[Snyk] Security upgrade idna from 2.10 to 3.7

[deargvp1]

Snyk has created this PR to fix 1 vulnerabilities in the pip dependencies of this project.

Snyk changed the following file(s):

• composer/airflow_1_samples/requirements.txt

⚠️ Warning

equests 2.23.0 has requirement urllib3!=1.25.0,!=1.25.1,<1.26,>=1.21.1, but you have urllib3 2.0.7.
requests 2.23.0 has requirement idna<3,>=2.5, but you have idna 3.10.
pandas-gbq 0.21.0 has requirement google-api-core<3.0.0dev,>=2.10.2, but you have google-api-core 1.34.1.
pandas-gbq 0.21.0 has requirement google-auth>=2.13.0, but you have google-auth 1.35.0.
opentelemetry-api 1.22.0 has requirement importlib-metadata<7.0,>=6.0, but you have importlib-metadata 2.1.3.
grpcio-status 1.62.3 has requirement protobuf>=4.21.6, but you have protobuf 3.20.3.
google-cloud-workflows 1.20.0 has requirement google-auth!=2.24.0,!=2.25.0,<3.0.0,>=2.14.1, but you have google-auth 1.35.0.
google-cloud-tasks 2.21.0 has requirement google-auth!=2.24.0,!=2.25.0,<3.0.0,>=2.14.1, but you have google-auth 1.35.0.
google-cloud-tasks 2.21.0 has requirement grpc-google-iam-v1<1.0.0,>=0.14.0, but you have grpc-google-iam-v1 0.12.7.
google-cloud-redis 2.20.0 has requirement google-auth!=2.24.0,!=2.25.0,<3.0.0,>=2.14.1, but you have google-auth 1.35.0.
google-cloud-pubsub 2.34.0 has requirement google-auth<3.0.0,>=2.14.1, but you have google-auth 1.35.0.
google-cloud-os-login 2.19.0 has requirement google-auth!=2.24.0,!=2.25.0,<3.0.0,>=2.14.1, but you have google-auth 1.35.0.
google-cloud-monitoring 2.29.1 has requirement google-auth!=2.24.0,!=2.25.0,<3.0.0,>=2.14.1, but you have google-auth 1.35.0.
google-cloud-memcache 1.14.0 has requirement google-auth!=2.24.0,!=2.25.0,<3.0.0,>=2.14.1, but you have google-auth 1.35.0.
google-cloud-kms 2.24.2 has requirement google-auth!=2.24.0,!=2.25.0,<3.0.0dev,>=2.14.1, but you have google-auth 1.35.0.
google-cloud-dataproc 2.6.2 has requirement packaging<22.0.0dev,>=14.3, but you have packaging 24.0.
google-cloud-datacatalog 3.29.0 has requirement google-auth!=2.24.0,!=2.25.0,<3.0.0,>=2.14.1, but you have google-auth 1.35.0.
google-cloud-datacatalog 3.29.0 has requirement grpc-google-iam-v1<1.0.0,>=0.14.0, but you have grpc-google-iam-v1 0.12.7.
google-cloud-bigquery 3.30.0 has requirement google-api-core[grpc]<3.0.0dev,>=2.11.1, but you have google-api-core 1.34.1.
google-cloud-bigquery 3.30.0 has requirement google-auth<3.0.0dev,>=2.14.1, but you have google-auth 1.35.0.
google-cloud-bigquery-storage 2.36.2 has requirement google-auth!=2.24.0,!=2.25.0,<3.0.0,>=2.14.1, but you have google-auth 1.35.0.
google-cloud-bigquery-datatransfer 3.21.0 has requirement google-auth!=2.24.0,!=2.25.0,<3.0.0,>=2.14.1, but you have google-auth 1.35.0.
google-cloud-automl 2.18.1 has requirement google-auth!=2.24.0,!=2.25.0,<3.0.0,>=2.14.1, but you have google-auth 1.35.0.
google-cloud-appengine-logging 1.8.0 has requirement google-auth!=2.24.0,!=2.25.0,<3.0.0,>=2.14.1, but you have google-auth 1.35.0.
google-auth-oauthlib 1.3.0 has requirement google-auth!=2.43.0,!=2.44.0,!=2.45.0,<3.0.0,>=2.15.0, but you have google-auth 1.35.0.
google-ads 7.0.0 has requirement google-auth-oauthlib<1.0.0,>=0.3.0, but you have google-auth-oauthlib 1.3.0.
google-ads 7.0.0 has requirement PyYAML<6.0,>=5.1, but you have PyYAML 6.0.1.
Flask 1.1.4 has requirement itsdangerous<2.0,>=0.24, but you have itsdangerous 2.1.2.
Flask-JWT-Extended 3.25.1 has requirement PyJWT<2.0,>=1.6.4, but you have PyJWT 2.8.0.
Flask-AppBuilder 2.3.4 has requirement email-validator<2,>=1.0.5, but you have email-validator 2.1.0.
apache-airflow 1.10.15 requires thrift, which is not installed.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.
• Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Resource Exhaustion

---

Summary by cubic

Pins idna>=3.7 in composer/airflow_1_samples/requirements.txt to fix vulnerability SNYK-PYTHON-IDNA-6597975. This hardens the Airflow 1 sample environment against known idna issues.

• Dependencies

  • Added idna>=3.7 to force a secure version.

• Migration

  • requests==2.23.0 requires idna<3. Upgrade requests to >=2.31.0 to resolve the conflict.
  • Confirm your requests version supports your current urllib3 (e.g., requests>=2.31.0 works with urllib3 2.x).

^{Written for commit f9b97d3. Summary will update on new commits. Review in cubic}

[stackblitz-staging]

Run & review this pull request in StackBlitz Codeflow.

[coderabbitai]

Important

Review skipped

Ignore keyword(s) in the title.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 9f054111-5100-4edc-9a4e-f12cfde2e748

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch snyk-fix-975d0f01267dd6660780eb8aaca1ee03

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request adds idna>=3.7 to the requirements.txt file to address a security vulnerability. The reviewer pointed out that this change creates a dependency conflict with requests==2.23.0, which requires idna<3. To fix this, the reviewer suggests upgrading requests to at least 2.25.0, updating constraints.txt, and using a strict version pin for idna.

[gemini-code-assist]

Upgrading idna to >=3.7 creates a dependency conflict with requests==2.23.0 (pinned in constraints.txt at line 289), which requires idna<3. This will cause installation failures. To fix the vulnerability, requests must also be upgraded to at least 2.25.0. Furthermore, constraints.txt (where idna is currently pinned at version 2.8 on line 163) must be updated to match this change to maintain consistency, as required by the instruction on line 1 of this file. For consistency with other entries in this file, consider using a strict version pin.

idna==3.7 # not directly required, pinned by Snyk to avoid a vulnerability

[cubic-dev-ai]

1 issue found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="composer/airflow_1_samples/requirements.txt">

<violation number="1" location="composer/airflow_1_samples/requirements.txt:8">
P1: This `idna>=3.7` pin conflicts with `requests==2.23.0` which requires `idna<3,>=2.5`. pip will refuse to install (or produce a broken environment) because the constraints are mutually exclusive. To fix the vulnerability without breaking installation, `requests` must also be upgraded to at least `2.25.0` (which relaxes the `idna<3` upper bound).</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
Re-trigger cubic}