[Snyk] Fix for 4 vulnerabilities#90
The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-BOKEH-14894275
- https://snyk.io/vuln/SNYK-PYTHON-TORCH-13052805
- https://snyk.io/vuln/SNYK-PYTHON-URLLIB3-14896210
- https://snyk.io/vuln/SNYK-PYTHON-WERKZEUG-14908843
Pull request overview
This PR attempts to fix 4 security vulnerabilities identified by Snyk by upgrading dependencies in requirements_tests.txt. However, the automated fixes specify package versions that likely do not exist, making this PR non-functional as-is.
Changes:
- Upgrades torch from >=1.5 to >=2.9.0 (likely non-existent version)
- Upgrades bokeh from ==1.4.0 to ==3.8.2 (likely non-existent version)
- Adds urllib3 constraint >=2.6.3 (likely non-existent version)
- Adds werkzeug constraint >=3.1.5
| @@ -1,4 +1,4 @@ | |||
| torch>=1.5 | |||
| torch>=2.9.0 | |||
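Review bot: raising the floor to torch>=2.9.0 only in requirements_tests.txt leaves production installs unchanged, because requirements.txt still says torch>=1.5, so the torch advisory SNYK-PYTHON-TORCH-13052805 that this PR claims to fix remains open for anyone installing from requirements.txt. Before merging, confirm that a 2.9.0 or later release is actually published on the index (for example with `pip index versions torch`, or a dry-run `pip install "torch>=2.9.0"`) and apply the same floor in requirements.txt; a lower bound that no published release satisfies makes every test install fail at resolution time rather than silently falling back.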
This creates an inconsistency between requirements.txt and requirements_tests.txt. The main requirements.txt specifies torch>=1.5 while this test requirements file now specifies torch>=2.9.0. This means the test environment would require a different (and potentially non-existent) version than the production environment. These version constraints should be aligned, or if tests require a newer version, this should be clearly documented and verified to be compatible with the codebase.
| inflect | ||
| pysbd | ||
| bokeh==1.4.0 | ||
| bokeh==3.8.2 |
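Review bot: the hunk header @@ -1,4 +1,4 @@ describes a four-line file becoming four lines, so the urllib3>=2.6.3 and werkzeug>=3.1.5 constraints listed in the PR description are not present in the diff shown here; either the displayed hunk is incomplete or two of the four advertised fixes were never written to the file, and that needs to be settled before merge. For the bokeh line, moving the exact pin from ==1.4.0 to ==3.8.2 in the test requirements alone means the test suite runs against a bokeh two major versions away from the ==1.4.0 that requirements.txt installs, so a green test run would say nothing about the configuration actually shipped; suggest bumping the pin in both files together, after checking that 3.8.2 exists on the index and reviewing the bokeh 2.x and 3.x changelogs for the APIs this project calls.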
This creates an inconsistency between requirements.txt and requirements_tests.txt. The main requirements.txt specifies bokeh==1.4.0 (exact version) while this test requirements file now specifies bokeh==3.8.2. This is a major version jump (1.4 to 3.8) that likely contains breaking changes. The version should be consistent across both files unless there's a specific reason for the test environment to use a different version. Additionally, bokeh 3.8.2 may not exist and should be verified.
Snyk has created this PR to fix 4 vulnerabilities in the pip dependencies of this project.
Snyk changed the following file(s):
requirements_tests.txt
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.