[Snyk] Security upgrade urllib3 from 2.0.7 to 2.5.0

[paaschdigital]

Snyk has created this PR to fix 2 vulnerabilities in the pip dependencies of this project.

Snyk changed the following file(s):

• requires-install.txt

⚠️ Warning

equests 2.31.0 requires urllib3, which is not installed.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.
• Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Open Redirect

[gemini-code-assist]

Summary of Changes

Hello @paaschdigital, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request is an automated security update initiated by Snyk to mitigate known vulnerabilities within the project's Python dependencies. It focuses on ensuring a critical networking library is at a secure version, thereby enhancing the overall security posture of the application.

Highlights

• Security Vulnerability Fix: This pull request addresses two identified security vulnerabilities by upgrading the urllib3 dependency to version 2.5.0.
• Dependency Pinning: The urllib3 package, which was previously an indirect dependency (likely via requests), is now explicitly pinned in requires-install.txt to ensure the vulnerable versions are not used.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This Snyk PR proposes upgrading urllib3 from a reported version 2.0.7 to 2.5.0 to address security vulnerabilities. The primary concern identified is a potential dependency incompatibility with the requests library, stemming from contradictory information within the Snyk PR description itself.

Snyk's metadata suggests the project was using urllib3 2.0.7, which would imply requests is already version 2.32.0 or newer and thus compatible with the urllib3 2.x series. However, a warning in the PR description mentions requests 2.31.0, which is not compatible with urllib3 2.x (it requires urllib3 <1.27).

This discrepancy needs careful verification by the author. If an older requests version is in use, this urllib3 upgrade will likely break the application. The recommended actions involve verifying the actual requests version and then either upgrading requests or adjusting the urllib3 pin to a compatible 1.x version. Explicitly pinning requests is also advised for future stability. Please see the detailed comment on requires-install.txt.

[gemini-code-assist]

Potential Dependency Incompatibility - Verification Needed

Snyk's metadata for this PR (visible in the PR description's raw markdown) states this is an upgrade from urllib3 2.0.7 to 2.5.0. If urllib3 2.0.7 was indeed the version in use, your requests dependency (currently unpinned in this file) should have resolved to a version compatible with urllib3 2.x (i.e., requests >= 2.32.0).

However, the Snyk PR description also prominently displays a warning: requests 2.31.0 requires urllib3, which is not installed. Version 2.31.0 of requests is not compatible with urllib3 2.x, as it specifically requires urllib3 < 1.27. This information is contradictory and presents a risk.

Action Required:

1. Verify your project's currently resolved requests and urllib3 versions in your development and production environments.
2. Scenario A: If requests is < 2.32.0 (e.g., 2.31.0 as per the Snyk warning):
   This pin to urllib3>=2.5.0 will cause a dependency conflict and likely break your application.
   • Solution 1 (Recommended): Upgrade requests to requests>=2.32.0 and explicitly pin it in requires-install.txt. This urllib3 pin would then be compatible.
   • Solution 2: If requests cannot be upgraded, this urllib3 pin to 2.5.0 is incorrect. You must use a urllib3 1.x version that fixes the Snyk vulnerabilities and is compatible with your requests version (e.g., urllib3>=1.26.18,<1.27). You would need to verify which 1.x version is appropriate and modify this line accordingly. See the code suggestion for an example of what this line might look like in that case.
3. Scenario B: If requests is already >= 2.32.0 (and urllib3 2.0.7 was indeed in use):
   This urllib3>=2.5.0 pin is likely compatible. For robustness and clarity, consider explicitly pinning your requests version (e.g., requests>=2.32.0) in requires-install.txt to ensure continued compatibility and prevent accidental resolution to an older, incompatible requests version in the future.

Please investigate this potential discrepancy thoroughly before merging to prevent runtime failures.

urllib3>=1.26.18,<1.27 # Example: IF requests < 2.32.0 is used AND this 1.x version fixes Snyk issues AND is compatible. VERIFY!