fix(deps): bump urllib3, cryptography, idna, requests, Pygments, pytest to patch Dependabot alerts#823
Merged
sbrunner merged 1 commit intoJun 22, 2026
Conversation
266c2eb to
7a82872
Compare
There was a problem hiding this comment.
Pull request overview
This PR updates the Poetry dependency set to address Dependabot security alerts by bumping several affected packages and regenerating poetry.lock with newer resolved versions.
Changes:
- Bumped pytest to the 9.x series and updated the lockfile accordingly.
- Added explicit minimum-version constraints for cryptography/idna/requests/Pygments/urllib3 in
pyproject.toml. - Regenerated
poetry.lock(now marked as generated by Poetry 2.4.1) to capture the upgraded dependency graph.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| pyproject.toml | Updates dev dependency constraints (pytest + adds min versions for several security-flagged packages). |
| poetry.lock | Regenerated lockfile reflecting upgraded versions (cryptography/idna/requests/Pygments/urllib3/pytest, etc.). |
Comments suppressed due to low confidence (1)
pyproject.toml:99
- These minimum versions don't match the patched versions stated in the PR description / lockfile (e.g., cryptography is locked to 49.0.0 but allows >=48.0.1, idna is locked to 3.18 but allows >=3.15). That makes it easy for a future lock refresh to downgrade back into a vulnerable range. Consider constraining these to the actual minimum patched versions and keeping them within the current major series (caret constraints) for stability.
[tool.ruff]
target-version = "py39"
line-length = 120
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
7a82872 to
05237fb
Compare
…st to patch Dependabot alerts - urllib3 2.6.3 -> 2.7.0 (alerts prospector-dev#50, prospector-dev#51) - cryptography 46.0.4 -> 49.0.0 (alerts prospector-dev#43, prospector-dev#46, prospector-dev#48, prospector-dev#53) - idna 3.11 -> 3.18 (alert prospector-dev#52) - requests 2.32.5 -> 2.34.2 (alert prospector-dev#45) - Pygments 2.19.2 -> 2.20.0 (alert prospector-dev#47) - pytest 7.4.4 -> 9.1.1 (alert prospector-dev#49)
05237fb to
b74e07e
Compare
Member
Author
|
Fix some alert before creating a new release :-) |
Pierre-Sassoulas
approved these changes
Jun 22, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes open Dependabot alerts by bumping affected dependencies to their minimum patched versions: