
fix: resolve open dependabot security alerts#110

Open
jonathannorris wants to merge 4 commits into main from fix/dependabot-security-alerts

Conversation

@jonathannorris (Member)

Summary

Resolved 9 open Dependabot security alerts by bumping vulnerable dependencies.

Dependabot Alerts Resolved

Alert Package Severity Fix
#7 requests medium Bumped minimum to 2.33.0 in requirements.txt
#8 requests medium Bumped minimum to 2.33.0 in setup.py (via requirements.txt)
#6 requests medium Bumped minimum to 2.33.0 (transitive via parent package)
#14 pytest medium Bumped minimum to 9.0.3 in requirements.test.txt
#9 Django high Bumped minimum to 6.0.4 in example/django-app
#10 Django medium Bumped minimum to 6.0.4 in example/django-app
#11 Django high Bumped minimum to 6.0.4 in example/django-app
#12 Django low Bumped minimum to 6.0.4 in example/django-app
#13 Django low Bumped minimum to 6.0.4 in example/django-app

black>=26.3.1 requires Python 3.10+, but unit tests run on 3.9.
Move black, mypy, and ruff into a separate requirements.lint.txt
used only by the lint workflow (Python 3.12).
- requests >= 2.33.0 to address CVE (medium, alerts #7, #8)
- pytest >= 9.0.3 to address vulnerability (medium, alert #14)
- django >= 6.0.4 in example app to address multiple CVEs (alerts #9-#13)
@jonathannorris jonathannorris requested a review from a team as a code owner April 22, 2026 19:47
Copilot AI review requested due to automatic review settings April 22, 2026 19:47

Copilot AI left a comment


Pull request overview

Resolves multiple Dependabot security alerts by bumping minimum versions of vulnerable Python dependencies and aligning CI to a dedicated lint dependency set.

Changes:

  • Bumped requests minimum version in requirements.txt.
  • Bumped test dependency pytest minimum version and reorganized dev dependencies by introducing requirements.lint.txt.
  • Bumped example Django app minimum Django version and updated the lint workflow to install lint-only requirements.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 3 comments.

File Description
requirements.txt Raises minimum requests version to address security alerts.
requirements.test.txt Updates pytest minimum version and trims lint-only tooling from test deps.
requirements.lint.txt New lint requirements file (black/mypy/ruff + type stubs).
example/django-app/requirements.txt Raises minimum Django version for the example app.
.github/workflows/lint.yml Switches lint CI to install from requirements.lint.txt.


Comment thread requirements.lint.txt
Comment on lines +7 to +8
types-requests~=2.32.0
types-urllib3~=1.26.25.14
Copilot AI Apr 22, 2026


types-requests and types-urllib3 are pinned to stub versions that don’t match the newly bumped runtime dependencies (requests >= 2.33.0 and urllib3 >= 1.15.1, which permits urllib3 2.x). This can cause mypy/IDE types to diverge from the actual installed APIs. Consider bumping the stub packages to versions compatible with the allowed runtime ranges (or tightening the runtime ranges to match the available stubs).

Suggested change
types-requests~=2.32.0
types-urllib3~=1.26.25.14
types-requests
types-urllib3

Comment thread requirements.test.txt
Comment on lines 6 to 7
types-requests~=2.32.0
types-urllib3~=1.26.25.14

Copilot AI Apr 22, 2026


types-requests / types-urllib3 are still pinned to stub versions that don’t align with the bumped runtime dependencies from requirements.txt (notably requests >= 2.33.0 and an unbounded urllib3 major version). This can lead to type checking against the wrong API surface. Update the stub versions (or constrain the runtime deps) so they stay in sync.

Suggested change
types-requests~=2.32.0
types-urllib3~=1.26.25.14
types-requests~=2.33.0
types-urllib3~=2.0

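The stub-versus-runtime mismatch raised in the two comments above can be checked mechanically rather than by eye. The script below is an added example, not code from this PR or the project: it parses requirement lines (the inputs are constructed here from the pins quoted in the thread), collapses each package's specifiers into a version interval, and flags a types-* pin whose interval is disjoint from its runtime package's interval (no single installed version can satisfy both files, so mypy is checking against an API the code will never run on) or that fails to cover the runtime range (the stub tracks one minor while the runtime is free to float past it). RUNTIME_TIGHT is a hypothetical tightened requirements.txt standing in for the "constrain the runtime deps" alternative the comments mention. Only ==, ~=, >=, >, <= and < with plain numeric versions are handled; environment markers, extras and wildcard pins are not.

```python
"""Stub-vs-runtime drift check for pip requirements files (added example)."""
import re
Range = tuple  # (lower, lower inclusive, upper, upper inclusive); None = unbounded
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
_SPEC_RE = re.compile(r"^(==|~=|>=|<=|>|<)\s*([0-9]+(?:\.[0-9]+)*)$")

def compare(a: tuple, b: tuple) -> int:
    """PEP 440 ignores trailing zeros (2.33 == 2.33.0), so pad before comparing."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def parse_requirements(text: str) -> dict[str, list[tuple[str, tuple]]]:
    """Map normalized name -> [(operator, version tuple), ...]; no markers or extras."""
    reqs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _NAME_RE.match(line)
        if not m:
            raise ValueError(f"unsupported requirement: {raw!r}")
        specs = []
        for piece in (p.strip() for p in m.group(2).split(",") if p.strip()):
            sm = _SPEC_RE.match(piece)
            if not sm:
                raise ValueError(f"unsupported specifier {piece!r} in {raw!r}")
            specs.append((sm.group(1), tuple(int(x) for x in sm.group(2).split("."))))
        reqs[m.group(1).lower().replace("_", "-")] = specs
    return reqs

def _tighten(cur, cur_incl, new, new_incl, want):
    """Keep the stricter of two bounds; want=1 for lower bounds, -1 for upper."""
    if cur is None:
        return new, new_incl
    c = compare(new, cur)
    if c == want:
        return new, new_incl
    return cur, (cur_incl and new_incl) if c == 0 else cur_incl

def range_of(specs) -> Range:
    """Collapse a specifier list into one interval (~= needs two or more parts)."""
    lo, lo_incl, hi, hi_incl = None, True, None, False
    for op, ver in specs:
        if op == "~=":  # ~=X.Y.Z means >=X.Y.Z, ==X.Y.*: bump the second-to-last part
            lo, lo_incl = _tighten(lo, lo_incl, ver, True, 1)
            hi, hi_incl = _tighten(hi, hi_incl, ver[:-2] + (ver[-2] + 1,), False, -1)
        elif op == "==":
            lo, lo_incl = _tighten(lo, lo_incl, ver, True, 1)
            hi, hi_incl = _tighten(hi, hi_incl, ver, True, -1)
        elif op in (">=", ">"):
            lo, lo_incl = _tighten(lo, lo_incl, ver, op == ">=", 1)
        else:
            hi, hi_incl = _tighten(hi, hi_incl, ver, op == "<=", -1)
    return lo, lo_incl, hi, hi_incl

def overlaps(a: Range, b: Range) -> bool:
    """True if at least one version satisfies both intervals."""
    lo, lo_incl = (a[0], a[1]) if b[0] is None else _tighten(a[0], a[1], b[0], b[1], 1)
    hi, hi_incl = (a[2], a[3]) if b[2] is None else _tighten(a[2], a[3], b[2], b[3], -1)
    if lo is None or hi is None:
        return True
    c = compare(lo, hi)
    return c < 0 or (c == 0 and lo_incl and hi_incl)

def covers(outer: Range, inner: Range) -> bool:
    """True if every version allowed by inner is also allowed by outer."""
    for want, o, o_incl, i, i_incl in ((1, *outer[:2], *inner[:2]), (-1, *outer[2:], *inner[2:])):
        if o is None:  # outer is unbounded on this side, so anything is covered
            continue
        if i is None or compare(i, o) == -want or (compare(i, o) == 0 and i_incl and not o_incl):
            return False
    return True

def audit_stubs(runtime_text: str, stub_text: str) -> list[tuple[str, str]]:
    """One finding per types-* pin: 'disjoint' (no version satisfies both files) or
    'runtime-exceeds-stubs' (runtime may float outside the stubbed range)."""
    runtime = parse_requirements(runtime_text)
    findings = []
    for name, specs in parse_requirements(stub_text).items():
        if not name.startswith("types-") or name[6:] not in runtime:
            continue  # not a stub, or its runtime package is declared elsewhere
        stub, run = range_of(specs), range_of(runtime[name[6:]])
        if not overlaps(stub, run):
            findings.append((name, "disjoint"))
        elif not covers(stub, run):
            findings.append((name, "runtime-exceeds-stubs"))
    return findings

# Constructed inputs mirroring the pins quoted in the review thread; RUNTIME_TIGHT is
# a hypothetical tightened requirements.txt, the other option the review mentions.
RUNTIME = "requests >= 2.33.0\nurllib3 >= 1.15.1\n"
STUBS_BEFORE = "types-requests~=2.32.0\ntypes-urllib3~=1.26.25.14\n"
STUBS_AFTER = "types-requests~=2.33.0\ntypes-urllib3~=2.0\n"
RUNTIME_TIGHT = "requests >= 2.33.0, < 2.34\nurllib3 >= 2.0, < 3\n"

if __name__ == "__main__":
    for rt, st in ((RUNTIME, STUBS_BEFORE), (RUNTIME, STUBS_AFTER), (RUNTIME_TIGHT, STUBS_AFTER)):
        print(audit_stubs(rt, st) or "stubs track runtime")
```

With the current pins, types-requests comes back as disjoint, which is the hard failure: ~=2.32.0 allows only 2.32.x while the runtime demands at least 2.33.0. Bumping the stubs alone still leaves both packages at runtime-exceeds-stubs, because an unbounded >= on the runtime side can drift past any ~= stub pin; pairing the stub bump with an upper bound on the runtime requirement is what makes the audit come back empty. One caveat before adopting types-urllib3~=2.0: confirm that a stub release for that major actually exists, since urllib3 2.x ships its own type hints and the separate stub package may no longer track it.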
@@ -1,2 +1,2 @@
django >= 4.2
django >= 6.0.4
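Review bot: `django >= 6.0.4` has no upper bound and jumps two major versions past the `4.2` floor it replaces, so the example app will also pick up the next Django major the day it ships; add a ceiling such as `django >= 6.0.4, < 7`, and since this PR's own commit notes change which Python versions CI runs, confirm the example's documented Python version is one Django 6 supports when the README's "Django 4.2+" text is updated.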

Copilot AI Apr 22, 2026


This bumps the example app dependency from Django 4.2+ to django >= 6.0.4, but the example’s README still states it requires “Django 4.2+”. Please update the example documentation to reflect the new minimum Django version so users don’t install an incompatible version.

Python 3.9 reached EOL in October 2025. requests>=2.33.0 requires
Python>=3.10, so we replace 3.9 with 3.10 in the test matrix.