Pin secure versions of test dependencies to address CVEs#2043
Closed
rchiodo wants to merge 1 commit into
Conversation
The Debugpy-Build pipeline installs tests/requirements.txt, and Component Governance flags vulnerable versions in the installed dependency tree. Add secure minimum-version floors:

- pytest>=9.0.3 (CVE-2025-71176)
- requests>=2.33.0 (CVE-2026-25645)
- urllib3>=2.7.0 (CVE-2026-44431, CVE-2026-44432; transitive via requests)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
StellaHuang95
approved these changes
Jun 24, 2026
heejaechang
reviewed
Jun 24, 2026
| requests>=2.33.0 # CVE-2026-25645 (vulnerable < 2.33.0) | ||
| # urllib3 is pulled in transitively by requests; pin a secure floor for | ||
| # CVE-2026-44431 and CVE-2026-44432 (vulnerable 2.6.0 <= x < 2.7.0). | ||
| urllib3>=2.7.0 |
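Review bot: the block comment above `urllib3>=2.7.0` gives the vulnerable range as 2.6.0 <= x < 2.7.0, but the floor also rejects every release before 2.6.0, which that range says is unaffected; either state that the floor is deliberately stricter than the CVE range (reasonable for a test floor) or document why the older trains are excluded, so the comment is not read as the full rationale. The requests line carries its CVE note inline while urllib3 gets a block comment; pick one style. Since urllib3 is only reached transitively, this floor only bites if tests/requirements.txt is what the pipeline actually resolves; a constraints or lock file used by Debugpy-Build would override it silently, so it is worth recording where the resolution happens.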
Contributor
📍 tests/requirements.txt:3-24
These packages were already unpinned before this PR, so a fresh resolve already installs the secure versions (9.1.1 / 2.34.2 / 2.7.0). The floors only document a minimum and block future downgrades — they don't change what gets installed today. If Component Governance is flagging urllib3 2.6.x, the downgrade likely originates from a lockfile, a constraints.txt, or a stale cached resolution in the Debugpy-Build pipeline that this file doesn't touch. Please confirm a real CG re-scan against the pipeline actually clears the alert rather than relying only on the local dry-run.
heejaechang
approved these changes
Jun 24, 2026
heejaechang
left a comment
Contributor
Approved via Review Center.
Contributor
Author
/azp run

Azure Pipelines successfully started running 1 pipeline(s).
rchiodo
added a commit
that referenced
this pull request
Jun 24, 2026
* Drop Python 3.9/3.8 support and pin secure test dependency floors

pytest>=9.0.3, requests>=2.33.0 and urllib3>=2.7.0 all require Python >=3.10, so they have no installable candidate on Python 3.9. Since Python 3.9 and 3.8 are EOL, drop them from the test matrix and bump the minimum supported version to 3.10, and add the CVE-driven dependency floors (supersedes #2043).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* ci: restore x86 Windows leg on Python 3.10

* ci: drop x86 Windows leg (gevent has no cp310-win32 wheel)

The previously re-added py310_32 (32-bit Windows) leg runs `pip install -r tests/requirements.txt` on win32 CPython 3.10. gevent publishes no cp310-win32 wheel (only win_amd64), so pip would fall back to a source build of gevent/greenlet/libev/c-ares and risk failing the leg at install -- the same install-failure class this PR removes. numpy and Cython do ship cp310-win32 wheels, but there is no reliable PEP 508 marker to drop only gevent for a 32-bit interpreter on 64-bit Windows, so the leg is removed to keep CI green and consistent with the PR intent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Align pyproject.toml lint/type targets with Python 3.10 floor

Bump [tool.pyright] pythonVersion and [tool.ruff] target-version from 3.8/py38 to 3.10/py310 (and update the comment) so the Lint stage and pyright validate against the supported floor this PR converges on.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Summary

Adds secure minimum-version floors for test dependencies that Component Governance flags as vulnerable. The Debugpy-Build pipeline installs tests/requirements.txt, and CG scans the resulting (transitive) dependency tree, so the fix belongs here.

CVEs addressed

Changes

- pytest>=9.0.3
- requests>=2.33.0
- urllib3>=2.7.0 — pulled in transitively by requests, so an explicit floor is needed to force the secure version.

Minimum-version (>=) floors are used rather than exact pins so the suite continues to pick up future security releases.

Verification

pip install --dry-run resolves the floors to pytest 9.1.1, requests 2.34.2, urllib3 2.7.0 — all patched, no conflicts.

Notes

src/debugpy/_vendored/pydevd/ are out of scope here and would be handled by a separate pydevd subrepo update.
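The review comment above makes the point that a `>=` floor only documents a minimum; whether the pipeline actually ends up on a patched version depends on what gets resolved. The following is an added example, not code from this PR or from debugpy, of the check a practitioner would run after `pip install --dry-run` or in CI: it parses the floors out of requirements.txt text and compares them against a `pip freeze`-style listing of the resolved set, so a transitive package such as urllib3 is covered even though no direct dependency names it. The `FREEZE_STALE` listing is constructed for the example (it is not output captured from Debugpy-Build), the function names are the example's own, and version comparison is deliberately limited to dotted release segments such as 2.7.0; in a real pipeline use `packaging.version` for the full PEP 440 grammar.

```python
"""Check a resolved dependency set against CVE-driven minimum-version floors.

Added example; not code from the PR or from debugpy. Only ``name>=X.Y.Z``
lines are treated as floors, and only dotted release versions are compared.
"""
import re
from typing import Dict, List, Tuple

# Floors taken from the PR's tests/requirements.txt; other lines (comments,
# unpinned names) are ignored by parse_floors().
REQUIREMENTS = """
# test deps
pytest>=9.0.3      # CVE-2025-71176
requests>=2.33.0   # CVE-2026-25645 (vulnerable < 2.33.0)
# urllib3 is pulled in transitively by requests (CVE-2026-44431, CVE-2026-44432)
urllib3>=2.7.0
"""

# Constructed ``pip freeze`` output for an environment that still carries a
# stale urllib3, e.g. from a lockfile the requirements floors do not touch.
FREEZE_STALE = """
certifi==2026.1.4
charset-normalizer==3.4.2
idna==3.10
pytest==9.1.1
requests==2.34.2
urllib3==2.6.1
"""

FLOOR_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*>=\s*([0-9][0-9.]*)")
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)")


def normalize(name: str) -> str:
    # PEP 503 name normalisation so Requests, requests and REQUESTS compare equal.
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version: str) -> Tuple[int, ...]:
    # Release segment only: "2.7.0" -> (2, 7). Trailing zeros are stripped so
    # 2.7 and 2.7.0 compare equal, as PEP 440 release comparison requires.
    parts = [int(p) for p in version.strip().split(".") if p]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_floors(text: str) -> Dict[str, str]:
    """Map normalised package name -> minimum version from requirements text."""
    floors: Dict[str, str] = {}
    for line in text.splitlines():
        m = FLOOR_RE.match(line.split("#", 1)[0])  # drop trailing comments
        if m:
            floors[normalize(m.group(1))] = m.group(2)
    return floors


def parse_freeze(text: str) -> Dict[str, str]:
    """Map normalised package name -> resolved version from ``pip freeze`` text."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def check_floors(requirements: str, freeze: str) -> List[str]:
    """Return one finding per floor the resolved set does not satisfy."""
    floors = parse_floors(requirements)
    resolved = parse_freeze(freeze)
    findings: List[str] = []
    for name, floor in sorted(floors.items()):
        got = resolved.get(name)
        if got is None:
            # Not a vulnerability, but a floor on a package that never gets
            # installed is doing nothing and is worth reporting.
            findings.append(f"{name}: floor >={floor} but package not installed")
        elif version_key(got) < version_key(floor):
            findings.append(f"{name}=={got} is below floor >={floor}")
    return findings


if __name__ == "__main__":
    for finding in check_floors(REQUIREMENTS, FREEZE_STALE) or ["all floors satisfied"]:
        print(finding)
```

Feed it the real `pip freeze` of the pipeline's environment (or the dry-run report) rather than the constructed listing; a non-empty result is exactly the situation the reviewer describes, where the floors are correct but something else in the build is pinning the older version.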