Skip to content

[Snyk] Security upgrade lxml from 5.4.0 to 6.1.0#622

Open
robertatakenaka wants to merge 2 commits intomainfrom
snyk-fix-c8721acbe6cfb325c20dc4d341988f27
Open

[Snyk] Security upgrade lxml from 5.4.0 to 6.1.0#622
robertatakenaka wants to merge 2 commits intomainfrom
snyk-fix-c8721acbe6cfb325c20dc4d341988f27

Conversation

@robertatakenaka
Copy link
Copy Markdown
Member

@robertatakenaka robertatakenaka commented Apr 23, 2026

snyk-top-banner

Snyk has created this PR to fix 1 vulnerabilities in the pip dependencies of this project.

Snyk changed the following file(s):

  • requirements/base.txt
⚠️ Warning 
Sickle 0.7.0 requires lxml, which is not installed.
citeproc-py-styles 0.1.5 requires lxml, which is not installed.
celery 5.3.0 requires kombu, which is not installed.

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 XML External Entity (XXE) Injection

@snyk-bot
fix: requirements/base.txt to reduce vulnerabilities
c567ecf 
The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-LXML-16119103
Copilot AI review requested due to automatic review settings April 23, 2026 18:30
@snyk-bot
fix: requirements/base.txt to reduce vulnerabilities
f3c32c0 
The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-LXML-16119103
Copilot AI reviewed Apr 23, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses a Snyk-reported vulnerability by explicitly adding a safe lxml version constraint to the project’s Python requirements.

Changes:

  • Add an explicit lxml dependency constraint to remediate SNYK-PYTHON-LXML-16119103.
  • Ensure citeproc-py-styles remains included in the base requirements list.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread requirements/base.txt
citeproc-py==0.9.0 # https://pypi.org/project/citeproc-py/
citeproc-py-styles==0.1.5 # https://pypi.org/project/citeproc-py-styles/ (bibtex.csl, etc.) No newline at end of file
citeproc-py-styles==0.1.5 # https://pypi.org/project/citeproc-py-styles/ (bibtex.csl, etc.)
lxml>=6.1.0 # not directly required, pinned by Snyk to avoid a vulnerability No newline at end of file
Copy link

Copilot AI Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

requirements/base.txt consistently pins dependencies with == (likely for reproducible installs), but this adds lxml>=6.1.0, which can pull in unexpected future major/minor releases. Consider pinning to lxml==6.1.0 (or at least bounding it, e.g. <7) to match the rest of this file’s versioning approach.

Suggested change
lxml>=6.1.0 # not directly required, pinned by Snyk to avoid a vulnerability
lxml==6.1.0 # not directly required, pinned by Snyk to avoid a vulnerability

Copilot uses AI. Check for mistakes.
Comment thread requirements/base.txt
citeproc-py==0.9.0 # https://pypi.org/project/citeproc-py/
citeproc-py-styles==0.1.5 # https://pypi.org/project/citeproc-py-styles/ (bibtex.csl, etc.) No newline at end of file
citeproc-py-styles==0.1.5 # https://pypi.org/project/citeproc-py-styles/ (bibtex.csl, etc.)
lxml>=6.1.0 # not directly required, pinned by Snyk to avoid a vulnerability No newline at end of file
Copy link

Copilot AI Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The inline note says lxml is "not directly required", but the codebase imports lxml directly (e.g., harvest/parse_info_oai_pmh.py and harvest/tests.py). Updating the comment to reflect it’s a direct dependency (and/or clarifying why it’s listed explicitly) will avoid confusion during dependency audits.

Suggested change
lxml>=6.1.0 # not directly required, pinned by Snyk to avoid a vulnerability
lxml>=6.1.0 # direct dependency; explicitly constrained to avoid a vulnerability

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@robertatakenaka @snyk-bot