[Snyk] Fix for 3 vulnerabilities #785
Conversation
The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-DJANGO-14157807 - https://snyk.io/vuln/SNYK-PYTHON-DJANGO-14157810 - https://snyk.io/vuln/SNYK-PYTHON-SQLPARSE-14157217
There was a problem hiding this comment.
Pull request overview
This PR addresses 3 security vulnerabilities by upgrading Django from 3.2.25 to 4.2.27 and sqlparse from 0.4.4 to 0.5.4 in the local development dependencies.
Key changes:
- Pins Django to version 4.2.27 or higher to fix two vulnerabilities (SNYK-PYTHON-DJANGO-14157807, SNYK-PYTHON-DJANGO-14157810)
- Pins sqlparse to version 0.5.4 or higher to fix one vulnerability (SNYK-PYTHON-SQLPARSE-14157217)
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| django-coverage-plugin==3.1.0 # https://github.com/nedbat/django_coverage_plugin | ||
| pytest-django==4.7.0 # https://github.com/pytest-dev/pytest-django | ||
| tornado>=6.4.1 # not directly required, pinned by Snyk to avoid a vulnerability | ||
| django>=4.2.27 # not directly required, pinned by Snyk to avoid a vulnerability |
There was a problem hiding this comment.
The comment 'not directly required' is misleading. Django is a direct dependency (used by django-extensions 3.2.3 as shown in the warning), and this version constraint may conflict with existing Django version specifications elsewhere in the requirements. Consider consolidating Django version requirements into a single, explicit entry in the appropriate requirements file (base.txt or production.txt) rather than using '>=', which could lead to unpredictable version resolution.
| django>=4.2.27 # not directly required, pinned by Snyk to avoid a vulnerability |
| django>=4.2.27 # not directly required, pinned by Snyk to avoid a vulnerability | ||
| sqlparse>=0.5.4 # not directly required, pinned by Snyk to avoid a vulnerability |
There was a problem hiding this comment.
Using '>=' constraints for security fixes in a local development requirements file is problematic. This approach allows any future version (including potentially incompatible major versions like Django 5.x) and doesn't guarantee these constraints apply to production. Security fixes should use exact version pinning (==) or restricted ranges (e.g., >=4.2.27,<5.0) and be placed in the base or production requirements file to ensure they're enforced across all environments.
Snyk has created this PR to fix 3 vulnerabilities in the pip dependencies of this project.
Snyk changed the following file(s):
requirements/local.txtImportant
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 SQL Injection
🦉 Allocation of Resources Without Limits or Throttling