Skip to content

[Snyk] Security upgrade idna from 2.10 to 3.7 #7

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
deargvp1 wants to merge 1 commit into
base: main
Choose a base branch
from
+1 −0
Open

[Snyk] Security upgrade idna from 2.10 to 3.7 #7

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions composer/blog/gcp-tech-blog/unit-test-dags-cloud-build/requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,3 +2,4 @@
# see https://airflow.apache.org/docs/apache-airflow/stable/installation/installing-from-pypi.html#constraints-files
apache-airflow[gcp]==1.10.15 # updates beyond 1.10.15 are untested with this code
apache-airflow-backport-providers-google==2021.3.3
idna>=3.7 # not directly required, pinned by Snyk to avoid a vulnerability
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot May 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

This change introduces a critical dependency conflict. While intended to fix SNYK-PYTHON-IDNA-6597975, upgrading to idna>=3.7 is incompatible with requests < 2.26.0. The PR description confirms that requests 2.23.0 is present in the environment, which strictly requires idna<3. This conflict will cause the installation to fail. To resolve this while addressing the security vulnerability, requests must also be upgraded to version 2.26.0 or higher, assuming it remains compatible with apache-airflow==1.10.15.

Copy link
Copy Markdown

@cubic-dev-ai cubic-dev-ai Bot May 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1: This idna>=3.7 pin conflicts with requests 2.23.0 (a dependency of apache-airflow==1.10.15), which strictly requires idna<3,>=2.5. The requests library only added support for idna 3.x in version 2.26.0. This conflict will cause pip install to fail with a dependency resolution error. To fix the vulnerability without breaking installation, requests must also be upgraded to at least 2.26.0 (and compatibility with airflow 1.10.15 must be verified).

Prompt for AI agents 
Check if this issue is valid — if so, understand the root cause and fix it. At composer/blog/gcp-tech-blog/unit-test-dags-cloud-build/requirements.txt, line 5:

<comment>This `idna>=3.7` pin conflicts with `requests 2.23.0` (a dependency of `apache-airflow==1.10.15`), which strictly requires `idna<3,>=2.5`. The `requests` library only added support for `idna` 3.x in version 2.26.0. This conflict will cause `pip install` to fail with a dependency resolution error. To fix the vulnerability without breaking installation, `requests` must also be upgraded to at least 2.26.0 (and compatibility with airflow 1.10.15 must be verified).</comment>

<file context>
@@ -2,3 +2,4 @@
 # see https://airflow.apache.org/docs/apache-airflow/stable/installation/installing-from-pypi.html#constraints-files
 apache-airflow[gcp]==1.10.15 # updates beyond 1.10.15 are untested with this code
 apache-airflow-backport-providers-google==2021.3.3
+idna>=3.7 # not directly required, pinned by Snyk to avoid a vulnerability
</file context>