Conversation

@Avi-Robusta Avi-Robusta (Contributor) commented Dec 31, 2025

CVE-2025-66418
CVE-2025-66471
The git diff for requirements is off.
Updated prometrix, boto3 and botocore, and removed importlib-resources since it's no longer needed by newer versions of boto3/botocore/prometrix.

@coderabbitai coderabbitai bot commented Dec 31, 2025

Walkthrough

Minimum Python version requirement raised from 3.9 to 3.10 across CI and project metadata; multiple dependency pins updated (notably prometrix and urllib3) and requirements.txt synchronized to the new Python constraint.

Changes

Cohort / File(s): Summary

CI workflow & project metadata (.github/workflows/pytest-on-push.yml, pyproject.toml):
    Python version constraint changed from 3.9 to 3.10 in the GitHub Actions workflow and project dependencies.
Dependency bumps (pyproject.toml):
    prometrix 0.2.5 → 0.2.9; urllib3 ^1.26.20 → ^2.6.2; Python constraint updated to ">=3.10,<=3.12.9".
Pinned requirements sync (requirements.txt):
    All python_version selectors moved from >=3.9 to >=3.10; multiple package pins updated (e.g., boto3, botocore, s3transfer, prometrix, urllib3, pytest-asyncio, etc.).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • RoiGlinik

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name / Status / Explanation

Title check: ✅ Passed. The title '[ROB-2885] CVE patches' directly reflects the main changeset, which updates dependencies to patch CVEs (specifically CVE-2025-66418 and CVE-2025-66471) by upgrading the Python version and multiple packages.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check: ✅ Passed. The pull request description addresses CVE vulnerabilities and documents dependency updates (prometrix, boto3, botocore) that align with the changeset.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
pyproject.toml (1)

12-12: Update Black target-version to match new Python requirement.

The Black target-version is still set to 'py39', but the minimum Python version has been bumped to 3.10. Update this for consistency.

🔎 Proposed fix
-target-version = ['py39']
+target-version = ['py310']
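Review bot: the replacement value ['py310'] matches the new floor in pyproject.toml's Python constraint (">=3.10,<=3.12.9" at line 33), so the fix is correct as written; the point to track is that this line is outside the PR's diff, so it cannot be applied from this review and needs its own commit, and nothing visible on the page shows one landing before the merge at 4c03971.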
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c149d0b and c6129c5.

⛔ Files ignored due to path filters (1)
  • poetry.lock is excluded by !**/*.lock
📒 Files selected for processing (3)
  • .github/workflows/pytest-on-push.yml
  • pyproject.toml
  • requirements.txt
🧰 Additional context used
🪛 OSV Scanner (2.3.1)
requirements.txt
  [HIGH] 6-6: certifi 2024.2.2: undefined (PYSEC-2024-230)
  [HIGH] 6-6: certifi 2024.2.2: Certifi removes GLOBALTRUST root certificate (GHSA-248v-346w-9cwc)

🔇 Additional comments (4)
.github/workflows/pytest-on-push.yml (1)

16-16: LGTM! Consistent with project-wide Python version bump.

The workflow now tests on Python 3.10, aligning with the minimum version requirement updated in pyproject.toml and requirements.txt.

requirements.txt (1)

1-55: Python version constraint updated consistently.

All dependencies now require Python >= 3.10, aligning with the project-wide minimum version bump. This is a breaking change for users on Python 3.9.

pyproject.toml (2)

26-26: Breaking change: Python 3.9 support dropped.

This is a breaking change that will prevent users on Python 3.9 from upgrading to this version. Ensure:

  1. This is intentional and necessary for the CVE patches
  2. Release notes clearly communicate this breaking change
  3. Semantic versioning reflects this (major version bump)

33-33: Prometrix 0.2.9 explicitly requires Python ≥3.10 and urllib3 ≥2.6.0.

This version locks in Python 3.10+ support and urllib3 2.x compatibility. Ensure testing validates this dependency chain before merge.
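The review above is notable for what it did not block: OSV still flags certifi 2024.2.2 in requirements.txt as HIGH, while the walkthrough records the python_version selectors being moved and the PR description records importlib-resources being dropped as no longer needed. The script below is an added example, not code from this PR, from the project it belongs to, or from prometrix. It is the pre-merge check a reviewer would want to run locally: parse a pinned requirements.txt, evaluate the python_version markers, report pins that sit below a known-fixed floor for the interpreter the project now targets, and list pins that apply to none of the supported interpreters. The sample requirements are constructed, and the FIXED_VERSIONS table is an assumption of this example: certifi 2024.7.4 is the release that dropped the GLOBALTRUST root referenced by GHSA-248v-346w-9cwc, and tying the urllib3 >= 2.6.0 floor that prometrix 0.2.9 requires to the PR's two CVE IDs is this example's mapping, not something the page states.

```python
"""Pre-merge pin check (added example, not part of the PR or its project).

Parses a pinned requirements.txt, evaluates python_version markers, and
reports pins below a known-fixed floor as well as pins that apply to none
of the supported interpreters (the importlib-resources case in the PR).
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input in pip-compile style. Versions are illustrative;
# the certifi pin mirrors the finding OSV raised on the PR (2024.2.2).
SAMPLE_REQUIREMENTS = """\
# constructed sample, not the PR's requirements.txt
boto3==1.40.0 ; python_version >= "3.10"
botocore==1.40.0 ; python_version >= "3.10"
certifi==2024.2.2 ; python_version >= "3.10"
importlib-resources==6.4.0 ; python_version < "3.9"
urllib3==2.6.2 ; python_version >= "3.10"
"""

# Floors assumed for this example: certifi 2024.7.4 is the release that removed
# the GLOBALTRUST root (GHSA-248v-346w-9cwc / PYSEC-2024-230). Tying the
# urllib3 >= 2.6.0 floor to the PR's CVE IDs is an assumption of this example.
FIXED_VERSIONS: Dict[str, Tuple[str, str]] = {
    "certifi": ("2024.7.4", "GHSA-248v-346w-9cwc"),
    "urllib3": ("2.6.0", "CVE-2025-66418 / CVE-2025-66471"),
}

# name[extras]==version ; marker   (comments after '#' are ignored)
PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([0-9][^\s;#]*)"
    r"\s*(?:;\s*([^#]*))?"
)
MARKER_RE = re.compile(r"python_version\s*(>=|<=|==|!=|>|<)\s*[\"']([0-9.]+)[\"']")
OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}


def version_tuple(v: str) -> Tuple[int, ...]:
    """Dotted version as a comparable tuple; trailing zeros are dropped so
    2.6 and 2.6.0 compare equal. Pre-release suffixes such as 'rc1' are
    ignored, which is sufficient for release-only pins."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def normalize(name: str) -> str:
    """PEP 503 style normalisation so importlib_resources == importlib-resources."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> List[Tuple[int, str, str, Optional[str]]]:
    """Return (line number, normalised name, pinned version, marker) for every
    '==' pin. Comments, blank lines and non-pin lines (-r, --hash) are skipped."""
    pins = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            continue
        name, version, marker = m.groups()
        pins.append((lineno, normalize(name), version, marker.strip() if marker else None))
    return pins


def marker_applies(marker: Optional[str], python_version: str) -> bool:
    """Evaluate a python_version marker against an interpreter version.
    Markers this example does not understand are treated as applying,
    which errs on the side of reporting."""
    if not marker:
        return True
    m = MARKER_RE.search(marker)
    if not m:
        return True
    op, target = m.groups()
    return OPS[op](version_tuple(python_version), version_tuple(target))


def check_pins(text: str, python_version: str,
               fixed: Dict[str, Tuple[str, str]] = FIXED_VERSIONS) -> List[dict]:
    """Pins that apply to python_version and sit below a known-fixed floor."""
    findings = []
    for lineno, name, version, marker in parse_requirements(text):
        if not marker_applies(marker, python_version) or name not in fixed:
            continue
        floor, advisory = fixed[name]
        if version_tuple(version) < version_tuple(floor):
            findings.append({"line": lineno, "name": name, "pinned": version,
                             "fixed": floor, "advisory": advisory})
    return findings


def dead_pins(text: str, supported: List[str]) -> List[str]:
    """Pins whose marker is false for every supported interpreter, i.e.
    leftovers like importlib-resources once Python < 3.9 is out of scope."""
    return [name for _, name, _, marker in parse_requirements(text)
            if not any(marker_applies(marker, pv) for pv in supported)]


if __name__ == "__main__":
    supported = ["3.10", "3.11", "3.12"]
    for f in check_pins(SAMPLE_REQUIREMENTS, supported[0]):
        print(f"line {f['line']}: {f['name']}=={f['pinned']} < {f['fixed']} ({f['advisory']})")
    for name in dead_pins(SAMPLE_REQUIREMENTS, supported):
        print(f"dead pin: {name} applies to no supported interpreter")
```

Run against the constructed sample, the check reports certifi 2024.2.2 below the 2024.7.4 floor and lists importlib-resources as a pin that no supported interpreter would ever install, which is exactly the pair of conclusions the review comment and the PR description reach by hand. Keeping the floor table in the repository and running this in the same workflow as pytest-on-push.yml would turn OSV's after-the-fact finding into a failing check.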

@arikalon1 arikalon1 merged commit 4c03971 into main Dec 31, 2025
3 checks passed
@arikalon1 arikalon1 deleted the cve_patches branch December 31, 2025 09:44