[Snyk] Fix for 2 vulnerabilities#3892
The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-LXML-16119103 - https://snyk.io/vuln/SNYK-PYTHON-PYTHONDOTENV-16115271
Pull request overview
This PR updates services/core-api Python dependencies to address two Snyk-reported vulnerabilities by upgrading an existing dependency and adding an explicit dependency version constraint.
Changes:
- Upgraded python-dotenv from 0.10.3 to 1.2.2.
- Added an explicit lxml dependency constraint (>=6.1.0) to mitigate a vulnerability.
| urllib3==2.5.0 | ||
| elasticsearch==8.12.0 No newline at end of file | ||
| elasticsearch==8.12.0 | ||
| lxml>=6.1.0 # not directly required, pinned by Snyk to avoid a vulnerability No newline at end of file |
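Review bot: the added lxml line carries the "No newline at end of file" marker, so the file still ends without a trailing newline; the only reason `elasticsearch==8.12.0` shows up as removed and re-added is that earlier missing newline, and the next dependency appended to this file will produce the same spurious churn. End the file with a newline. Separately, `>=6.1.0` is a floor, not a pin, in a file that otherwise uses exact `==` pins; either use an exact version that the Snyk advisory lists as fixed, or change the comment so it no longer says "pinned".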
lxml is described as "pinned" but the specifier is >=6.1.0, which allows future major/minor upgrades and makes installs non-reproducible (especially since nearly all other dependencies in this file use exact == pins). Consider pinning to an exact version (or adding an upper bound) and adjust the comment to match the chosen constraint style.
| lxml>=6.1.0 # not directly required, pinned by Snyk to avoid a vulnerability | |
| lxml==6.1.0 # not directly required; pinned to avoid a vulnerability |
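The review comment above is about a requirements.txt that mixes one `>=` floor into a file of exact `==` pins. The following is an added example, not code from the PR or the project, that parses a requirements file and reports every entry that is not an exact pin; the sample file contents are constructed to mirror the lines visible in the diff.

```python
# Added example (not part of the PR): find non-exact pins in a requirements.txt.
import re
from typing import Dict, List

# Constructed sample modelled on the file in the PR (not the real file).
SAMPLE_REQUIREMENTS = """\
urllib3==2.5.0
elasticsearch==8.12.0
python-dotenv==1.2.2
lxml>=6.1.0 # not directly required, pinned by Snyk to avoid a vulnerability
"""

# Package name, optional [extras], then the rest of the line as the specifier set.
_LINE_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*?)\s*$")


def parse_requirements(text: str) -> Dict[str, str]:
    """Map each normalised package name to its raw specifier ('' if unconstrained).

    Blank lines, full-line comments, inline comments and pip options (-r, -e, ...)
    are skipped so that only package entries are considered.
    """
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        name, _extras, spec = m.groups()
        result[name.lower().replace("_", "-")] = spec
    return result


def find_loose_pins(text: str) -> List[str]:
    """Return package names whose specifier is anything other than one exact '=='.

    A '>=' floor satisfies a vulnerability fix at resolve time, but it does not
    make the install reproducible the way the surrounding exact pins do.
    """
    loose: List[str] = []
    for name, spec in parse_requirements(text).items():
        clauses = [c.strip() for c in spec.split(",") if c.strip()]
        exact = (len(clauses) == 1 and clauses[0].startswith("==")
                 and not clauses[0].endswith(".*"))  # '==1.0.*' is a range, not a pin
        if not exact:
            loose.append(name)
    return loose


if __name__ == "__main__":
    for pkg in find_loose_pins(SAMPLE_REQUIREMENTS):
        print(f"{pkg}: not an exact pin")
```

Run against the sample it reports only lxml; as a CI check it would flag the `>=` line before a reviewer has to.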
Snyk has created this PR to fix 2 vulnerabilities in the pip dependencies of this project.
Snyk changed the following file(s):
services/core-api/requirements.txt
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
Learn how to fix vulnerabilities with free interactive lessons:
🦉 XML External Entity (XXE) Injection