Skip to content

[Snyk] Fix for 22 vulnerabilities #1261

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
robertatakenaka wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[Snyk] Fix for 22 vulnerabilities #1261

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions requirements/base.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -145,3 +145,4 @@ feedparser==6.0.12
# Xlwt
# ------------------------------------------------------------------------------
xlwt==1.3.0
sqlparse>=0.5.4 # not directly required, pinned by Snyk to avoid a vulnerability
Copy link

Copilot AI Jan 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR description includes warnings about dependency incompatibilities that this change may introduce:

  • "flower 2.0.1 requires tornado, which is not installed"
  • "django-rosetta 0.10.1 has requirement Django>=4.2, but you have Django 3.2.25"
  • "django-prometheus 2.4.1 has requirement Django<6.0,>=4.2, but you have Django 3.2.25"
  • "celery 5.3.0 requires kombu, which is not installed"

While the warnings reference Django 3.2.25 (suggesting the analysis may be outdated since the file shows Django 5.2.7), the missing dependencies (tornado and kombu) could cause runtime issues. Please verify that:

  1. All required transitive dependencies are properly installed
  2. The dependency warnings are accurate for the current state of the project
  3. The project will function correctly after this change

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Jan 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR description states this change upgrades Django from 3.2.25 to 4.2.27 to fix 22 vulnerabilities (20 in Django, 2 in sqlparse). However, the actual diff only adds a sqlparse version constraint and does not include any Django upgrade. The requirements file currently shows Django 5.2.7 at line 19, which contradicts the PR description's claim of upgrading from Django 3.2.25.

This discrepancy suggests either:

  1. The PR description is incorrect or outdated
  2. The Django upgrade was already applied separately
  3. There's a mismatch between what Snyk detected and the actual codebase state

Please verify that the correct changes are being made and update either the PR description or the changes accordingly.

Copilot uses AI. Check for mistakes.
Loading