codeant-ai-for-open-source[bot] commented on code in PR #37552:
URL: https://github.com/apache/superset/pull/37552#discussion_r2742116523
##########
requirements/base.in:
##########
@@ -16,8 +16,14 @@
# specific language governing permissions and limitations
# under the License.
#
-urllib3>=2.6.0,<3.0.0
-werkzeug>=3.0.1
+# Security: CVE-2026-21441 - decompression bomb bypass on redirects
+urllib3>=2.6.3,<3.0.0
+# Security: GHSA-87hc-h4r5-73f7, multipart boundary fix
+werkzeug>=3.1.5
Review Comment:
**Suggestion:** Missing upper bound for `werkzeug`: allowing unconstrained
major upgrades (e.g., 4.x) can introduce breaking API changes; pin a safe upper
bound to prevent accidental incompatible upgrades. [possible bug]
<details>
<summary><b>Severity Level:</b> Major ⚠️</summary>
```mdx
- ❌ CI dependency installation may pick breaking werkzeug version.
- ⚠️ Unit tests may fail after unexpected Werkzeug upgrade.
- ⚠️ Runtime server startup could encounter API incompatibilities.
```
</details>
```suggestion
werkzeug>=3.1.5,<4.0.0
```
<details>
<summary><b>Steps of Reproduction ✅ </b></summary>
```mdx
1. Open requirements file at `requirements/base.in` and inspect lines 21-22
(file content
shows `werkzeug>=3.1.5`) — see `requirements/base.in:21-22`.
2. Create a fresh environment and run dependency resolution/installation
using this
requirements file (e.g., generate constraints or install from it): run
`python -m venv
.venv && .venv/bin/pip install -r requirements/base.in` (dependency resolver
will consider
`werkzeug>=3.1.5` without an upper bound).
3. If the resolver selects a future major release (e.g., werkzeug 4.x),
install completes
with that major version present in the environment.
4. Run the project's test suite or start the application (typical next steps
after
install). If code relies on the current Werkzeug 3.x APIs, tests or startup
will fail with
import/attribute errors or behavioral regressions (this is the concrete
failure mode
expected after a breaking major upgrade).
```
</details>
<details>
<summary><b>Prompt for AI Agent 🤖 </b></summary>
```mdx
This is a comment left during a code review.
**Path:** requirements/base.in
**Line:** 22:22
**Comment:**
*Possible Bug: Missing upper bound for `werkzeug`: allowing
unconstrained major upgrades (e.g., 4.x) can introduce breaking API changes;
pin a safe upper bound to prevent accidental incompatible upgrades.
Validate the correctness of the flagged issue. If correct, How can I resolve
this? If you propose a fix, implement it and please make it concise.
```
</details>
##########
requirements/base.in:
##########
@@ -16,8 +16,14 @@
# specific language governing permissions and limitations
# under the License.
#
-urllib3>=2.6.0,<3.0.0
-werkzeug>=3.0.1
+# Security: CVE-2026-21441 - decompression bomb bypass on redirects
+urllib3>=2.6.3,<3.0.0
+# Security: GHSA-87hc-h4r5-73f7, multipart boundary fix
+werkzeug>=3.1.5
+# Security: CVE-2025-68146 - TOCTOU symlink vulnerability
+filelock>=3.20.3
+# Security: decompression bomb fix (required by aiohttp 3.13.3)
+brotli>=1.2.0
Review Comment:
**Suggestion:** Missing upper bound for `brotli`: allowing unbounded major
releases risks incompatible changes; pin an upper bound (e.g., <2.0.0) to avoid
accidental breaking upgrades. [possible bug]
<details>
<summary><b>Severity Level:</b> Major ⚠️</summary>
```mdx
- ❌ CI dependency installation may pick incompatible brotli.
- ⚠️ HTTP compression/decompression operations may fail.
- ⚠️ Libraries requiring brotli (aiohttp) may exhibit regressions.
