@@ -1,4 +1,4 @@
aiohttp==3.8.4
aiohttp==3.13.3

Dependency version conflict between aiohttp and its dependencies

High Severity

Upgrading aiohttp from 3.8.4 to 3.13.3 is a significant major version jump that requires compatible versions of its dependencies. The requirements.txt still pins yarl==1.9.2, frozenlist==1.3.3, multidict==6.0.4, and aiosignal==1.3.1, which are likely incompatible with aiohttp==3.13.3. This will cause pip to fail resolving dependencies or produce runtime errors. When aiohttp is upgraded, its peer dependencies also need to be upgraded to compatible versions.

🔬 Verification Test

Why verification test was not possible: This is a dependency version conflict issue that would manifest during pip install -r requirements.txt. The PR description's warning ("requests 2.29.0 requires urllib3, which is not installed") confirms pip resolver issues. Verifying this would require running pip install in an isolated environment, which would fail due to conflicting version constraints between aiohttp==3.13.3 and the pinned older versions of yarl, frozenlist, multidict, and aiosignal.

aiosignal==1.3.1
async-timeout==4.0.2
attrs==23.1.0
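
Review bot: the aiohttp line at the top of this hunk is edited on its own while aiosignal==1.3.1 and async-timeout==4.0.2 directly below it keep their old pins. In a fully pinned file, regenerate the whole set with a resolver instead of editing one line, and add a CI step that installs the file in a clean virtualenv and runs pip check so an inconsistent pin set fails before merge.
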
Expand Down Expand Up @@ -28,5 +28,5 @@ tenacity==8.2.2
tqdm==4.65.0
typing-inspect==0.8.0
typing_extensions==4.5.0
urllib3==1.26.15
urllib3==2.6.3

P2 Badge Align urllib3 pin with requests 2.29.0 constraints

The updated pin urllib3==2.6.3 conflicts with requests==2.29.0 in this same requirements file: requests 2.29.0 declares urllib3<1.27, so pip install -r requirements.txt will fail to resolve (or will force a downgrade) when setting up the example. This breaks the example environment for anyone installing from this file; consider upgrading requests to a version that supports urllib3>=2 or keeping urllib3 within the <1.27 range.

Useful? React with 👍 / 👎.
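
The check the comment above describes, as an added example that is not part of this PR or of the project's code: it reads name==version pins and reports any declared range that the pinned set violates. The function names and the `DECLARED` table are hypothetical; the table holds only the `urllib3<1.27` constraint quoted in the comment, and the requests pin is taken from the comment because it is not visible in the diff.

```python
import operator
import re

# Declared ranges keyed by (package, pinned version). The one entry is the
# constraint quoted in the review comment; a real table would be filled from
# each package's Requires-Dist metadata.
DECLARED = {("requests", "2.29.0"): ["urllib3<1.27"]}

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq, "!=": operator.ne}
SPEC = re.compile(r"^([A-Za-z0-9_.-]+)\s*(<=|>=|==|!=|<|>)\s*(\d+(?:\.\d+)*)$")

def norm(name):
    """PEP 503 normalisation, so typing_extensions equals typing-extensions."""
    return re.sub(r"[-_.]+", "-", name).lower()

def vtuple(version):
    """Numeric releases only, padded so that 1.27 compares equal to 1.27.0."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def parse_pins(text):
    """Return {normalised name: version} for every name==version line."""
    pins = {}
    for line in text.splitlines():
        m = SPEC.match(line.split("#", 1)[0].strip())
        if m and m.group(2) == "==":
            pins[norm(m.group(1))] = m.group(3)
    return pins

def conflicts(text, declared=DECLARED):
    """List every declared range that the pinned set does not satisfy."""
    pins, found = parse_pins(text), []
    for (pkg, ver), reqs in declared.items():
        if pins.get(norm(pkg)) != ver:
            continue  # that release is not the one pinned in this file
        for req in reqs:
            dep, op, bound = SPEC.match(req).groups()
            pinned = pins.get(norm(dep))
            if pinned is None:
                found.append(f"{pkg}=={ver} needs {req}, but {dep} is not pinned")
            elif not OPS[op](vtuple(pinned), vtuple(bound)):
                found.append(f"{pkg}=={ver} needs {req}, but {dep}=={pinned} is pinned")
    return found

# Constructed inputs: the two pins discussed above, before and after the PR.
BEFORE = "requests==2.29.0\nurllib3==1.26.15\n"
AFTER = "requests==2.29.0\nurllib3==2.6.3\n"
```

`pip check` performs the same comparison against the metadata of the packages actually installed, so it is the command to run in CI after installing the file.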

Incompatible requests and urllib3 version combination

High Severity

Upgrading urllib3 from 1.26.15 to 2.6.3 while keeping requests==2.29.0 creates a known compatibility issue (GitHub psf/requests#6432). The PR description's warning confirms this: "requests 2.29.0 requires urllib3, which is not installed." requests version 2.30.0 or later properly supports urllib3 2.x. This combination will likely cause import errors or runtime failures when making HTTP requests.

🔬 Verification Test

Why verification test was not possible: This is a known dependency compatibility issue documented in GitHub issue psf/requests#6432 ("The latest version of requests (2.29.0) does not support urllib3 2.0.0"). The PR description's warning message explicitly confirms the conflict. Testing would require installing both packages together and attempting to make HTTP requests, which would fail at import time or when making requests.

yarl==1.9.2
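
Review bot: the urllib3 line moves across a major version (1.26.15 to 2.6.3) as a one-line edit, and the trailing context still shows yarl==1.9.2 at its old pin. The packages that depend on urllib3 sit outside this hunk's context, so the diff alone cannot show whether they accept 2.x; bump them in the same commit or stay on the 1.26 series, and have CI confirm the set resolves in a clean environment (pip install -r requirements.txt followed by pip check).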