[Snyk] Security upgrade urllib3 from 1.26.20 to 2.6.3 #526
base: main
Conversation
The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-URLLIB3-14896210
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: fc6a3d4cfd
| slack_sdk==3.22.0 | ||
| python-hcl2==4.3.1 | ||
| pre-commit>=3.5.0 | ||
| urllib3>=2.6.3 # not directly required, pinned by Snyk to avoid a vulnerability |
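Review bot: the new `urllib3>=2.6.3` line is an unbounded floor on a package that, by its own comment, is "not directly required", so it only works if every direct dependency that pulls urllib3 in accepts a 2.x release; the botocore==1.31.67 / boto3==1.28.57 pins named in the review comments on this PR are the ones to check, and if they cap urllib3 below 2.x the resolver will reject the whole requirements set. Either bump botocore/boto3 in the same change or state in the comment which direct dependency's constraints were verified against this floor.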
Avoid urllib3 pin that conflicts with botocore
In smoketests/requirements.txt you now require urllib3>=2.6.3, but botocore==1.31.67 (and thus boto3==1.28.57) declares urllib3<2.0, so this makes the dependency set unsatisfiable and pip install -r requirements.txt (run during the smoketests image build in smoketests/Dockerfile) will fail with a resolver error. This only occurs in environments that build the smoketests container or install these requirements, but it will block those workflows unless you also bump botocore/boto3 to versions compatible with urllib3 2.x or relax the urllib3 floor.
urllib3 2.6.3 incompatible with pinned botocore version
High Severity
The pinned botocore==1.31.67 has version constraints on urllib3 that likely don't allow version 2.6.3. Older botocore versions from late 2023 typically required urllib3<2.1 or similar upper bounds. The Snyk warning in the PR description confirms this conflict: "botocore 1.31.67 requires urllib3, which is not installed." This creates a dependency conflict that would cause pip installation failures or runtime issues with the AWS SDK (boto3/botocore). Either botocore needs to be upgraded to a version that supports urllib3 2.x, or this urllib3 upgrade cannot be applied.
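Both review comments above make the same point: a floor-only pin on a transitive dependency can leave the requirements set unsatisfiable before any vulnerability is fixed. The script below is an added example, not code from this project or from Snyk, Codex or Bugbot. It merges every constraint on each package (the requirements lines plus what the pinned packages declare in their own metadata) and reports packages whose merged version range is empty. The requirements text mirrors the entries named on this page; the `DECLARED_REQUIRES` table is an assumed stand-in for the real package metadata (the exact urllib3 cap in botocore depends on the botocore version and Python version markers), so read the real values from the wheel's METADATA or `importlib.metadata.requires()` before trusting a result.

```python
"""Detect unsatisfiable version ranges in a pip requirements set.

Added example (not the project's code). It keeps only numeric release
segments and ignores environment markers and "!=" holes, which is enough to
catch a floor-above-cap conflict such as urllib3>=2.6.3 versus urllib3<2.1.
"""
import re
from collections import defaultdict

_REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
_SPEC = re.compile(r"(==|!=|>=|<=|>|<)\s*([0-9][0-9.]*)")


def _canon(name):
    """PEP 503 style normalisation: slack_sdk == slack-sdk == Slack.SDK."""
    return re.sub(r"[-_.]+", "-", name).lower()


def _version(text):
    """Numeric release tuple with trailing zeros dropped, so 2.1.0 == 2.1."""
    parts = [int(p) for p in text.strip(".").split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_requirement(line):
    """'urllib3>=2.6.3  # note' -> ('urllib3', [('>=', (2, 6, 3))]); None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = _REQ_LINE.match(line)
    if not m:
        raise ValueError(f"unparsable requirement: {line!r}")
    name, spec_text = m.group(1), m.group(2).split(";")[0]  # drop env markers
    return _canon(name), [(op, _version(v)) for op, v in _SPEC.findall(spec_text)]


def _bounds(specs):
    """Collapse specs into ((lo, lo_inclusive), (hi, hi_inclusive)); None = unbounded."""
    lo = hi = None
    for op, v in specs:
        if op in ("==", ">=", ">"):
            cand = (v, op != ">")
            if lo is None or cand[0] > lo[0] or (cand[0] == lo[0] and not cand[1]):
                lo = cand
        if op in ("==", "<=", "<"):
            cand = (v, op != "<")
            if hi is None or cand[0] < hi[0] or (cand[0] == hi[0] and not cand[1]):
                hi = cand
    return lo, hi


def interval_empty(specs):
    """True when no version can satisfy all specs at once."""
    lo, hi = _bounds(specs)
    if lo is None or hi is None:
        return False
    if lo[0] != hi[0]:
        return lo[0] > hi[0]
    return not (lo[1] and hi[1])  # same version: only fine if both ends inclusive


def find_conflicts(requirements_text, declared_requires):
    """Return [(package, ["origin: spec", ...]), ...] for every package whose
    merged constraints (requirements lines + pinned packages' declarations) are empty.

    declared_requires maps a pinned package name to its install_requires strings.
    """
    declared = {_canon(k): v for k, v in declared_requires.items()}
    constraints = defaultdict(list)  # package -> [(origin, spec text, specs)]
    order = []
    for line in requirements_text.splitlines():
        parsed = parse_requirement(line)
        if parsed is None:
            continue
        name, specs = parsed
        order.append(name)
        constraints[name].append(("requirements.txt", line.split("#")[0].strip(), specs))
        for dep_line in declared.get(name, []):
            dep_name, dep_specs = parse_requirement(dep_line)
            order.append(dep_name)
            constraints[dep_name].append((name, dep_line, dep_specs))
    conflicts = []
    for name in dict.fromkeys(order):  # first-seen order, no duplicates
        entries = constraints[name]
        if interval_empty([s for _, _, specs in entries for s in specs]):
            conflicts.append((name, [f"{origin}: {text}" for origin, text, _ in entries]))
    return conflicts


# Constructed sample mirroring the entries named in this PR's discussion.
SMOKETEST_REQUIREMENTS = """
boto3==1.28.57
botocore==1.31.67
slack_sdk==3.22.0
python-hcl2==4.3.1
pre-commit>=3.5.0
urllib3>=2.6.3 # not directly required, pinned by Snyk to avoid a vulnerability
"""

# ASSUMED metadata for the pinned packages, for illustration only; the real
# urllib3 cap depends on botocore version and Python version markers.
DECLARED_REQUIRES = {
    "botocore": ["urllib3>=1.25.4,<2.1", "jmespath>=0.7.1,<2.0.0", "python-dateutil>=2.1,<3.0.0"],
    "boto3": ["botocore>=1.31.57,<1.32.0", "jmespath>=0.7.1,<2.0.0", "s3transfer>=0.7.0,<0.8.0"],
}

if __name__ == "__main__":
    for pkg, sources in find_conflicts(SMOKETEST_REQUIREMENTS, DECLARED_REQUIRES):
        print(f"unsatisfiable: {pkg}")
        for src in sources:
            print(f"  {src}")
```

Run it as-is and the only package reported is urllib3, with both the Snyk floor and the assumed botocore cap listed as its sources; widen the assumed botocore entry to allow 2.x (or replace the botocore/boto3 pins with releases whose metadata does) and the set becomes satisfiable. The check is deliberately conservative: it proves a set unsatisfiable from ranges alone, but a non-empty interval is not proof that pip will succeed, because it never consults the index for which versions actually exist.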
Snyk has created this PR to fix 1 vulnerability in the pip dependencies of this project.
Snyk changed the following file(s):
smoketests/requirements.txt
Important: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
Note
Adds a security pin for urllib3 in smoketests dependencies to remediate a known vulnerability.
- urllib3>=2.6.3 added to smoketests/requirements.txt; no other files changed
Written by Cursor Bugbot for commit fc6a3d4.