Upgrade docs site requirements to resolve CVE-2026-25645 #276
Pull request overview
Updates the docs site dependency tooling and pinned requirements to address a security vulnerability (CVE referenced in the PR title).
Changes:
- Simplifies the docs requirements updater to install the latest `pip-tools` without a `pip` upper bound.
- Upgrades multiple pinned dependencies in `docs/docsite/requirements.txt`.
- Changes how `urllib3` is constrained (now pinned exactly).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| docs/docsite/updater.sh | Updates the dependency update script to install pip-tools without pinning pip. |
| docs/docsite/requirements.txt | Bumps pinned docs dependencies (Sphinx, requests stack, etc.) and pins urllib3 to a specific version. |
| # FIXME: https://github.com/jazzband/pip-tools/issues/1558 | ||
| ${venv}/bin/python3 -m pip install -U 'pip<22.0' pip-tools | ||
| ${venv}/bin/python3 -m pip install -U pip-tools |
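Review bot: the replacement line no longer touches `pip` at all, so the venv keeps whatever `pip` it was created with, whereas the removed line upgraded it explicitly (with the `<22.0` ceiling). If the intent is "latest pip, no ceiling", make that explicit with `${venv}/bin/python3 -m pip install -U pip pip-tools`; if the intent is to leave `pip` alone, a one-line comment saying so (and noting that the linked pip-tools issue 1558 no longer applies) would keep the reason for the change visible once the `FIXME` is gone.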
Installing an unpinned latest pip-tools can make docs builds non-reproducible and may break unexpectedly if pip-tools introduces behavior changes. Consider pinning pip-tools to a known-good version range (e.g., in a dedicated tooling constraints file) and, if the prior pip<22.0 workaround is no longer needed, leave a short comment explaining what changed (or link to the upstream fix) so future failures are easier to diagnose.
| ${venv}/bin/python3 -m pip install -U pip-tools | |
| # Pin pip-tools to a known-good range to keep docs builds reproducible. | |
| ${venv}/bin/python3 -m pip install -U 'pip-tools>=7.4,<8.0' |
| sphinxcontrib-serializinghtml==2.0.0 | ||
| # via sphinx | ||
| urllib3>=2.6.3 # CVE-2026-21441 | ||
| urllib3==2.6.3 |
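Review bot: the new `urllib3==2.6.3` line has no `# via` annotation, unlike the `sphinxcontrib-serializinghtml==2.0.0` entry directly above it, which suggests the compiled file was edited by hand rather than regenerated with pip-compile. Put the constraint in the input file (`urllib3>=2.6.3` together with the CVE reference that this hunk deletes) and regenerate, so the compiled output stays internally consistent and the reason for the bound is not lost from the repository.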
The PR title references CVE-2026-25645, but the diff only shows an urllib3 constraint change and removes the prior inline CVE note (previously referencing a different CVE). Please add a short note in the relevant place (typically the source requirements.in, not the compiled requirements.txt) clarifying which package/version change mitigates CVE-2026-25645 so the fixation is auditable.
| sphinxcontrib-serializinghtml==2.0.0 | ||
| # via sphinx | ||
| urllib3>=2.6.3 # CVE-2026-21441 | ||
| urllib3==2.6.3 |
Pinning urllib3 exactly to 2.6.3 prevents automatically receiving future security/patch updates in the 2.6.x line. If the intent is to enforce a minimum patched version (CVE mitigation), prefer constraining this in the input file (requirements.in) as a direct dependency (so it remains stable across re-compiles) and consider a bounded range (e.g., >=2.6.3,<3) rather than an exact pin, unless you specifically require full lockfile-style immutability.
| urllib3==2.6.3 | |
| urllib3>=2.6.3,<3 |
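The two review comments above come down to one audit question: does the compiled `requirements.txt` still satisfy the minimum patched version, and does it look like genuine pip-compile output (every pin carrying a `# via` annotation) rather than a hand edit? The following script is an added example written for this review, not code from the project; the `2.6.3` minimum and the `<3` upper bound are the values discussed in the comments, the sample file contents are constructed to mirror the lines shown in the diff, and the policy table `MIN_VERSIONS` / `UPPER_BOUNDS` is an assumed reviewer policy, not a statement about any particular CVE.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the compiled requirements.txt in the PR diff;
# it is not the project's real file. The urllib3 entry deliberately lacks the
# "# via" annotation, as it does in the hunk under review.
SAMPLE_REQUIREMENTS = """\
sphinxcontrib-serializinghtml==2.0.0
    # via sphinx
urllib3==2.6.3
requests==2.32.4
    # via sphinx
"""

# Assumed reviewer policy: minimum patched version and an upper bound per package.
# The urllib3 values are the ones discussed in the review comments.
MIN_VERSIONS = {"urllib3": "2.6.3"}
UPPER_BOUNDS = {"urllib3": "3"}

# Matches an exact pin such as "urllib3==2.6.3", with an optional trailing comment.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)\s*(#.*)?$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.6.3' into (2, 6, 3). Simplified numeric compare, not full PEP 440."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def parse_pins(text: str) -> Dict[str, dict]:
    """Return {name: {'version': str, 'via': bool}} for every exact pin in a compiled file.

    'via' records whether a '# via ...' annotation follows the pin, which is what
    pip-compile emits for every requirement it resolves.
    """
    pins: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if current is not None and line.startswith("# via"):
                pins[current]["via"] = True
            continue
        match = PIN_RE.match(line)
        if not match:
            # Ranges such as "urllib3>=2.6.3" are not exact pins; stop attributing comments.
            current = None
            continue
        name = match.group(1).lower()
        pins[name] = {"version": match.group(2), "via": False}
        current = name
    return pins


def audit(text: str) -> List[str]:
    """Report policy violations and pins that look hand-edited rather than compiled."""
    findings: List[str] = []
    pins = parse_pins(text)
    for name, minimum in MIN_VERSIONS.items():
        if name not in pins:
            findings.append(f"{name}: not pinned at all")
            continue
        have = parse_version(pins[name]["version"])
        if have < parse_version(minimum):
            findings.append(f"{name}: {pins[name]['version']} is below minimum {minimum}")
        upper = UPPER_BOUNDS.get(name)
        if upper and have >= parse_version(upper):
            findings.append(f"{name}: {pins[name]['version']} is outside the bound <{upper}")
    for name, info in pins.items():
        if not info["via"]:
            findings.append(f"{name}: no '# via' annotation, looks hand-edited rather than compiled")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUIREMENTS):
        print(finding)
```

Run against the constructed sample it reports only the missing `# via` annotation on `urllib3`, which is exactly the signal that the pin was typed into the compiled file instead of being generated from `requirements.in`; lowering the pin below the minimum, or dropping it altogether, produces the corresponding policy finding.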
No description provided.