Skip to content

[ROB-2885] CVE patches#493

Merged
arikalon1 merged 5 commits into
mainfrom
cve_patches
Dec 31, 2025
Merged

[ROB-2885] CVE patches#493
arikalon1 merged 5 commits into
mainfrom
cve_patches

Conversation

@Avi-Robusta

@Avi-Robusta Avi-Robusta commented Dec 31, 2025

Copy link
Copy Markdown
Contributor

CVE-2025-66418
CVE-2025-66471
the git diff for requirements is off
updated prometrix, boto3 botocore and removed importlib-resources since its no longer needed by newer versions of boto3/botocore/prometrix

@coderabbitai

coderabbitai Bot commented Dec 31, 2025

Copy link
Copy Markdown

Walkthrough

Minimum Python version requirement raised from 3.9 to 3.10 across CI and project metadata; multiple dependency pins updated (notably prometrix and urllib3) and requirements.txt synchronized to the new Python constraint.

Changes

Cohort / File(s) Summary
CI workflow & project metadata
\.github/workflows/pytest-on-push.yml, pyproject.toml
Python version constraint changed from 3.9 → 3.10 in the GitHub Actions workflow and project dependencies.
Dependency bumps (pyproject)
pyproject.toml
prometrix 0.2.5 → 0.2.9; urllib3 ^1.26.20 → ^2.6.2; Python constraint updated to ">=3.10,<=3.12.9".
Pinned requirements sync
requirements.txt
All python_version selectors moved from >=3.9 → >=3.10; multiple package pins updated (e.g., boto3, botocore, s3transfer, prometrix, urllib3, pytest-asyncio, etc.).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • RoiGlinik

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title '[ROB-2885] CVE patches' directly reflects the main changeset, which updates dependencies to patch CVEs (specifically CVE-2025-66418 and CVE-2025-66471) by upgrading Python version and multiple packages.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check ✅ Passed The pull request description addresses CVE vulnerabilities and documents dependency updates (prometrix, boto3, botocore) that align with the changeset.
✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch cve_patches

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
pyproject.toml (1)

12-12: Update Black target-version to match new Python requirement.

The Black target-version is still set to 'py39', but the minimum Python version has been bumped to 3.10. Update this for consistency.

🔎 Proposed fix
-target-version = ['py39']
+target-version = ['py310']
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c149d0b and c6129c5.

⛔ Files ignored due to path filters (1)
  • poetry.lock is excluded by !**/*.lock
📒 Files selected for processing (3)
  • .github/workflows/pytest-on-push.yml
  • pyproject.toml
  • requirements.txt
🧰 Additional context used
🪛 OSV Scanner (2.3.1)
requirements.txt

[HIGH] 6-6: certifi 2024.2.2: undefined

(PYSEC-2024-230)


[HIGH] 6-6: certifi 2024.2.2: Certifi removes GLOBALTRUST root certificate

(GHSA-248v-346w-9cwc)

🔇 Additional comments (4)
.github/workflows/pytest-on-push.yml (1)

16-16: LGTM! Consistent with project-wide Python version bump.

The workflow now tests on Python 3.10, aligning with the minimum version requirement updated in pyproject.toml and requirements.txt.

requirements.txt (1)

1-55: Python version constraint updated consistently.

All dependencies now require Python >= 3.10, aligning with the project-wide minimum version bump. This is a breaking change for users on Python 3.9.

pyproject.toml (2)

26-26: Breaking change: Python 3.9 support dropped.

This is a breaking change that will prevent users on Python 3.9 from upgrading to this version. Ensure:

  1. This is intentional and necessary for the CVE patches
  2. Release notes clearly communicate this breaking change
  3. Semantic versioning reflects this (major version bump)

33-33: Prometrix 0.2.9 explicitly requires Python ≥3.10 and urllib3 ≥2.6.0.

This version locks in Python 3.10+ support and urllib3 2.x compatibility. Ensure testing validates this dependency chain before merge.

Comment thread pyproject.toml
Comment thread requirements.txt
Comment thread requirements.txt
@arikalon1
arikalon1 merged commit 4c03971 into main Dec 31, 2025
3 checks passed
@arikalon1
arikalon1 deleted the cve_patches branch December 31, 2025 09:44
@coderabbitai coderabbitai Bot mentioned this pull request Apr 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants