[Snyk] Security upgrade ujson from 5.7.0 to 5.12.0#19
The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-UJSON-15682605
- https://snyk.io/vuln/SNYK-PYTHON-UJSON-15682606
Cursor Bugbot has reviewed your changes and found 2 potential issues.
| murmurhash>=0.28,<0.29 | ||
| plac<1.0.0,>=0.9.6 | ||
| ujson>=1.35 | ||
| ujson>=5.12.0 |
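Review bot: the replacement line `ujson>=5.12.0` is a bare lower bound, whereas the neighbouring entries in the same hunk (`murmurhash>=0.28,<0.29`, `plac<1.0.0,>=0.9.6`) each carry an upper bound; to keep the file's pinning style and avoid silently adopting a future major release, consider `ujson>=5.12.0,<6`. Since the PR body lists only requirements.txt as changed, the `ujson>=1.35` floor in setup.py's install_requires is not touched by this hunk and should be raised in the same change.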
Security fix incomplete: setup.py ujson version not updated
High Severity
The ujson version constraint in requirements.txt was bumped to >=5.12.0 to fix security vulnerabilities, but setup.py install_requires still specifies ujson>=1.35. Anyone installing this package via pip install . or from PyPI will resolve the old, vulnerable ujson version. The security fix is effectively incomplete because setup.py is the authoritative source for package installation dependencies.
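To catch exactly this kind of drift before merge, here is an added example (not code from this PR, from Snyk, or from the project) that compares the version floors declared in setup.py's install_requires against the specifiers pinned in requirements.txt. The requirements.txt content mirrors this PR's diff; the install_requires list is assumed apart from the `ujson>=1.35` entry the review above cites.

```python
import re

# Constructed inputs: requirements.txt mirrors this PR's diff; the setup.py
# install_requires list is assumed apart from the ujson>=1.35 entry Bugbot cites.
REQUIREMENTS_TXT = """\
murmurhash>=0.28,<0.29
plac<1.0.0,>=0.9.6
ujson>=5.12.0
"""
SETUP_INSTALL_REQUIRES = ["murmurhash>=0.28,<0.29", "plac<1.0.0,>=0.9.6", "ujson>=1.35"]

REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*$")
OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
       "!=": lambda a, b: a != b, ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def version_tuple(text, width=4):
    """'5.12.0' -> (5, 12, 0, 0); zero-padded so '1.0' and '1.0.0' compare equal."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def parse_requirement(line):
    """'name>=1.2,<2' -> ('name', [('>=', (1,2,0,0)), ('<', (2,0,0,0))]).
    Covers the plain operators used in this project's files, not ~= or extras."""
    name, spec_text = REQ_RE.match(line).groups()
    specs = []
    for spec in filter(None, (s.strip() for s in spec_text.split(","))):
        op = spec[:2] if spec[:2] in OPS else spec[:1]
        specs.append((op, version_tuple(spec[len(op):])))
    return name.lower(), specs

def lowest_admitted(specs):
    """Lowest version the specifier admits via >= or ==; None when unbounded below."""
    floors = [v for op, v in specs if op in (">=", "==")]
    return max(floors) if floors else None

def find_drift(requirements_txt, install_requires):
    """Map name -> install_requires entry for every entry that admits a version the
    pinned requirements.txt rejects (no floor at all, or a floor below the pin), i.e.
    a version `pip install .` could resolve even though the pin excludes it."""
    pinned = dict(parse_requirement(ln) for ln in requirements_txt.splitlines() if ln.strip())
    drift = {}
    for entry in install_requires:
        name, specs = parse_requirement(entry)
        floor = lowest_admitted(specs)
        if name in pinned and (floor is None or
                               not all(OPS[op](floor, b) for op, b in pinned[name])):
            drift[name] = entry
    return drift
```

Running `find_drift(REQUIREMENTS_TXT, SETUP_INSTALL_REQUIRES)` reports only `ujson`, the entry whose setup.py floor of 1.35 falls below the new `>=5.12.0` pin.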
| murmurhash>=0.28,<0.29 | ||
| plac<1.0.0,>=0.9.6 | ||
| ujson>=1.35 | ||
| ujson>=5.12.0 |
ujson 5.12.0 requires Python 3.10, breaking project compatibility
High Severity
ujson>=5.12.0 requires Python 3.10+, but this project declares support for Python 2.7, 3.4, 3.5, and 3.6 in its setup.py classifiers. Installing with requirements.txt will fail on every Python version this project officially supports, since none of them meet ujson 5.12.0's minimum Python requirement.


Snyk has created this PR to fix 2 vulnerabilities in the pip dependencies of this project.
Snyk changed the following file(s):
- requirements.txt
Learn how to fix vulnerabilities with free interactive lessons:
- Integer Overflow or Wraparound
- Missing Release of Memory after Effective Lifetime
Note
Low Risk
Low risk dependency-only change; main concern is potential minor behavior/performance differences in ujson affecting JSON serialization/deserialization at runtime.
Overview
Upgrades the ujson dependency in requirements.txt to >=5.12.0 to address reported security vulnerabilities.
Written by Cursor Bugbot for commit 26b0bf1.