uv.lock pins requests 2.32.3, below the 2.32.4 fix for CVE-2024-47081 #539

Description

@hamizan-azman

Hi, thanks for deepwiki-open. This is a low-priority dependency note about the lockfile.

The committed uv.lock pins requests to 2.32.3. That release is below 2.32.4, the version that fixes CVE-2024-47081 (also tracked as GHSA-9hjg-9r4m-mvj7), a .netrc credential leak through malicious redirect URLs. A fresh uv sync therefore installs a requests that still carries the issue. The api side is already fine, because api/poetry.lock resolves requests to 2.32.5.

Refreshing the uv lock so requests lands on 2.32.4 or later closes the gap. Please test compatibility first.

uv lock --upgrade-package requests

Low priority, and happy to open a PR if that helps.
