[Snyk] Security upgrade zipp from 3.15.0 to 3.19.1#18
Conversation
…to reduce vulnerabilities The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-ZIPP-7430899
|
Important Review skippedIgnore keyword(s) in the title. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request adds the zipp dependency to requirements-test.txt with a version constraint of >=3.19.1 to address a vulnerability. The reviewer recommends pinning zipp to an exact version (==3.19.1) to ensure reproducible test environments and maintain consistency with other pinned dependencies.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| google-cloud-storage==2.16.0 | ||
| pytest-xdist==3.5.0 | ||
| pytest==9.0.3; python_version >= "3.10" | ||
| zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability |
There was a problem hiding this comment.
To ensure reproducible test environments and maintain consistency with the other pinned dependencies in this file, it is recommended to pin 'zipp' to an exact version ('==3.19.1') rather than using a range operator ('>=').
zipp==3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
1 issue found across 1 file
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="people-and-planet-ai/image-classification/requirements-test.txt">
<violation number="1" location="people-and-planet-ai/image-classification/requirements-test.txt:4">
P2: Pin `zipp` to an exact version (`==3.19.1`) for consistency with the other dependencies in this file, which all use `==`. Using `>=` undermines reproducible test environments.</violation>
</file>
Reply with feedback, questions, or to request a fix.
Re-trigger cubic
| google-cloud-storage==2.16.0 | ||
| pytest-xdist==3.5.0 | ||
| pytest==9.0.3; python_version >= "3.10" | ||
| zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability |
There was a problem hiding this comment.
P2: Pin zipp to an exact version (==3.19.1) for consistency with the other dependencies in this file, which all use ==. Using >= undermines reproducible test environments.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At people-and-planet-ai/image-classification/requirements-test.txt, line 4:
<comment>Pin `zipp` to an exact version (`==3.19.1`) for consistency with the other dependencies in this file, which all use `==`. Using `>=` undermines reproducible test environments.</comment>
<file context>
@@ -1,3 +1,4 @@
google-cloud-storage==2.16.0
pytest-xdist==3.5.0
pytest==9.0.3; python_version >= "3.10"
+zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability
</file context>
| zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability | |
| zipp==3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability |
2 participants
Snyk has created this PR to fix 1 vulnerabilities in the pip dependencies of this project.
Snyk changed the following file(s):
people-and-planet-ai/image-classification/requirements-test.txtImportant
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.
Summary by cubic
Pin
zippto >=3.19.1 inpeople-and-planet-ai/image-classification/requirements-test.txtto resolve SNYK-PYTHON-ZIPP-7430899. This blocks vulnerable transitive versions in the test environment.Written for commit 5b2418d. Summary will update on new commits.