[Snyk] Fix for 6 vulnerabilities

[makaronz]

User description

Snyk has created this PR to fix 6 vulnerabilities in the pip dependencies of this project.

Snyk changed the following file(s):

• requirements.txt

⚠️ Warning

openai 1.53.1 requires jiter, which is not installed.
openai 1.53.1 has requirement typing-extensions<5,>=4.11, but you have typing-extensions 4.7.1.
flake8 5.0.4 has requirement importlib-metadata<4.3,>=1.1.0; python_version < "3.8", but you have importlib-metadata 6.7.0.
fastapi 0.103.2 requires starlette, which is not installed.
alembic 1.12.1 requires Mako, which is not installed.

Breaking Change Risk

Notice: This assessment is enhanced by AI.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.
• Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Out-of-bounds Read
🦉 Directory Traversal
🦉 Uncontrolled Recursion
🦉 More lessons are available in Snyk Learn

---

Summary by cubic

Fixes 6 Snyk-reported vulnerabilities by upgrading cryptography and pinning transitive deps. Also adds missing deps for alembic and fastapi to prevent runtime import errors.

• Dependencies
  • Upgrade cryptography to >=48.0.1.
  • Add pins: mako>=1.3.12, pyasn1>=0.6.3, starlette>=1.3.1.

^{Written for commit 997e553. Summary will update on new commits.}

---

CodeAnt-AI Description

Reduce known dependency vulnerabilities in the Python requirements

What Changed

• Updated the required cryptography version to a safer release.
• Added pinned versions for mako, pyasn1, and starlette so vulnerable transitive packages are replaced during install.

Impact

✅ Fewer security warnings during dependency scans
✅ Lower exposure to known package vulnerabilities
✅ Safer installs for apps using the Python requirements

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

[makaronz]

This set of upgrades includes two high-risk major version updates for cryptography and starlette, and two low-risk minor updates.

High-Risk Upgrades

cryptography 45.0.7 → 48.0.1
This is a significant upgrade with multiple breaking changes across major versions:

• Python Version: Support for Python 3.8 was dropped in version 48.0.0. Python 3.9 or later is now required.
• OpenSSL Version: Support for OpenSSL 1.1.x was removed in version 47.0.0. OpenSSL 3.0.0 or a newer version is now a requirement.
• API Removals: Support for binary elliptic curves (SECT* classes) was removed in version 47.0.0.

Recommendation: Before merging, ensure your environment runs on Python 3.9+ and is linked against OpenSSL 3.0.0 or later. Review any usage of binary elliptic curves and migrate to alternatives.

starlette 0.27.0 → 1.3.1
This major version upgrade to 1.x introduces several breaking changes after a long period in pre-1.0 status:

• Python Version: Starlette 1.0 requires Python 3.9 or higher.
• GraphQL Support: Native GraphQL support has been removed. Projects using it must migrate to a third-party library like Strawberry or Graphene.
• File Uploads: The file argument for UploadFile is now required, which may affect file upload handling.

Recommendation: Verify your Python version is compatible. If you use Starlette's GraphQL features, you must refactor your implementation to use an external library. Test file upload endpoints thoroughly.

Low-Risk Upgrades

• mako 1.2.4 → 1.3.12: This is a minor update consisting of bug fixes and small enhancements with no documented breaking changes.
• pyasn1 0.5.1 → 0.6.3: This minor upgrade includes bug fixes and internal improvements without significant breaking API changes in this range.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
animatize	Ready	Preview, Comment	Jun 25, 2026 6:34pm
skill-deploy-imzhvg9jxo	Ready	Preview, Comment	Jun 25, 2026 6:34pm
skill-deploy-ky4jvc3ssr	Ready	Preview, Comment	Jun 25, 2026 6:34pm
skill-deploy-lzhxodnfwl	Ready	Preview, Comment	Jun 25, 2026 6:34pm

[codeant-ai]

CodeAnt AI is reviewing your PR.

[codeant-ai]

---

Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

[coderabbitai]

Important

Review skipped

Ignore keyword(s) in the title.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 57ff5e35-2023-42dc-91ea-332037617957

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch snyk-fix-b517c2cefc3bc6e673b2396a601dab51

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[codeant-ai]

CodeAnt AI finished reviewing your PR.

[cubic-dev-ai]

No issues found across 1 file

_{Re-trigger cubic}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 997e5537f3

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Remove inline comments from install_requires entries

These comments are safe for pip's requirements-file parser, but setup.py reads this same file with line.strip() and passes each line unchanged to install_requires (setup.py:16,46). In packaging contexts such as the tag-only PyPI workflow's python -m build (.github/workflows/deploy.yml:183-184), entries like mako>=1.3.12 # ... are invalid requirement specifiers, so building/installing the distribution fails before upload.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Align cryptography bump with supported Python versions

This new lower bound makes the package unresolvable on Python 3.8 even though the project still advertises python_requires='>=3.8' in setup.py:45. cryptography 48.0.0+ removed Python 3.8 support, so users installing the package on a claimed-supported 3.8 environment will fail dependency resolution; either keep a Python-version marker/compatible bound for 3.8 or raise the package's Python requirement.

Useful? React with 👍 / 👎.