
@arvion-bot-dev-felipe2
Automated Security Remediation

📂 Files Modified

  • setup.py

    • Updated dependency versions in install_requires to match the target versions for requests, PyYAML, Flask, Jinja2, SQLAlchemy, urllib3, and Werkzeug. Also updated python_requires from Python 2.7 to '>=3.8' to support the new versions of these dependencies, as many of them have dropped Python 2 support.
  • app/database.py

    • Applied several migrations for SQLAlchemy 2.0 compatibility. The call to create_engine was updated to include the mandatory future=True argument. Column declarations were updated to explicitly provide the column name as the first argument to align with the updated constructor signature. Additionally, Python 2-specific syntax such as the __unicode__ method, u'' string literals, and the unicode type have been updated to their Python 3 equivalents (__str__, '', str) to ensure compatibility with the upgraded dependencies which require a Python 3 runtime.

🔄 Migrations Performed

requests 2.5.3 → 2.32.5

🔒 Vulnerabilities Fixed:

  • Medium severity [CVE-2024-47081]: Requests vulnerable to .netrc credentials leak via malicious URLs
  • Medium severity [CVE-2024-35195]: Requests Session object does not verify requests after making first request with verify=False
  • Medium severity [CVE-2023-32681]: Unintended leak of Proxy-Authorization header in requests
  • Medium severity [CVE-2015-2296]: Python Requests Session Fixation
  • High severity [CVE-2018-18074]: Insufficiently Protected Credentials in Requests

⚠️ Breaking Changes Applied:

No breaking changes were applied for this dependency.


pyyaml 3.12 → 6.0.2

🔒 Vulnerabilities Fixed:

  • Critical severity [CVE-2020-14343]: Improper Input Validation in PyYAML
  • Critical severity [CVE-2017-18342]: PyYAML insecurely deserializes YAML strings leading to arbitrary code execution

⚠️ Breaking Changes Applied:

No breaking changes were applied for this dependency.


flask 0.12.2 → 3.1.2

🔒 Vulnerabilities Fixed:

  • High severity [CVE-2018-1000656]: Flask is vulnerable to Denial of Service via incorrect encoding of JSON data
  • High severity [CVE-2019-1010083]: Pallets Project Flask is vulnerable to Denial of Service via Unexpected memory usage
  • High severity [CVE-2023-30861]: Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header

⚠️ Breaking Changes Applied:

No breaking changes were applied for this dependency.


jinja2 2.8 → 3.1.6

🔒 Vulnerabilities Fixed:

  • High severity [CVE-2019-10906]: Jinja2 sandbox escape via string formatting
  • Medium severity [CVE-2025-27516]: Jinja2 vulnerable to sandbox breakout through attr filter selecting format method
  • Medium severity [CVE-2020-28493]: Regular Expression Denial of Service (ReDoS) in Jinja2
  • Medium severity [CVE-2024-22195]: Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
  • Medium severity [CVE-2024-34064]: Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
  • High severity [CVE-2016-10745]: Jinja2 sandbox escape vulnerability
  • Medium severity [CVE-2024-56326]: Jinja has a sandbox breakout through indirect reference to format method

⚠️ Breaking Changes Applied:

No breaking changes were applied for this dependency.


sqlalchemy 1.0.0 → 2.0.43

🔒 Vulnerabilities Fixed:

  • Critical severity [CVE-2019-7548]: SQLAlchemy is vulnerable to SQL Injection via group_by parameter
  • Critical severity [CVE-2019-7164]: SQLAlchemy vulnerable to SQL Injection via order_by parameter

⚠️ Breaking Changes Applied:

Symbol: sqlalchemy.Column

  • The Column constructor signature has changed, now explicitly defining name and type_ as the first two positional arguments. Previously, the type could sometimes be the first positional argument if the name was omitted or handled differently.

Symbol: sqlalchemy.create_engine

  • The future=True parameter is now mandatory for SQLAlchemy 2.0 and later for enabling modern SQL features.

urllib3 1.20 → 2.5.0

🔒 Vulnerabilities Fixed:

  • Medium severity [CVE-2024-37891]: urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects
  • Medium severity [CVE-2023-45803]: urllib3's request body not stripped after redirect from 303 status changes request method to GET
  • Medium severity [CVE-2018-25091]: Authorization Header forwarded on redirect
  • High severity [CVE-2019-11324]: Improper Certificate Validation in urllib3
  • Medium severity [CVE-2025-50181]: urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation
  • Medium severity [CVE-2019-11236]: Improper Neutralization of CRLF Sequences in urllib3 library for Python
  • High severity [CVE-2023-43804]: Cookie HTTP header isn't stripped on cross-origin redirects
  • Medium severity [CVE-2020-26137]: CRLF injection in urllib3
  • Critical severity [CVE-2018-20060]: Exposure of Sensitive Information to an Unauthorized Actor in urllib3
  • No severity [CVE-2021-33503]: An issue was discovered in urllib3 before 1.26.5. ...

⚠️ Breaking Changes Applied:

No breaking changes were applied for this dependency.


werkzeug 0.11 → 3.1.3

🔒 Vulnerabilities Fixed:

  • High severity [CVE-2024-34069]: Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain
  • Medium severity [CVE-2020-28724]: Open Redirect in werkzeug
  • Medium severity [CVE-2024-49766]: Werkzeug safe_join not safe on Windows
  • High severity [CVE-2019-14806]: Pallets Werkzeug Insufficient Entropy
  • Medium severity [CVE-2016-10516]: Pallets Werkzeug cross-site scripting vulnerability
  • Medium severity [CVE-2023-46136]: Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning
  • High severity [CVE-2019-14322]: Pallets Werkzeug vulnerable to Path Traversal
  • Low severity [CVE-2023-23934]: Incorrect parsing of nameless cookies leads to __Host- cookies bypass
  • Medium severity [CVE-2024-49767]: Werkzeug possible resource exhaustion when parsing file data in forms
  • High severity [CVE-2023-25577]: High resource usage when parsing multipart form data with many fields
  • No severity [CVE-2022-29361]: ** DISPUTED ** Improper parsing of HTTP requests i...

⚠️ Breaking Changes Applied:

No breaking changes were applied for this dependency.


🛠️ Additional Notes

  • Testing: Please ensure thorough testing after merging this PR to verify that all upgrades are compatible with your codebase.
  • Documentation: For detailed vulnerability reports and release notes, refer to the security advisories.
  • Support: For any questions or concerns, contact the Arvion Security Team at hello@arvion.ai.

📢 This PR was generated by Arvion's automated remediation system to enhance your repository's security while maintaining stability. 🚀
