Skip to content

chore(pip): update deps #93

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

chore(pip): update deps #93

wants to merge 2 commits into from

Conversation

@avivkeller
Copy link

@avivkeller avivkeller commented Aug 12, 2025

Resolves the following code scanning alerts via pip-compile requirements.in:

┌──────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library  │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├──────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ aiohttp  │ CVE-2024-52304 │ MEDIUM   │ fixed  │ 3.10.5            │ 3.10.11       │ aiohttp: aiohttp vulnerable to request smuggling due to      │
│          │                │          │        │                   │               │ incorrect parsing of chunk...                                │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-52304                   │
│          ├────────────────┼──────────┤        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│          │ CVE-2025-53643 │ LOW      │        │                   │ 3.12.14       │ aiohttp: AIOHTTP HTTP Request/Response Smuggling             │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-53643                   │
├──────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ black    │ CVE-2024-21503 │ MEDIUM   │        │ 23.3.0            │ 24.3.0        │ psf/black: ReDoS via the lines_with_leading_tabs_expanded()  │
│          │                │          │        │                   │               │ function in strings.py file                                  │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-21503                   │
├──────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ requests │ CVE-2024-35195 │          │        │ 2.31.0            │ 2.32.0        │ requests: subsequent requests to the same host ignore cert   │
│          │                │          │        │                   │               │ verification                                                 │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-35195                   │
│          ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│          │ CVE-2024-47081 │          │        │                   │ 2.32.4        │ requests: Requests vulnerable to .netrc credentials leak via │
│          │                │          │        │                   │               │ malicious URLs                                               │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-47081                   │
├──────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ urllib3  │ CVE-2025-50181 │          │        │ 2.2.3             │ 2.5.0         │ urllib3: urllib3 redirects are not disabled when retries are │
│          │                │          │        │                   │               │ disabled on PoolManager...                                   │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-50181                   │
│          ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│          │ CVE-2025-50182 │          │        │                   │               │ urllib3: urllib3 does not control redirects in browsers and  │
│          │                │          │        │                   │               │ Node.js                                                      │
│          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-50182                   │
└──────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

@socket-security
Copy link

socket-security bot commented Aug 12, 2025
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedmypy@​1.4.1 ⏵ 1.17.175 +1100100100100
Updateddill@​0.3.8 ⏵ 0.4.079 -7100100100100
Updatedblack@​23.3.0 ⏵ 25.1.087 -2100100100100
Updatedckzg@​2.0.1 ⏵ 2.1.110010089100100
Updatedbitarray@​2.9.2 ⏵ 3.6.193 +1100100100100
Updatedclick@​8.1.7 ⏵ 8.2.196 +2100100100100
Updatedaiohttp@​3.10.5 ⏵ 3.12.1597100100100100
Updatedisort@​5.13.2 ⏵ 6.0.197 +1100100100100
Updatedastroid@​3.2.4 ⏵ 3.3.119910010010070
Updatedgreenlet@​3.1.1 ⏵ 3.2.498 +1100100100100
Updatedcharset-normalizer@​3.3.2 ⏵ 3.4.399100100100100
Updatedcertifi@​2024.8.30 ⏵ 2025.8.3100 +110010010070
Updateddune-client@​1.7.5 ⏵ 1.7.1099 +5100100100100 +1
Updatedpackaging@​24.1 ⏵ 25.099100100100100
Updatedcytoolz@​0.12.3 ⏵ 1.0.199 +1100100100100
Updatedaiosignal@​1.3.1 ⏵ 1.4.0100100100 +2100100
Updatedaiohappyeyeballs@​2.4.0 ⏵ 2.6.1100 +1100100100100
Updatedeth-utils@​5.0.0 ⏵ 5.3.0100 +1100100100100
Updatedattrs@​24.2.0 ⏵ 25.3.0100 +1100100100100
Updatedplatformdirs@​4.3.6 ⏵ 4.3.8100 +1100100100100
Updatedeth-account@​0.13.3 ⏵ 0.13.7100 +1100100100100
Updateddeprecated@​1.2.14 ⏵ 1.2.18100 +1100100100100
Addedcolorama@​0.4.6100100100100100
Updatedfrozenlist@​1.4.1 ⏵ 1.7.0100100100100100
Updatedmultidict@​6.1.0 ⏵ 6.6.4100 +1100100100100
Updatediniconfig@​2.0.0 ⏵ 2.1.0100 +1100100100100
Updatedeth-keys@​0.5.1 ⏵ 0.7.0100100100100100
Updatedpluggy@​1.5.0 ⏵ 1.6.0100100100100100
Updatedeth-typing@​5.0.0 ⏵ 5.2.1100 +1100100100100
Updatedeth-abi@​5.1.0 ⏵ 5.2.0100100100100100
Updatedmarshmallow@​3.22.0 ⏵ 3.26.1100 +1100100100100
Addedpropcache@​0.3.2100100100100100
See 4 more rows in the dashboard

View full report

@avivkeller
Copy link
Author

avivkeller commented Aug 12, 2025

https://github.com/cowprotocol/token-imbalances/actions/runs/16908881890/job/47905077936?pr=93#step:11:1524 (is it related?)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@avivkeller