[Snyk] Security upgrade requests from 2.31.0 to 2.33.0#191
Conversation
The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-REQUESTS-15763443
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| Pillow | ||
| stellar-sdk>=4.0.0,<6.0.0 | ||
| rlp>=1.1.0 ; python_version<'3.7' | ||
| requests>=2.33.0 # not directly required, pinned by Snyk to avoid a vulnerability |
There was a problem hiding this comment.
Requests 2.33.0 requires Python 3.10+, breaking older versions
High Severity
The pinned requests>=2.33.0 requires Python 3.10+, but this project supports Python 3.6+ (per setup.py's python_requires=">=3.6"). The tox configuration runs full environments (which install requirements-optional.txt) on py36 through py39. On those Python versions, pip will fail to find any requests version satisfying >=2.33.0, breaking dependency resolution and the CI test matrix for four out of five tested Python versions. A python_version environment marker is needed to restrict this constraint to Python 3.10+.
| Pillow | ||
| stellar-sdk>=4.0.0,<6.0.0 | ||
| rlp>=1.1.0 ; python_version<'3.7' | ||
| requests>=2.33.0 # not directly required, pinned by Snyk to avoid a vulnerability |
There was a problem hiding this comment.
Security fix applied to wrong file, ineffective for users
Medium Severity
The requests security pin is placed in requirements-optional.txt, but requests>=2.4.0 is already a direct dependency in requirements.txt (which feeds install_requires in setup.py). The requirements-optional.txt file is only consumed by the full tox test variant — it has no effect on end-user package installations. Users installing via pip install trezor or pip install -r requirements.txt will still resolve to potentially vulnerable requests versions. The vulnerability fix is effectively a no-op.


Snyk has created this PR to fix 1 vulnerabilities in the pip dependencies of this project.
Snyk changed the following file(s):
python/requirements-optional.txtImportant
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Insecure Temporary File
Note
Low Risk
Low risk dependency-only change: adds a
requests>=2.33.0pin in optional Python requirements to address a known vulnerability, with minimal impact beyond potential dependency resolution differences.Overview
Pins
requeststo>=2.33.0inpython/requirements-optional.txt(even though it is transitive) to remediate a Snyk-reported vulnerability and ensureweb3’srequestsdependency is explicitly installed.Written by Cursor Bugbot for commit e710e8b. This will update automatically on new commits. Configure here.