[Snyk] Security upgrade tornado from 6.2 to 6.5.3#464
[Snyk] Security upgrade tornado from 6.2 to 6.5.3#464robertatakenaka wants to merge 1 commit intomainfrom
Conversation
The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-TORNADO-14400977 - https://snyk.io/vuln/SNYK-PYTHON-TORNADO-14400978 - https://snyk.io/vuln/SNYK-PYTHON-TORNADO-14400979
There was a problem hiding this comment.
Pull request overview
This PR upgrades the tornado dependency from version 6.2 to 6.5.3 to address three security vulnerabilities identified by Snyk. Tornado is a transitive dependency required by flower (version 1.2.0), which is used for Celery monitoring in this Django application. The upgrade uses a minimum version constraint (>=6.5.3) to ensure the security fixes are present while allowing for future patch updates.
Key Changes:
- Adds explicit tornado version constraint (>=6.5.3) to requirements/base.txt as a pinned security fix
- Addresses three Snyk-identified vulnerabilities in tornado 6.2
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| # PyCountry | ||
| # ------------------------------------------------------------------------------ | ||
| pycountry==24.6.1 # https://pypi.org/project/pycountry/ No newline at end of file | ||
| pycountry==24.6.1 # https://pypi.org/project/pycountry/ |
There was a problem hiding this comment.
This dependency addition should follow the existing organizational pattern in this file. All other dependencies are grouped under section headers with a separator line. Consider adding a section header for Tornado, such as:
Tornado
------------------------------------------------------------------------------
This would maintain consistency with the existing structure where dependencies are organized by purpose or package name.
| pycountry==24.6.1 # https://pypi.org/project/pycountry/ | |
| pycountry==24.6.1 # https://pypi.org/project/pycountry/ | |
| # Tornado | |
| # ------------------------------------------------------------------------------ |
2 participants
Snyk has created this PR to fix 3 vulnerabilities in the pip dependencies of this project.
Snyk changed the following file(s):
requirements/base.txtImportant
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.