Update Vulnerable Dependency #26

Closed
thealphadollar opened this issue Dec 7, 2018 · 7 comments
Labels
easy good first issue Hacktoberfest Issues that can be solved for Hacktoberfest help wanted

Comments

@thealphadollar
Contributor

As per GitHub, the following dependencies need to be updated and are currently vulnerable:

  • requests
@thealphadollar thealphadollar added the Hacktoberfest Issues that can be solved for Hacktoberfest label Oct 1, 2019
@xypnox

xypnox commented Oct 28, 2019

Hi @thealphadollar, what is the version of requests that GitHub is recommending to update, or should we directly jump to the latest available one?

@thealphadollar
Contributor Author

This is a very minimal issue and I've saved it for a beginner.

Jump to the latest, as an answer to your question.

@xypnox

xypnox commented Oct 28, 2019

I see, but this vulnerability has been there since the previous year; I think it is time to update.

@thealphadollar
Contributor Author

Okay, cool.

Please go ahead and send a PR.

Complete your Hacktoberfest :P

@xypnox

xypnox commented Oct 28, 2019

While updating the dependencies, pipenv pops up this error:

Pipfile.lock (c687f2) out of date, updating to (3a19d0)…
Locking [dev-packages] dependencies…
✔ Success!
Locking [packages] dependencies…
✘ Locking Failed!
[pipenv.exceptions.ResolutionFailure]:   File "/home/xypnox/.local/lib/python3.6/site-packages/pipenv/resolver.py", line 69, in resolve
[pipenv.exceptions.ResolutionFailure]:       req_dir=requirements_dir
[pipenv.exceptions.ResolutionFailure]:   File "/home/xypnox/.local/lib/python3.6/site-packages/pipenv/utils.py", line 726, in resolve_deps
[pipenv.exceptions.ResolutionFailure]:       req_dir=req_dir,
[pipenv.exceptions.ResolutionFailure]:   File "/home/xypnox/.local/lib/python3.6/site-packages/pipenv/utils.py", line 480, in actually_resolve_deps
[pipenv.exceptions.ResolutionFailure]:       resolved_tree = resolver.resolve()
[pipenv.exceptions.ResolutionFailure]:   File "/home/xypnox/.local/lib/python3.6/site-packages/pipenv/utils.py", line 395, in resolve
[pipenv.exceptions.ResolutionFailure]:       raise ResolutionFailure(message=str(e))
[pipenv.exceptions.ResolutionFailure]:       ResolutionFailure: ERROR: ERROR: Could not find a version that matches certifi==2015.11.20.1,>=2017.4.17
[pipenv.exceptions.ResolutionFailure]:       Tried: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 1.0.0, 1.0.1, 1.0.1, 14.5.14, 2015.4.28, 2015.4.28, 2015.9.6, 2015.9.6, 2015.9.6.1, 2015.9.6.1, 2015.9.6.2, 2015.9.6.2, 2015.11.20, 2015.11.20, 2015.11.20.1, 2015.11.20.1, 2016.2.28, 2016.2.28, 2016.8.2, 2016.8.2, 2016.8.8, 2016.8.8, 2016.8.31, 2016.8.31, 2016.9.26, 2016.9.26, 2017.1.23, 2017.1.23, 2017.4.17, 2017.4.17, 2017.7.27, 2017.7.27, 2017.7.27.1, 2017.7.27.1, 2017.11.5, 2017.11.5, 2018.1.18, 2018.1.18, 2018.4.16, 2018.4.16, 2018.8.13, 2018.8.13, 2018.8.24, 2018.8.24, 2018.10.15, 2018.10.15, 2018.11.29, 2018.11.29, 2019.3.9, 2019.3.9, 2019.6.16, 2019.6.16, 2019.9.11, 2019.9.11
[pipenv.exceptions.ResolutionFailure]: Warning: Your dependencies could not be resolved. You likely have a mismatch in your sub-dependencies.
  First try clearing your dependency cache with $ pipenv lock --clear, then try the original command again.
 Alternatively, you can use $ pipenv install --skip-lock to bypass this mechanism, then run $ pipenv graph to inspect the situation.
  Hint: try $ pipenv lock --pre if it is a pre-release dependency.
ERROR: ERROR: Could not find a version that matches certifi==2015.11.20.1,>=2017.4.17
Tried: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 1.0.0, 1.0.1, 1.0.1, 14.5.14, 2015.4.28, 2015.4.28, 2015.9.6, 2015.9.6, 2015.9.6.1, 2015.9.6.1, 2015.9.6.2, 2015.9.6.2, 2015.11.20, 2015.11.20, 2015.11.20.1, 2015.11.20.1, 2016.2.28, 2016.2.28, 2016.8.2, 2016.8.2, 2016.8.8, 2016.8.8, 2016.8.31, 2016.8.31, 2016.9.26, 2016.9.26, 2017.1.23, 2017.1.23, 2017.4.17, 2017.4.17, 2017.7.27, 2017.7.27, 2017.7.27.1, 2017.7.27.1, 2017.11.5, 2017.11.5, 2018.1.18, 2018.1.18, 2018.4.16, 2018.4.16, 2018.8.13, 2018.8.13, 2018.8.24, 2018.8.24, 2018.10.15, 2018.10.15, 2018.11.29, 2018.11.29, 2019.3.9, 2019.3.9, 2019.6.16, 2019.6.16, 2019.9.11, 2019.9.11
There are incompatible versions in the resolved dependencies.

It seems there is a conflict in the version for the package certifi.

pipenv lock --clear doesn't seem to help. The pipenv graph output is given below:

beautifulsoup4==4.4.1
docopt==0.4.0
futures==3.0.3
pymongo==3.1.1
python-dotenv==0.5.1
  - click [required: >=5.0, installed: 7.0]
  - ordereddict [required: Any, installed: 1.1]
requests==2.22.0
  - certifi [required: >=2017.4.17, installed: 2019.9.11]
  - chardet [required: >=3.0.2,<3.1.0, installed: 3.0.4]
  - idna [required: >=2.5,<2.9, installed: 2.8]
  - urllib3 [required: >=1.21.1,<1.26,!=1.25.1,!=1.25.0, installed: 1.25.6]
tornado==4.3
  - backports-abc [required: >=0.4, installed: 0.4]
  - backports.ssl-match-hostname [required: Any, installed: 3.4.0.2]
  - certifi [required: Any, installed: 2019.9.11]
  - singledispatch [required: Any, installed: 3.4.0.3]
    - six [required: Any, installed: 1.10.0]
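
As an added example (not code from the issue or the project), a small checker that applies the version specifiers `pipenv graph` prints and shows why the resolver's combined constraint cannot be met: the lock file still pins certifi==2015.11.20.1 while requests 2.22.0 requires certifi>=2017.4.17, and no single version satisfies both. It compares versions as numeric tuples rather than doing full PEP 440 parsing, and the graph excerpt and "Tried" subset are constructed from the output above.

```python
import re  # constructed checker, not the project's code

def parse_version(s):
    """'2017.4.17' -> (2017, 4, 17); tuples compare numerically."""
    return tuple(int(p) for p in s.split("."))

_OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
        ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def satisfies(version, spec):
    """True if `version` meets every comma-separated clause of `spec`
    (e.g. '>=1.21.1,<1.26,!=1.25.1'); 'Any' imposes no constraint."""
    if spec.strip() == "Any":
        return True
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(==|!=|>=|<=|>|<)\s*([\d.]+)\s*", clause)
        if m is None:
            raise ValueError("unsupported clause: %r" % clause)
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True

def candidates_matching(spec, tried):
    """Versions from the resolver's 'Tried:' list that satisfy `spec`.
    An empty result is exactly pipenv's 'Could not find a version' failure."""
    return sorted({t for t in tried if satisfies(t, spec)}, key=parse_version)

_DEP = re.compile(r"^\s+- (\S+) \[required: (.*?), installed: ([^\]]+)\]")

def unsatisfied_in_graph(graph_text):
    """(package, required, installed) for each `pipenv graph` sub-dependency
    line whose installed version does not meet the stated requirement."""
    return [m.groups() for m in map(_DEP.match, graph_text.splitlines())
            if m and not satisfies(m.group(3), m.group(2))]

# Constraint quoted from the resolver error above; TRIED is a constructed
# subset of the versions it reported trying.
LOCK_CONFLICT = "==2015.11.20.1,>=2017.4.17"
TRIED = ["2015.11.20", "2015.11.20.1", "2016.2.28", "2017.4.17", "2019.9.11"]

# Constructed `pipenv graph` excerpt: requests 2.22.0 as in the issue, but
# with the lock file's old certifi pin still installed.
STALE_GRAPH = """\
requests==2.22.0
  - certifi [required: >=2017.4.17, installed: 2015.11.20.1]
  - urllib3 [required: >=1.21.1,<1.26,!=1.25.1,!=1.25.0, installed: 1.25.6]
"""
```

`candidates_matching(LOCK_CONFLICT, TRIED)` returns an empty list, which is the unsatisfiable state pipenv reported, while `unsatisfied_in_graph(STALE_GRAPH)` flags only the stale certifi line, so regenerating the lock (or dropping the old pin) is what clears the conflict.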

@thealphadollar
Contributor Author

It doesn't make much difference. Just add it and send the PR.

@proffapt
Member


This issue is solved. Closing it.
