[Snyk] Security upgrade aiohttp from 3.8.6 to 3.13.4#193
Conversation
The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-15873704 - https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-15873731 - https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-15873732 - https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-15873733 - https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-15873734 - https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-15873735 - https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-15873736 - https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-15873737 - https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-15873738 - https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-15873739
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| Pillow | ||
| stellar-sdk>=4.0.0,<6.0.0 | ||
| rlp>=1.1.0 ; python_version<'3.7' | ||
| aiohttp>=3.13.4 # not directly required, pinned by Snyk to avoid a vulnerability |
There was a problem hiding this comment.
Missing Python version marker for aiohttp dependency
Medium Severity
The newly added aiohttp>=3.13.4 requires Python >= 3.9, but this project supports Python >= 3.6 (per setup.py) and ^3.7 (per pyproject.toml). The dependency is missing a Python version environment marker like ; python_version>='3.9', which other entries in this same file already use (e.g., rlp). Installing optional dependencies on Python 3.7 or 3.8 will fail to resolve aiohttp.


Snyk has created this PR to fix 10 vulnerabilities in the pip dependencies of this project.
Snyk changed the following file(s):
python/requirements-optional.txtImportant
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Allocation of Resources Without Limits or Throttling
🦉 Information Exposure
Note
Low Risk
Low risk dependency-list change that only adds a pinned
aiohttpversion; main impact is potential install/compatibility issues for optional Python environments.Overview
Pins
aiohttp>=3.13.4inpython/requirements-optional.txtto address Snyk-reported vulnerabilities, adding it as an explicit optional dependency (even though it is not directly required).Written by Cursor Bugbot for commit eadfd64. This will update automatically on new commits. Configure here.