[Snyk] Fix for 26 vulnerabilities #510
Conversation
The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-10074036
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-10302884
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-12485156
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-13836728
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-13837025
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-14157807
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-14157810
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-7435780
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-7436273
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-7436514
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-7436646
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-7642790
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-7642791
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-7642813
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-7642814
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-7886958
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-7886959
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-8456315
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-8456316
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-9296408
- https://snyk.io/vuln/SNYK-PYTHON-GUNICORN-6615672
- https://snyk.io/vuln/SNYK-PYTHON-GUNICORN-9510910
- https://snyk.io/vuln/SNYK-PYTHON-SENTRYSDK-7541801
- https://snyk.io/vuln/SNYK-PYTHON-SQLPARSE-14157217
- https://snyk.io/vuln/SNYK-PYTHON-SQLPARSE-6615674
- https://snyk.io/vuln/SNYK-PYTHON-ZIPP-7430899
Pull request overview
Updates production Python dependencies to address Snyk-reported vulnerabilities.
Changes:
- Bumps gunicorn to 23.0.0 and sentry-sdk to 2.8.0.
- Adds new direct vulnerability-driven constraints for django, sqlparse, and zipp in requirements/production.txt.
| gunicorn==23.0.0 # https://github.com/benoitc/gunicorn | ||
| psycopg2==2.9.9 # https://github.com/psycopg/psycopg2 | ||
| sentry-sdk[django]==2.5.1 # https://github.com/getsentry/sentry-python | ||
| sentry-sdk==2.8.0 # https://github.com/getsentry/sentry-python |
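Review bot: the replacement line drops the `[django]` extra (`sentry-sdk[django]==2.5.1` becomes `sentry-sdk==2.8.0`), so whatever optional dependencies that extra requested for the Django integration are no longer requested by this file. If the bump is only meant to move the version, keep the extra: `sentry-sdk[django]==2.8.0`.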
Minor formatting: other lines in this file use two spaces before inline comments (e.g., gevent==... # ...), but sentry-sdk==2.8.0 # ... uses a single space. Consider normalizing spacing for consistency.
| # ------------------------------------------------------------------------------ | ||
| elastic-apm==6.15.1 No newline at end of file | ||
| elastic-apm==6.15.1 | ||
| django>=4.2.27 # not directly required, pinned by Snyk to avoid a vulnerability |
production.txt already includes -r base.txt, and base.txt pins django==4.1.6 (requirements/base.txt:15). Adding django>=4.2.27 here creates an unsatisfiable constraint (==4.1.6 vs >=4.2.27) and will cause pip install -r requirements/production.txt to fail. Align the Django constraint by updating the pin in base.txt to the intended secure version (or remove the duplicate constraint here if base.txt is the source of truth).
| django>=4.2.27 # not directly required, pinned by Snyk to avoid a vulnerability |
| django>=4.2.27 # not directly required, pinned by Snyk to avoid a vulnerability | ||
| sqlparse>=0.5.4 # not directly required, pinned by Snyk to avoid a vulnerability | ||
| zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability No newline at end of file |
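Review bot: the new last line (`zipp>=3.19.1 ...`) is still marked "No newline at end of file", so the missing-trailing-newline problem that the `elastic-apm==6.15.1` change fixed has just moved to the new end of the file. Add the trailing newline after the zipp line so the next append-style edit does not produce a merged line.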
These new Snyk pins use >= in a file that otherwise pins production deps with ==, which makes production installs non-deterministic and could pull in future major versions (e.g., Django 5.x) without review. Prefer an exact pin (or at least an upper bound like <5) consistent with the rest of this file, ideally managed in the same place as other pins (e.g., base.txt).
| django>=4.2.27 # not directly required, pinned by Snyk to avoid a vulnerability | |
| sqlparse>=0.5.4 # not directly required, pinned by Snyk to avoid a vulnerability | |
| zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability | |
| django==4.2.27 # not directly required, pinned by Snyk to avoid a vulnerability | |
| sqlparse==0.5.4 # not directly required, pinned by Snyk to avoid a vulnerability | |
| zipp==3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability |
| elastic-apm==6.15.1 | ||
| django>=4.2.27 # not directly required, pinned by Snyk to avoid a vulnerability | ||
| sqlparse>=0.5.4 # not directly required, pinned by Snyk to avoid a vulnerability | ||
| zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability No newline at end of file |
The header says to avoid production dependencies that aren't in development (-r base.txt is intended to keep envs aligned). Adding direct vulnerability pins only in production.txt means local/dev installs from requirements/local.txt won't match production. Consider moving these vulnerability-driven constraints into base.txt so all environments exercise the same dependency set.
| elastic-apm==6.15.1 | |
| django>=4.2.27 # not directly required, pinned by Snyk to avoid a vulnerability | |
| sqlparse>=0.5.4 # not directly required, pinned by Snyk to avoid a vulnerability | |
| zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability | |
| elastic-apm==6.15.1 |
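The three review comments above (the `==4.1.6` vs `>=4.2.27` conflict, the open-ended `>=` pins in a file that otherwise pins exactly, and constraints living in production.txt that base.txt should own) are all mechanically checkable before `pip install` ever runs. The following is an added example, not code from the Snyk PR or from the project: a small dependency-free linter that follows `-r` includes and reports each of those problems. The requirements contents in `FILES` are constructed to mirror the diff; the `django==4.1.6` line in base.txt is taken from the review comment, and everything else in base.txt is assumed. Version comparison covers dotted integer versions only, which is all these pins use.

```python
"""Lint a pip requirements tree for conflicting, open-ended and misplaced pins.

Added example (not the project's or Snyk's code). Reports:
  1. unsatisfiable constraints (an ``==`` pin in one file vs ``>=`` in another),
  2. lower bounds with no upper bound in a file that otherwise pins with ``==``,
  3. packages a child file re-constrains although the parent already pins them.
"""
import posixpath
import re
from typing import Dict, List, NamedTuple, Tuple


class Req(NamedTuple):
    file: str
    name: str
    op: str
    version: str


# Constructed stand-in for the filesystem so the example runs offline.  The
# django==4.1.6 line comes from the review comment; the rest of base.txt is assumed.
FILES: Dict[str, str] = {
    "requirements/base.txt": "django==4.1.6  # other pins in base.txt not shown\n",
    "requirements/production.txt": (
        "-r base.txt\n"
        "gunicorn==23.0.0\n"
        "psycopg2==2.9.9\n"
        "sentry-sdk==2.8.0\n"
        "elastic-apm==6.15.1\n"
        "django>=4.2.27  # not directly required, pinned by Snyk\n"
        "sqlparse>=0.5.4  # not directly required, pinned by Snyk\n"
        "zipp>=3.19.1  # not directly required, pinned by Snyk\n"
    ),
}

# name, optional [extras], one operator, dotted numeric version
REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(==|~=|>=|<=|>|<)\s*([0-9][0-9.]*)"
)


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.strip(".").split("."))


def satisfies(version: str, op: str, bound: str) -> bool:
    """True if ``version`` meets the single specifier ``op bound``."""
    a, b = parse_version(version), parse_version(bound)
    if op == "~=":  # compatible release: >= bound and same prefix up to the last part
        return a >= b and a[: len(b) - 1] == b[: len(b) - 1]
    return {"==": a == b, ">=": a >= b, "<=": a <= b, ">": a > b, "<": a < b}[op]


def load(path: str, files: Dict[str, str] = FILES) -> List[Req]:
    """Parse one requirements file, recursing into ``-r`` includes relative to it."""
    reqs: List[Req] = []
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].strip()  # drop inline comments
        if not line:
            continue
        if line.startswith("-r "):
            target = posixpath.join(posixpath.dirname(path), line[3:].strip())
            reqs.extend(load(target, files))
            continue
        m = REQ_RE.match(line)
        if m:
            reqs.append(Req(path, m.group(1).lower(), m.group(2), m.group(3)))
    return reqs


def find_conflicts(reqs: List[Req]) -> List[Tuple[str, Req, Req]]:
    """(name, pin, other): an exact pin that fails another constraint on the same package."""
    by_name: Dict[str, List[Req]] = {}
    for r in reqs:
        by_name.setdefault(r.name, []).append(r)
    out = []
    for name, rs in by_name.items():
        for pin in (r for r in rs if r.op == "=="):
            for other in rs:
                if other is not pin and not satisfies(pin.version, other.op, other.version):
                    out.append((name, pin, other))
    return out


def find_open_ended(reqs: List[Req]) -> List[Req]:
    """Lower bounds with no upper bound, in files that otherwise pin with ``==``."""
    out = []
    for f in dict.fromkeys(r.file for r in reqs):  # files in first-seen order
        in_file = [r for r in reqs if r.file == f]
        if not any(r.op == "==" for r in in_file):
            continue
        for r in in_file:
            capped = any(o.name == r.name and o.op in ("<", "<=", "==", "~=") for o in in_file)
            if r.op in (">=", ">") and not capped:
                out.append(r)
    return out


def find_overrides(reqs: List[Req], parent: str, child: str) -> List[str]:
    """Packages the child file re-constrains although the parent already pins them."""
    pinned_in_parent = {r.name for r in reqs if r.file == parent and r.op == "=="}
    return sorted({r.name for r in reqs if r.file == child and r.name in pinned_in_parent})


if __name__ == "__main__":
    reqs = load("requirements/production.txt")
    for name, pin, other in find_conflicts(reqs):
        print(f"CONFLICT {name}: {pin.file} =={pin.version} vs {other.file} {other.op}{other.version}")
    for r in find_open_ended(reqs):
        print(f"OPEN-ENDED {r.file}: {r.name}{r.op}{r.version} has no upper bound")
    for name in find_overrides(reqs, "requirements/base.txt", "requirements/production.txt"):
        print(f"OVERRIDE {name}: constrained in production.txt but already pinned in base.txt")
```

Running it on the constructed tree reports one conflict (django, base.txt `==4.1.6` against production.txt `>=4.2.27`), three open-ended pins (django, sqlparse, zipp) and one override (django). Note that swapping the three `>=` pins for `==`, as the suggestion above does, clears the open-ended finding but leaves the django conflict in place (now two exact pins disagree), which is why the pin in base.txt has to move as well.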
Snyk has created this PR to fix 26 vulnerabilities in the pip dependencies of this project.
Snyk changed the following file(s):
requirements/production.txt
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Allocation of Resources Without Limits or Throttling
🦉 Improper Output Neutralization for Logs
🦉 SQL Injection