From 0f9777f2ab1359f1140a949cbed9ed3a27b31631 Mon Sep 17 00:00:00 2001 From: Tim Garthwaite Date: Tue, 14 Apr 2026 09:38:47 -0400 Subject: [PATCH] Loosen azure-core and requests pins to permit CVE-patched versions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit azure-core and requests both follow SemVer, so the compatible-release (`~=`) minor-lock unnecessarily blocks patch versions that fix disclosed CVEs in downstream consumers. Specifically: - azure-core 1.39.0 patches GHSA-jm66-cg57-jjv5 (HIGH — deserialization) - requests 2.33.1 patches GHSA-9hjg-9r4m-mvj7 and GHSA-gc5v-m9x4-r6x2 Downstream users of openavmkit are currently forced to ship the vulnerable minor versions because the tight pins here block any upgrade. Loosening to full-major ranges (<2 / <3) is consistent with each library's SemVer guarantees and unblocks security patching without compromising API compatibility. --- requirements.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements.txt b/requirements.txt index 6741e3d0..8db76da9 100644 --- a/requirements.txt +++ b/requirements.txt @@ -33,8 +33,8 @@ geopandas~=1.1.2 matplotlib~=3.10.8 pyproj~=3.7.2 shapely~=2.1.2 -azure-core~=1.38.0 -requests~=2.32.5 +azure-core>=1.38.0,<2 +requests>=2.32.5,<3 joblib~=1.5.3 scipy>=1.11.4,<1.17 scikit-learn~=1.8.0
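Review bot: The lower bounds in the hunk (`azure-core>=1.38.0,<2`, `requests>=2.32.5,<3`) still admit exactly the releases the commit message identifies as vulnerable, so this change only permits the patched versions rather than requiring them; a fresh resolve against this file can still land on azure-core 1.38.0 or requests 2.32.5. If the intent is that openavmkit itself never ships the affected versions, raise the floors to the releases named in the message, i.e. `azure-core>=1.39.0,<2` and `requests>=2.33.1,<3`; if the floor is deliberately left where it is (for example to keep older installs resolvable while a separate lock or constraints file carries the minimum), say so in the commit message so the next reader does not re-open the question. The `>=X,<MAJOR` form itself is consistent with the existing `scipy>=1.11.4,<1.17` line in the same hunk, so no style objection there.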