From f50d70e49fb1fb41c9cd491b4422ae03fd0bd8a6 Mon Sep 17 00:00:00 2001 From: Tim Garthwaite Date: Tue, 14 Apr 2026 09:38:47 -0400 Subject: [PATCH] Loosen azure-core and requests pins to permit CVE-patched versions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit azure-core and requests both follow SemVer, so the compatible-release (`~=`) minor-lock unnecessarily blocks patch versions that fix disclosed CVEs in downstream consumers. Specifically: - azure-core 1.39.0 patches GHSA-jm66-cg57-jjv5 (HIGH — deserialization) - requests 2.33.1 patches GHSA-9hjg-9r4m-mvj7 and GHSA-gc5v-m9x4-r6x2 Downstream users of openavmkit are currently forced to ship the vulnerable minor versions because the tight pins here block any upgrade. Loosening to full-major ranges (<2 / <3) is consistent with each library's SemVer guarantees and unblocks security patching without compromising API compatibility. --- requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/requirements.txt b/requirements.txt index 4d9f43f..34af916 100644 --- a/requirements.txt +++ b/requirements.txt @@ -36,11 +36,11 @@ geopandas~=1.1.2 matplotlib~=3.10.9 pyproj~=3.7.2 shapely~=2.1.2 -azure-core~=1.38.1 -requests~=2.34.2 +azure-core>=1.38.0,<2 +requests>=2.32.5,<3 joblib~=1.5.3 scipy>=1.11.4,<1.17 scikit-learn~=1.8.0 tqdm~=4.67.3 rasterio~=1.4.0 -seamless-3dep>=0.4.1,<0.6 \ No newline at end of file +seamless-3dep>=0.4.1,<0.6
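Review bot: the new lower bounds in the requirements.txt hunk sit below the fixed versions the message cites, so the widened ranges still admit the releases the message itself calls vulnerable. `azure-core>=1.38.0,<2` accepts every 1.38.x release although the message places the fix in 1.39.0, and it lowers the floor from the previous `~=1.38.1` to 1.38.0; `requests>=2.32.5,<3` accepts 2.32.5 through 2.33.0 although the message places the fix in 2.33.1, and it drops the floor from the previous `~=2.34.2`, which already required 2.34.x, so for requests the old pin did not block the cited fix in the first place. If the intent is to require patched releases rather than only to widen the range, raise the floors to at least the cited fix versions, e.g. `azure-core>=1.39.0,<2` and `requests>=2.34.2,<3` (or `>=2.33.1` if 2.33.x is acceptable), and either justify or drop the downward moves. A `<2` / `<3` ceiling alone gives no protection; it relies on both libraries honouring SemVer, and consumers with a lockfile still have to bump it. The `seamless-3dep` lines change nothing but the missing trailing newline; worth a sentence in the message so it is not read as a version change.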