[Snyk] Fix for 3 vulnerabilities

[nn6n]

Snyk has created this PR to fix 3 vulnerabilities in the pip dependencies of this project.

Snyk changed the following file(s):

• test_requirements/requirements_310_core.txt

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.
• Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Resource Exhaustion

[restack-app]

No applications have been configured for previews targeting branch: master. To do so go to restack console and configure your applications for previews.

[gemini-code-assist]

Hello @nn6n, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

Summary of Changes

Hello, gemini-code-assist here, providing a summary of this pull request. This PR was automatically generated by Snyk with the clear objective of addressing three specific security vulnerabilities found in the project's Python dependencies. The proposed changes involve updating certain package versions within the test requirements file to remediate these issues.

Highlights

• Vulnerability Remediation: The primary purpose of this PR is to fix 3 security vulnerabilities identified by Snyk in the project's dependencies.
• Dependency Updates: The fix is implemented by updating the versions of specific packages listed in the test requirements file.

Changelog

• test_requirements/requirements_310_core.txt
  • Upgraded the requests package from version 2.25.1 to 2.32.2.
  • Added a pinned version of the idna package (>=3.7) as recommended by Snyk to avoid a specific vulnerability, noting it's not a direct requirement but a security pin.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

---

Dependencies shift,
Security scans reveal,
Updates make code safe.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request, automatically generated by Snyk, aims to fix three security vulnerabilities by updating requests and idna package versions in test_requirements/requirements_310_core.txt. The changes within this specific file, upgrading requests to 2.32.2 and pinning idna to >=3.7, are positive steps towards mitigating the identified risks (SNYK-PYTHON-IDNA-6597975, SNYK-PYTHON-REQUESTS-5595532, SNYK-PYTHON-REQUESTS-6928867).

However, a significant concern is that these updates appear to be applied only to the Python 3.10 core test requirements file. Other requirements files within the repository (e.g., test_requirements/requirements_38_core.txt, test_requirements/requirements_312_core.txt, and test_requirements/requirements_310_optional.txt) still reference the older, vulnerable version of requests (2.25.1) and do not include the idna pin. This inconsistency could mean that the project remains exposed to these vulnerabilities in other test environments or configurations.

It's crucial to investigate why these changes were limited to a single file and to ensure these security updates are applied consistently across all relevant requirements files to fully address the vulnerabilities.

Summary of Findings

• Inconsistent Dependency Updates Across Test Environments: The security fixes for requests (to version 2.32.2) and idna (pinning to >=3.7) have only been applied to test_requirements/requirements_310_core.txt. Other requirements files, such as test_requirements/requirements_38_core.txt, test_requirements/requirements_312_core.txt, and test_requirements/requirements_310_optional.txt, still use the older, potentially vulnerable version of requests (2.25.1) and lack the idna pin. This inconsistency means the project may still be exposed to the Snyk-identified vulnerabilities in those environments.

Merge Readiness

While the changes made to test_requirements/requirements_310_core.txt are beneficial for security, this pull request should not be merged in its current state. The primary reason is the inconsistent application of security fixes: vulnerabilities are addressed in one test environment (Python 3.10 core) but potentially remain in others (Python 3.8, 3.12, Python 3.10 optional).

I recommend that these security updates for requests and idna be applied consistently across all relevant requirements*.txt files to ensure comprehensive mitigation of the identified vulnerabilities. Until this consistency is achieved, the project remains partially exposed.

As a reviewer, I am unable to approve the pull request. Please ensure these concerns regarding inconsistent updates are addressed and the changes are thoroughly reviewed before merging.

[gemini-code-assist]

This update to requests==2.32.2 is a positive step towards addressing the identified vulnerabilities. The related addition of idna>=3.7 (on line 4) is also a good measure to ensure a specific idna vulnerability is fixed.

However, a key concern is that these important security updates appear to be confined to this requirements_310_core.txt file. I've observed that other requirements files within the test_requirements/ directory (such as requirements_38_core.txt, requirements_312_core.txt, and requirements_310_optional.txt) still specify the older requests==2.25.1 and lack the idna>=3.7 pin.

Could you clarify if these vulnerabilities (Snyk issues: SNYK-PYTHON-IDNA-6597975, SNYK-PYTHON-REQUESTS-5595532, SNYK-PYTHON-REQUESTS-6928867) are intended to be fixed across all relevant test environments? If so, these other files would also need similar updates to ensure consistent protection. Leaving other environments with outdated dependencies could mean they remain vulnerable.