[Snyk] Security upgrade urllib3 from 1.25.11 to 2.6.3 #326
Conversation
The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-URLLIB3-14896210
There was a problem hiding this comment.
Pull request overview
This PR attempts to address a security vulnerability by upgrading urllib3 from 1.25.11 to 2.6.3. However, the proposed change introduces multiple critical issues that will prevent the application from functioning correctly.
Changes:
- Adds urllib3>=2.6.3 as an explicit dependency to fix a Snyk-identified security vulnerability
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| selenium==3.141.0 | ||
| termcolor==1.1.0 No newline at end of file | ||
| termcolor==1.1.0 | ||
| urllib3>=2.6.3 # not directly required, pinned by Snyk to avoid a vulnerability No newline at end of file |
There was a problem hiding this comment.
The constraint should use a specific version rather than a minimum version operator. Using ">=2.6.3" allows pip to install any version 2.6.3 or higher, which could introduce future breaking changes or unpredictable behavior. Given that this is a security fix for specific dependencies (requests 2.22.0 and selenium 3.141.0), it would be safer to pin to a specific version like "urllib3==2.6.3" or use a constrained range like "urllib3>=2.6.3,<3.0" to prevent unexpected major version upgrades.
| urllib3>=2.6.3 # not directly required, pinned by Snyk to avoid a vulnerability | |
| urllib3>=2.6.3,<3.0 # not directly required, pinned by Snyk to avoid a vulnerability |
| @@ -3,4 +3,5 @@ chromedriver-binary==81.0.4044.69.0 | |||
| colorama==0.4.3 | |||
| requests==2.22.0 | |||
There was a problem hiding this comment.
The requests version 2.22.0 is from 2019 and has known security vulnerabilities. Since this PR is addressing security issues, requests should also be upgraded to a secure version (2.31.0 or later) that is compatible with urllib3 2.x. Keeping requests at 2.22.0 while upgrading urllib3 creates both compatibility issues and leaves known security vulnerabilities unpatched.
| requests==2.22.0 | |
| requests>=2.31.0 |
2 participants
Snyk has created this PR to fix 1 vulnerabilities in the pip dependencies of this project.
Snyk changed the following file(s):
codeforcesChecker/requirements.txtImportant
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.