Open
Conversation
The default AWS S3 URLs only support IPv4, whereas the dual-stack URLs support both IPv4 and IPv6: https://docs.aws.amazon.com/AmazonS3/latest/API/ipv6-access.html https://docs.aws.amazon.com/AmazonS3/latest/API/dual-stack-endpoints.html By switching to the dual-stack URLs, it means systems that support IPv6 will now use it instead of IPv4, which is helpful in IPv6 environments where IPv4 traffic has to fall back to being routed via NAT gateways (which has performance and ingress cost implications). See also: https://salesforce-internal.slack.com/archives/C01R6FJ738U/p1770827176094169 GUS-W-21335961.
In NLTK v3.9.3, a new security check was added for the Zip Slip issue: nltk/nltk#3468 This change unfortunately contained a bug that causes false positive security errors when packages are downloaded to a symlinked path, since the new check doesn't use `abspath` vs `realpath` consistently: nltk/nltk#3509 This causes errors like: ``` -----> Downloading NLTK packages: punkt punkt_tab <frozen runpy>:128: RuntimeWarning: 'nltk.downloader' found in sys.modules after import of package 'nltk', but prior to execution of 'nltk.downloader'; this may result in unpredictable behaviour [nltk_data] Downloading package punkt to [nltk_data] /app/.heroku/python/nltk_data... [nltk_data] Unzipping tokenizers/punkt.zip. [nltk_data] Zip Slip blocked: punkt/ Error installing package. Retry? [n/y/e] Traceback (most recent call last): File "<frozen runpy>", line 198, in _run_module_as_main File "<frozen runpy>", line 88, in _run_code File "/app/.heroku/python/lib/python3.12/site-packages/nltk/downloader.py", line 2631, in <module> rv = downloader.download( ^^^^^^^^^^^^^^^^^^^^ File "/app/.heroku/python/lib/python3.12/site-packages/nltk/downloader.py", line 773, in download choice = input().strip() ^^^^^^^ EOFError: EOF when reading a line ``` See also: https://github.com/heroku/heroku-buildpack-python/actions/runs/22545824206/job/65308000022#step:5:539 Until upstream fix this regression, we can work around it by always passing the raw path for Python home instead of the symlinked path. (We generally prefer using the symlinked path where possible, to ensure the paths used/displayed match between build time and run time, given the build directory is different from the run directory.) Longer term I will be deprecating and that removing support for `nltk.txt` since it's a Heroku-proprietary invention that's unnecessary given most users instead either commit the NLTK corpora or use the post_compile hook feature instead. Fixes heroku#2037. GUS-W-21410908.
…roku#2039) Bumps the ruby-dependencies group with 1 update: [rubocop](https://github.com/rubocop/rubocop). Updates `rubocop` from 1.84.0 to 1.85.0 - [Release notes](https://github.com/rubocop/rubocop/releases) - [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md) - [Commits](rubocop/rubocop@v1.84.0...v1.85.0) --- updated-dependencies: - dependency-name: rubocop dependency-version: 1.85.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: ruby-dependencies ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…2040) Bumps sigstore/cosign/cosign from v3.0.4 to v3.0.5. --- updated-dependencies: - dependency-name: sigstore/cosign/cosign dependency-version: v3.0.5 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: heroku-linguist[bot] <136119646+heroku-linguist[bot]@users.noreply.github.com>
* Bump pip from 25.3 to 26.0.1 Bumps [pip](https://github.com/pypa/pip) from 25.3 to 26.0.1. - [Changelog](https://github.com/pypa/pip/blob/main/NEWS.rst) - [Commits](pypa/pip@25.3...26.0.1) --- updated-dependencies: - dependency-name: pip dependency-version: 26.0.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> * Add changelog entry * Update test assertion --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Ed Morley <501702+edmorley@users.noreply.github.com>
For the repo's development/testing tooling. Plus refresh the lockfile. GUS-W-21429033.
Since in newer versions of uv the default link mode has changed from `hardlink` to `clone` (aka reflink), and reflinks are slower in some environments (such as Heroku's build system). See: astral-sh/uv#18259 Even if the uv default ends up being changed back to hard links again, it seems worth us explicitly requesting that link mode, given that we know it's the best mode for our use-case. GUS-W-21429394.
* Bump uv from 0.10.1 to 0.10.7 Bumps [uv](https://github.com/astral-sh/uv) from 0.10.1 to 0.10.7. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](astral-sh/uv@0.10.1...0.10.7) --- updated-dependencies: - dependency-name: uv dependency-version: 0.10.7 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * Add changelog entry --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Ed Morley <501702+edmorley@users.noreply.github.com>
Co-authored-by: heroku-linguist[bot] <136119646+heroku-linguist[bot]@users.noreply.github.com>
Release announcement: https://blog.python.org/2026/03/python-31213-31115-31020/ Changelogs: https://docs.python.org/release/3.12.13/whatsnew/changelog.html#python-3-12-13-final https://docs.python.org/release/3.11.15/whatsnew/changelog.html#python-3-11-15-final https://docs.python.org/release/3.10.20/whatsnew/changelog.html#python-3-10-20-final Binary builds: https://github.com/heroku/heroku-buildpack-python/actions/runs/22639900939 https://github.com/heroku/heroku-buildpack-python/actions/runs/22639906742 https://github.com/heroku/heroku-buildpack-python/actions/runs/22639923074 GUS-W-21433843.
Co-authored-by: heroku-linguist[bot] <136119646+heroku-linguist[bot]@users.noreply.github.com>
![semgrep-code-scalingo[bot]](https://avatars.githubusercontent.com/u/4868969?s=60&v=4){kind=small}
| @@ -1 +1 @@ | |||
| uv==0.10.1 | |||
| uv==0.10.7 | |||
There was a problem hiding this comment.
Legal Risk
uv 0.10.7 was released under the non-standard license, a license that
is currently prohibited by your organization. Merging is blocked until this is resolved.
Recommendation
Reach out to your security team or Semgrep admin to address this issue. In special cases, exceptions may be made for dependencies with violating licenses, however, the general recommendation is to avoid using a dependency under such a license.
There was a problem hiding this comment.
Custom exception added
You can proceed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Related to #182