…lict The pinned requests==2.28.2 requires charset-normalizer<3, conflicting with charset-normalizer==3.4.2 also pinned in requirements/base.txt. Bumping requests to 2.33.1 (which allows charset_normalizer<4,>=2) resolves the ResolutionImpossible error reported by pip-audit. Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
[DEVIN-AUTO] Fix CI Security Scan Failure (46490ffd)
Resolves security scan failures reported by pip-audit:
- flask 2.3.3 -> 3.1.3 (CVE-2026-27205)
- mako 1.3.11 -> 1.3.12 (CVE-2026-44307)
Pins added to requirements/base.in and propagated through requirements/base.txt and requirements/development.txt via scripts/uv-pip-compile.sh.
[DEVIN-AUTO] Fix CI Security Scan Failure (e88ad58f)
| # jsonschema-path | ||
| # jsonschema-specifications | ||
| requests==2.33.0 | ||
| requests==2.28.2 |
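Review bot: the `+` line hand-pins requirements/development.txt to requests==2.28.2, the opposite direction from the base.txt bump to 2.33.1 described in the commit message above, and it reintroduces the requests 2.28.x charset-normalizer<3 constraint that the same message names as the cause of pip-audit's ResolutionImpossible error. Regenerate development.txt from development.in with the documented compile flow so requests resolves to the same 2.33.1 as base.txt, then re-run pip-audit to confirm resolution succeeds.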
🟠 Architect Review — HIGH
requirements/development.txt pins requests==2.28.2 while requirements/base.txt pins requests==2.33.1, violating requirements/README.md's guarantee that all shared library versions between base.txt and development.txt must fully match.
Suggestion: Regenerate requirements/development.txt from development.in using the documented uv pip compile flow, ensuring requests resolves to 2.33.1 to match base.txt, and verify that pip install -r requirements/development.txt succeeds.
[DEVIN-AUTO] fix(deps): bump flask and mako to patch CI security scan failures
The flagged issue is correct: requirements/development.txt pins requests==2.28.2 while requirements/base.txt pins requests==2.33.1, violating the README.md guarantee for matching shared library versions. To resolve, update the requests version in development.txt to 2.33.1. No other comments found in the PR.
Code Review Agent Run #593264
Actionable Suggestions - 1
- requirements/base.in - 1
  - CWE-1395: Vulnerable Dependency Version · Line 37-37
Review Details
- Files reviewed - 3 · Commit Range: 0469d0b..ca3e6aa
  - requirements/base.in
  - requirements/base.txt
  - requirements/development.txt
- Files skipped - 0
- Tools
  - Whispers (Secret Scanner) - ✔︎ Successful
  - Detect-secrets (Secret Scanner) - ✔︎ Successful
| # Security: CVE-2024-52338 (CRITICAL) - Deserialization of untrusted data in IPC/Parquet readers | ||
| pyarrow>=20.0.0,<21.0.0 | ||
| # Security: CVE-2026-27459 - pyopenssl certificate validation | ||
| pyopenssl>=26.0.0,<27.0.0 |
This change downgrades the requests library to versions >=2.28.0, which includes vulnerable versions for CVE-2026-25645 (fixed in 2.33.0+). Although the project does not appear to use the affected extract_zipped_paths function, maintaining secure dependency versions is best practice. The security comment suggests this is a fix, but it has the opposite effect. (CWE-1395)
Code suggestion
| pyopenssl>=26.0.0,<27.0.0 | |
| requests>=2.33.0,<3.0.0 |
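Review bot: the suggested `requests>=2.33.0,<3.0.0` floor in base.in only takes effect once the compiled files are regenerated; the commit message earlier in this PR describes propagating base.in pins through requirements/base.txt and requirements/development.txt via scripts/uv-pip-compile.sh, so that step should accompany this change or the compiled pins will still disagree. The new line should also carry a `# Security:` comment naming the advisory, as the neighbouring pyarrow and pyopenssl entries in the hunk do.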
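Both findings on this PR, the development.txt/base.txt pin mismatch raised in the Architect Review and the requests floor below the fixed release raised in the Bito comment, are mechanical checks that can run in CI before pip-audit does. The script below is an added illustration, not code from the Superset repository or from either review bot: it parses pip requirement lines, reports packages pinned to different versions in two compiled files, and flags `==` pins or `>=` floors older than a known fixed release. The file contents and the fixed-version map are constructed samples (real floors come from the advisory data pip-audit reports against), and all function names are my own.

```python
"""Requirements consistency and advisory-floor checks (added example).

Not Superset's own tooling. Detects (1) packages whose pins differ between two
compiled requirement files and (2) pins or lower bounds that fall below a
known fixed release. All inputs below are constructed samples.
"""
import re
from typing import Dict, Tuple

# First specifier on a requirement line: name, optional extras, operator, version.
# "requests>=2.28.0,<3.0.0" yields (">=", "2.28.0"); later specifiers are ignored.
_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*"
    r"(?P<op>==|>=|<=|~=|!=|>|<)\s*(?P<ver>[0-9][0-9A-Za-z.]*)"
)


def normalize_name(name: str) -> str:
    """PEP 503 normalisation so 'Charset_Normalizer' and 'charset-normalizer' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(ver: str) -> Tuple[int, ...]:
    """Numeric release tuple for dotted versions ('2.33.1' -> (2, 33, 1)).

    Stops at the first non-numeric component, which is enough for the release
    pins that compiled requirement files contain.
    """
    parts = []
    for piece in ver.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def parse_requirements(text: str) -> Dict[str, Tuple[str, str]]:
    """Map normalised package name -> (operator, version) per requirement line.

    Comments, blank lines and option lines (-c, -r, --hash continuations) are skipped.
    """
    pins: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = _REQ_RE.match(line)
        if match:
            pins[normalize_name(match.group("name"))] = (match.group("op"), match.group("ver"))
    return pins


def find_pin_mismatches(base: Dict[str, Tuple[str, str]],
                        dev: Dict[str, Tuple[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Packages present in both files whose specifiers differ: name -> (base, dev)."""
    return {
        name: (spec[1], dev[name][1])
        for name, spec in base.items()
        if name in dev and dev[name] != spec
    }


def find_insecure_floors(reqs: Dict[str, Tuple[str, str]],
                         min_fixed: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Packages whose '==' pin or '>=' floor is older than the first fixed release."""
    flagged = {}
    for name, (op, ver) in reqs.items():
        fixed = min_fixed.get(name)
        if fixed and op in ("==", ">=") and parse_version(ver) < parse_version(fixed):
            flagged[name] = (ver, fixed)
    return flagged


# Constructed samples mirroring the PR: the compiled dev file hand-pinned to an older requests.
BASE_TXT = """# compiled from base.in (constructed sample)
charset-normalizer==3.4.7 \\
    --hash=sha256:0000constructedplaceholder
mako==1.3.12
requests==2.33.1
"""
DEV_TXT = """-c base-constraint.txt
charset-normalizer==3.4.7
pytest==8.3.5
requests==2.28.2
"""
BASE_IN = """# Security: pyopenssl certificate validation
pyopenssl>=26.0.0,<27.0.0
requests>=2.28.0,<3.0.0
"""
# Constructed floor for the illustration; real values come from the advisory
# database pip-audit reports against.
MIN_FIXED = {"requests": "2.33.0"}


def run_checks() -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Run both checks over the constructed samples and return their findings."""
    base, dev = parse_requirements(BASE_TXT), parse_requirements(DEV_TXT)
    return {
        "mismatches": find_pin_mismatches(base, dev),
        "base_in_floors": find_insecure_floors(parse_requirements(BASE_IN), MIN_FIXED),
        "dev_floors": find_insecure_floors(dev, MIN_FIXED),
    }


if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(check, findings or "ok")
```

Wiring `run_checks` into CI with real file contents turns the README's "versions must fully match" guarantee into a failing job rather than a review comment; the floor check catches a manual `>=` edit that silently reopens an advisory, which is exactly the direction error the Bito comment describes.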
…an conflict The pinned charset-normalizer==3.4.2 conflicted with the resolved version required transitively via requests==2.33.1 (line 366 of requirements/base.txt), causing pip-audit to report a ResolutionImpossible error. Bumping charset-normalizer to 3.4.7 (still satisfying requests' <4,>=2 spec) restores a clean dependency resolution. development.txt updated to keep the pin in sync with base.txt (it is constrained against base-constraint.txt). [DEVIN-AUTO] Fix CI Security Scan Failure (c0bcbc84) Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
fix(deps): bump charset-normalizer to 3.4.7 to resolve CI security scan conflict
Updated the security scanner workflow to improve vulnerability detection and reporting.
…lict The CI security scanner (pip-audit) failed because requests==2.28.1 constrains charset-normalizer<3, conflicting with the pinned charset-normalizer==3.4.7 in requirements/base.txt. Bumping requests to 2.32.4 (which supports charset-normalizer<4) resolves the dependency conflict and also addresses CVE-2024-35195 (Session.verify=False) in older requests versions. [DEVIN-AUTO] Fix CI Security Scan Failure (132d1812) Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
fix(deps): bump requests to 2.32.4 to resolve charset-normalizer conflict
hi there, I appreciate the enthusiasm but honestly, having AI agents continuously mitigate security vulnerabilities is a ticking time bomb both financially and logically. Plus, bumping the major version of a critical lib like Flask isn't as easy as it appears to be. I'd be closing this off when there are fewer items bound into 1 PR and more description to give us a heads-up on the intention.
SUMMARY
BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
TESTING INSTRUCTIONS
ADDITIONAL INFORMATION