Loosen azure-core and requests pins to permit CVE-patched versions#320
Open
mividtim wants to merge 1 commit into larsiusprime:master from
Conversation
azure-core and requests both follow SemVer, so the compatible-release (`~=`) minor-lock unnecessarily blocks patch versions that fix disclosed CVEs in downstream consumers. Specifically:
- azure-core 1.39.0 patches GHSA-jm66-cg57-jjv5 (HIGH — deserialization)
- requests 2.33.1 patches GHSA-9hjg-9r4m-mvj7 and GHSA-gc5v-m9x4-r6x2

Downstream users of openavmkit are currently forced to ship the vulnerable minor versions because the tight pins here block any upgrade. Loosening to full-major ranges (<2 / <3) is consistent with each library's SemVer guarantees and unblocks security patching without compromising API compatibility.
Thank you for your contribution. I affirm that this contributor has signed the CLA. You can retrigger this bot by commenting `recheck` in this Pull Request. Posted by the CLA Assistant Lite bot.
mividtim added a commit to fabrica-land/openavmkit that referenced this pull request on Apr 14, 2026:
pytest <=9.0.2 has a tmpdir-handling vulnerability on UNIX, fixed in 9.0.3. This branch is consumed only by fabrica-v3-api/avm-python-service and is not intended for upstream submission — the upstream PR (larsiusprime#320) covers the azure-core/requests loosening only.
Summary
Loosen two transitive dependency pins in `requirements.txt` from compatible-release (`~=`) minor locks to SemVer-compatible major-range constraints, so downstream consumers can apply patched versions of `requests` CVEs (and any future minor-version security patches) without forking.

Why

The current `~=` pins lock `azure-core` to `1.38.x` and `requests` to `2.32.x`. Any CVE patched in a subsequent minor (e.g. `1.39.x`, `2.33.x`) cannot be applied by downstream consumers without forking or pinning-over.

Currently blocked CVE

`requests` — GHSA-gc5v-m9x4-r6x2 — Insecure Temp File Reuse in `extract_zipped_paths()`. Severity: medium. First patched in `requests 2.33.0`, which the current `~=2.32.5` pin disallows.

Why also loosen azure-core

`azure-core`'s own current vulnerabilities (e.g. GHSA-jm66-cg57-jjv5, HIGH, deserialization) are already patched in `1.38.0`, so today's `~=1.38.0` pin technically covers them. The loosening here is forward-looking: the same minor-lock that's currently biting `requests` will eventually bite `azure-core` too. Both libraries publish under SemVer; relaxing to `<MAJOR+1` keeps the upstream-declared compatibility contract while letting downstream consumers stay current on patches.

Downstream impact

Our service (fabrica-land/avm-python-service) consumes `openavmkit` and is transitively bound by these pins. Until this PR merges and a release ships, we have to either fork (what we're doing for now), use `pip install --use-deprecated=legacy-resolver` (which silently downgrades our pins to satisfy upstream — defeating the purpose), or knowingly ship the `requests` MODERATE.

Verification

The change is constraint-only — no runtime code touched. We have not run `openavmkit`'s test suite against the newer minors ourselves, so this PR does not assert empirical behavioral equivalence; it relies on the SemVer guarantees published by `azure-core` and `requests`.

CLA
Happy to sign when the bot comments.
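The PR's argument rests on what a compatible-release clause actually admits. The script below is an added example, not code from openavmkit or from this PR: it implements the PEP 440 compatible-release rule (`~=X.Y.Z` means `>=X.Y.Z` together with `==X.Y.*`) for plain dotted numeric release versions, so it runs without the `packaging` library, and checks the before/after pins against constructed candidate lists. The loosened specifiers `>=X.Y.Z,<MAJOR+1` are an assumed rendering of the "<2 / <3" wording, not the PR's diff; the version lists are constructed for illustration and are not a real index query. With `packaging` installed, `packaging.specifiers.SpecifierSet(spec).contains(version)` gives the same answers for these inputs.

```python
"""Compatible-release (~=) versus major-range pins, as a runnable check.

Added example; not openavmkit code. Handles only X[.Y[.Z]] release segments
(no pre-release, post-release, epoch or local parts). Candidate version
lists are constructed; the loosened pin form is an assumption.
"""

from typing import Dict, Sequence, Tuple

Release = Tuple[int, ...]

_OPERATORS = ("~=", ">=", "<=", "==", "!=", ">", "<")  # two-char ops first


def parse(version: str) -> Release:
    """'2.33.1' -> (2, 33, 1)."""
    return tuple(int(part) for part in version.strip().split("."))


def _padded(a: Release, b: Release) -> Tuple[Release, Release]:
    """Right-pad with zeros so that, as PEP 440 requires, 2.0 == 2.0.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def satisfies(version: str, specifier: str) -> bool:
    """True if `version` meets every comma-separated clause in `specifier`."""
    ver = parse(version)
    for clause in specifier.split(","):
        clause = clause.strip()
        if not clause:
            continue
        op = next((o for o in _OPERATORS if clause.startswith(o)), None)
        if op is None:
            raise ValueError(f"unsupported clause: {clause!r}")
        target = parse(clause[len(op):])
        if op == "~=":
            # ~=X.Y.Z: the last listed segment may move, everything before
            # it is frozen. Note ~=1.38 (two segments) already admits 1.x.
            if len(target) < 2:
                raise ValueError("~= requires at least two release segments")
            prefix = target[:-1]
            v, t = _padded(ver, target)
            ok = v >= t and _padded(ver, prefix)[0][: len(prefix)] == prefix
        else:
            v, t = _padded(ver, target)
            ok = {
                ">=": v >= t, "<=": v <= t, "==": v == t,
                "!=": v != t, ">": v > t, "<": v < t,
            }[op]
        if not ok:
            return False
    return True


def newest_allowed(candidates: Sequence[str], specifier: str) -> str:
    """Highest candidate the specifier admits, or '' if none does."""
    allowed = [c for c in candidates if satisfies(c, specifier)]
    return max(allowed, key=parse) if allowed else ""


# Constructed candidate lists: the versions named in the PR text plus a
# hypothetical next major of each, to show where the upper bound stops.
REQUESTS_CANDIDATES = ["2.32.5", "2.33.0", "2.33.1", "3.0.0"]
AZURE_CORE_CANDIDATES = ["1.38.0", "1.39.0", "2.0.0"]
CANDIDATES = {"requests": REQUESTS_CANDIDATES, "azure-core": AZURE_CORE_CANDIDATES}

# Pins before (the PR's `~=` minor locks) and after (assumed form of "<2 / <3").
PINS_BEFORE = {"requests": "~=2.32.5", "azure-core": "~=1.38.0"}
PINS_AFTER = {"requests": ">=2.32.5,<3", "azure-core": ">=1.38.0,<2"}


def resolve_pins(before: Dict[str, str], after: Dict[str, str],
                 candidates: Dict[str, Sequence[str]]) -> Dict[str, Dict[str, str]]:
    """For each package, the newest version each pin admits, side by side."""
    return {
        name: {
            "before": newest_allowed(candidates[name], before[name]),
            "after": newest_allowed(candidates[name], after[name]),
        }
        for name in before
    }


if __name__ == "__main__":
    for name, result in resolve_pins(PINS_BEFORE, PINS_AFTER, CANDIDATES).items():
        print(f"{name:<11} {PINS_BEFORE[name]:<10} -> {result['before']:<7}"
              f" | {PINS_AFTER[name]:<15} -> {result['after']}")
```

Running it shows `~=2.32.5` stopping at 2.32.5 while `>=2.32.5,<3` reaches 2.33.1, and the same pattern for azure-core at 1.38.0 versus 1.39.0; the hypothetical 3.0.0 and 2.0.0 candidates stay excluded by the major bound. One caveat the comment in `satisfies` spells out: a two-segment clause such as `~=1.38` is already a major-range pin under PEP 440, so the extra freedom granted by `<2` is specific to the three-segment `~=1.38.0` form this PR changes.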