```
</details>
```suggestion
brotli>=1.2.0,<2.0.0
```
<details>
<summary><b>Steps of Reproduction ✅ </b></summary>
```mdx
1. Inspect `requirements/base.in` at lines 25-26 where `brotli>=1.2.0` is
added
(`requirements/base.in:25-26`).
2. In a clean environment, resolve/install dependencies using that file
(`python -m venv
.venv && .venv/bin/pip install -r requirements/base.in`) allowing the
resolver to pick the
latest brotli major.
3. If the resolver selects a future major (2.x) with breaking API changes,
execute code
paths that depend on brotli compression/decompression (e.g., HTTP client
libraries or
middleware that call into brotli). These calls will surface concrete
exceptions or
behavioral changes when the API changes.
4. Observe failures in CI or runtime where brotli is used (decompression
errors, missing
functions, or changed behavior), causing test or runtime regressions.
```
</details>
<details>
<summary><b>Prompt for AI Agent 🤖 </b></summary>
```mdx
This is a comment left during a code review.
**Path:** requirements/base.in
**Line:** 26:26
**Comment:**
*Possible Bug: Missing upper bound for `brotli`: allowing unbounded
major releases risks incompatible changes; pin an upper bound (e.g., <2.0.0) to
avoid accidental breaking upgrades.
Validate the correctness of the flagged issue. If correct, How can I resolve
this? If you propose a fix, implement it and please make it concise.
```
</details>
##########
requirements/base.in:
##########
@@ -16,8 +16,14 @@
# specific language governing permissions and limitations
# under the License.
#
-urllib3>=2.6.0,<3.0.0
-werkzeug>=3.0.1
+# Security: CVE-2026-21441 - decompression bomb bypass on redirects
+urllib3>=2.6.3,<3.0.0
+# Security: GHSA-87hc-h4r5-73f7, multipart boundary fix
+werkzeug>=3.1.5
+# Security: CVE-2025-68146 - TOCTOU symlink vulnerability
+filelock>=3.20.3
Review Comment:
**Suggestion:** Missing upper bound for `filelock`: without an upper bound,
future major releases could introduce incompatible behavior or regressions; add
a conservative upper bound to maintain stability. [possible bug]
<details>
<summary><b>Severity Level:</b> Major ⚠️</summary>
```mdx
- ❌ CI dependency installation may select incompatible filelock.
- ⚠️ Build/CLI file-locking tasks may throw runtime errors.
- ⚠️ Developer local scripts relying on filelock may break.
```
</details>
```suggestion
filelock>=3.20.3,<4.0.0
```
<details>
<summary><b>Steps of Reproduction ✅ </b></summary>
```mdx
1. Open `requirements/base.in` and inspect lines 23-24 where
`filelock>=3.20.3` is
declared (`requirements/base.in:23-24`).
2. Install dependencies in a clean environment using that requirements file
(e.g., `python
-m venv .venv && .venv/bin/pip install -r requirements/base.in`), allowing
the resolver to
pick the latest available `filelock` major version.
3. If a future `filelock` 4.x is released and selected, run the test suite
or run scripts
that use `filelock` (typical usage patterns: file-based locking in build/cli
tasks). Any
incompatible API changes in 4.x will surface as failing tests or runtime
exceptions when
those code paths execute.
4. Observe concrete failures in CI or local runs during lock/acquire
operations calling
into `filelock` (manifesting as AttributeError/TypeError or changed
semantics).
```
</details>
<details>
<summary><b>Prompt for AI Agent 🤖 </b></summary>
```mdx
This is a comment left during a code review.
**Path:** requirements/base.in
**Line:** 24:24
**Comment:**
*Possible Bug: Missing upper bound for `filelock`: without an upper
bound, future major releases could introduce incompatible behavior or
regressions; add a conservative upper bound to maintain stability.
Validate the correctness of the flagged issue. If correct, How can I resolve
this? If you propose a fix, implement it and please make it concise.
```
</details>
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
