fix: resolve open dependabot security alerts #110
jonathannorris wants to merge 7 commits into main from
Conversation
black>=26.3.1 requires Python 3.10+, but unit tests run on 3.9. Move black, mypy, and ruff into a separate requirements.lint.txt used only by the lint workflow (Python 3.12).
Pull request overview
Resolves multiple Dependabot security alerts by bumping minimum versions of vulnerable Python dependencies and aligning CI to a dedicated lint dependency set.
Changes:
- Bumped requests minimum version in requirements.txt.
- Bumped test dependency pytest minimum version and reorganized dev dependencies by introducing requirements.lint.txt.
- Bumped example Django app minimum Django version and updated the lint workflow to install lint-only requirements.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| requirements.txt | Raises minimum requests version to address security alerts. |
| requirements.test.txt | Updates pytest minimum version and trims lint-only tooling from test deps. |
| requirements.lint.txt | New lint requirements file (black/mypy/ruff + type stubs). |
| example/django-app/requirements.txt | Raises minimum Django version for the example app. |
| .github/workflows/lint.yml | Switches lint CI to install from requirements.lint.txt. |
Python 3.9 reached EOL in October 2025. requests>=2.33.0 requires Python>=3.10, so we replace 3.9 with 3.10 in the test matrix.
- Relax types-requests and types-urllib3 pin to allow versions compatible with requests >= 2.33.0 and urllib3 >= 1.15.1
- Update django example README to reflect Django 6.0.4+ requirement
Pull request overview
Copilot reviewed 6 out of 7 changed files in this pull request and generated 4 comments.
- setup.py: raise python_requires to >=3.10 (Django 6.0 requires 3.10+, CI matrix already reflects this)
- example/django-app/README.md: update "Python 3.7+" -> "Python 3.10+"
- requirements.test.txt: tighten pytest>=9.0.3 -> pytest~=9.0.3 for reproducibility
- requirements.lint.txt: align types-requests~=2.32.0 -> ~=2.33.0 with bumped runtime dep
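The commit above swaps a `>=` floor for a `~=` compatible-release clause on pytest. The following added example (not code from this PR or the repository) shows concretely which versions each form admits, implementing the PEP 440 compatible-release rule for plain dotted versions so it runs offline without the `packaging` library; the candidate version list is constructed for illustration and is not a real release history.

```python
"""Compare what `>=X` and `~=X` requirement specifiers admit.

Added example, not part of the PR. Handles only plain numeric releases
(no pre-release, post-release or local segments) and a single clause.
"""
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '9.0.3' into (9, 0, 3)."""
    return tuple(int(part) for part in text.strip().split("."))


def _padded(v: Version, n: int) -> Version:
    """Zero-pad so that 9.0 and 9.0.0 compare equal, as PEP 440 requires."""
    return v + (0,) * (n - len(v))


def compatible_release_bounds(version: str) -> Tuple[Version, Version]:
    """`~=9.0.3` means `>=9.0.3, ==9.0.*`, i.e. `>=9.0.3,<9.1`.

    The exclusive upper bound drops the last component and increments
    the one before it (PEP 440 compatible release clause).
    """
    low = parse_version(version)
    if len(low) < 2:
        raise ValueError("~= needs at least two components, e.g. ~=9.0")
    high = low[:-2] + (low[-2] + 1,)
    return low, high


def admits(specifier: str, candidate: str) -> bool:
    """Return True if `candidate` satisfies a single `>=` or `~=` clause."""
    spec = specifier.replace(" ", "")
    cand = parse_version(candidate)
    if spec.startswith(">="):
        floor = parse_version(spec[2:])
        n = max(len(cand), len(floor))
        return _padded(cand, n) >= _padded(floor, n)
    if spec.startswith("~="):
        low, high = compatible_release_bounds(spec[2:])
        n = max(len(cand), len(low), len(high))
        return _padded(low, n) <= _padded(cand, n) < _padded(high, n)
    raise ValueError(f"unsupported operator in {specifier!r}")


def admitted_versions(specifier: str, candidates: List[str]) -> List[str]:
    """Filter a candidate list down to the versions the specifier allows."""
    return [c for c in candidates if admits(specifier, c)]


# Constructed candidate versions for illustration; not a real release list.
CANDIDATES = ["9.0.2", "9.0.3", "9.0.9", "9.1.0", "10.0.0"]

if __name__ == "__main__":
    for spec in (">=9.0.3", "~=9.0.3"):
        print(f"{spec:>8} admits {admitted_versions(spec, CANDIDATES)}")
```

Running it shows that `>=9.0.3` accepts every later release including 10.0.0, while `~=9.0.3` stops at the 9.0.x patch series. That is narrower, but it still floats across patch releases, so it is a compatibility bound rather than a fully reproducible pin; an exact `==` pin or a lock file gives the latter.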
Pull request overview
Copilot reviewed 6 out of 7 changed files in this pull request and generated 2 comments.
| python_requires=">=3.10", | ||
| packages=find_packages(), |
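Review bot: `python_requires=">=3.10"` makes pip refuse to resolve the package on a 3.9 interpreter, so this line should land together with the matching metadata changes: the 3.9 entry removed from the test matrix (the earlier commit says this was done) and, if setup.py also lists per-version `Programming Language :: Python ::` classifiers, the 3.9 classifier removed, so the package metadata does not contradict itself.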
python_requires is bumped from >=3.9 to >=3.10, which is a breaking support-policy change and is not mentioned in the PR description (which frames this as dependency bumps only). If dropping 3.9 support is intentional, please also update the repo’s documented/checked minimums (e.g., README Requirements and pyproject’s tool configs currently reference 3.9) and consider whether a major version bump/release note is needed; otherwise revert this to keep 3.9 support.
| pytest~=9.0.3 | ||
| pytest-benchmark~=4.0.0 |
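Review bot: `pytest~=9.0.3` is a compatible-release clause equivalent to `>=9.0.3,<9.1`, so it still floats across 9.0.x patch releases rather than fully pinning; if the reproducibility stated in the commit message is the goal, an exact `pytest==9.0.3` or a lock file is what delivers it. The same applies to `pytest-benchmark~=4.0.0`, which means `>=4.0.0,<4.1`.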
requirements.test.txt now requires pytest~=9.0.3, but pyproject.toml’s [tool.pytest.ini_options] minversion is still set to 7.0. This mismatch can cause confusing failures depending on how pytest is invoked; update the configured minversion to match the dependency (or keep pytest in the 7.x/8.x range if that’s the intended minimum).
Summary
Resolved 9 open Dependabot security alerts by bumping vulnerable dependencies.
Dependabot Alerts Resolved
- requests (3 alerts)
- pytest (1 alert)
- Django (5 alerts)