bito-code-review[bot] commented on code in PR #39949: URL: https://github.com/apache/superset/pull/39949#discussion_r3201475313
########## requirements/base.in: ########## 
@@ -27,14 +27,16 @@ brotli>=1.2.0,<2.0.0 numexpr>=2.9.0 # Security: CVE-2026-34073 (MEDIUM) - Improper Certificate Validation cryptography>=46.0.7,<47.0.0 -# Security: Snyk - XSS vulnerability in Mako templates -mako>=1.3.11,<2.0.0 +# Security: CVE-2026-44307 - XSS vulnerability in Mako templates +mako>=1.3.12,<2.0.0 +# Security: CVE-2026-27205 - Flask vulnerability fixed in 3.1.3 +flask>=3.1.3,<4.0.0 # Security: CVE-2024-52338 (CRITICAL) - Deserialization of untrusted data in IPC/Parquet readers pyarrow>=20.0.0,<21.0.0 # Security: CVE-2026-27459 - pyopenssl certificate validation pyopenssl>=26.0.0,<27.0.0

Review Comment:

**CWE-1395: Vulnerable Dependency Version**

This change downgrades the requests library to versions >=2.28.0, which includes vulnerable versions for CVE-2026-25645 (fixed in 2.33.0+). Although the project does not appear to use the affected extract_zipped_paths function, maintaining secure dependency versions is best practice. The security comment suggests this is a fix, but it has the opposite effect. ([CWE-1395](https://cwe.mitre.org/data/definitions/1395.html))

Code suggestion (check the AI-generated fix before applying):

````suggestion
requests>=2.33.0,<3.0.0
````

Code Review Run #593264

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
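Review bot: The new `+flask>=3.1.3,<4.0.0` entry and the bumped mako floor (`+mako>=1.3.12,<2.0.0`) carry comments that give only a CVE id and, for flask, the bare phrase "Flask vulnerability fixed in 3.1.3", whereas the neighbouring entries in this same hunk record severity and the flaw class (`# Security: CVE-2024-52338 (CRITICAL) - Deserialization of untrusted data in IPC/Parquet readers`); adding the severity and a one-line description for the flask line keeps the file self-explanatory when someone later has to decide whether the floor can be relaxed. The attached Bito comment argues about a `requests>=2.28.0` pin, but no `requests` line appears anywhere in this hunk, so that suggestion cannot be verified against this region and should be checked against the rest of the PR before being accepted or dismissed. Since `requirements/base.in` is a pip-compile input rather than the resolved lock, confirm that the compiled requirements file is regenerated in the same change; otherwise the raised floors for mako and flask do not take effect in installs driven by the lock file.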
