@arvion-bot-dev-felipe2

Automated Security Remediation

📂 Files Modified

  • setup.py

    • Updated the version constraints for several dependencies in install_requires as per the migration plan, including requests, PyYAML, Flask, Jinja2, SQLAlchemy, urllib3, and Werkzeug. The python_requires was also changed from Python 2.7 to >=3.8 to support the new versions of these libraries, particularly Flask and Werkzeug.
  • app/database.py

    • The file was updated to be compatible with SQLAlchemy 2.0.43. The legacy declarative_base API was replaced with the modern DeclarativeBase superclass and Mapped annotations for model definitions. A raw SQL query was wrapped with text() as required by the new execute() behavior. Additionally, due to the project-wide Python version update to 3.8+, minor compatibility changes were made, such as renaming the __unicode__ method to __str__ and replacing a reference to the non-existent unicode type with str.

🔄 Migrations Performed

requests 2.5.3 → 2.32.5

🔒 Vulnerabilities Fixed:

  • Medium severity [CVE-2024-47081]: Requests vulnerable to .netrc credentials leak via malicious URLs
  • Medium severity [CVE-2024-35195]: Requests Session object does not verify requests after making first request with verify=False
  • Medium severity [CVE-2023-32681]: Unintended leak of Proxy-Authorization header in requests
  • Medium severity [CVE-2015-2296]: Python Requests Session Fixation
  • High severity [CVE-2018-18074]: Insufficiently Protected Credentials in Requests

⚠️ Breaking Changes Applied:

No breaking changes were applied for this dependency.


pyyaml 3.12 → 6.0.3

🔒 Vulnerabilities Fixed:

  • Critical severity [CVE-2020-14343]: Improper Input Validation in PyYAML
  • Critical severity [CVE-2017-18342]: PyYAML insecurely deserializes YAML strings leading to arbitrary code execution

⚠️ Breaking Changes Applied:

No breaking changes were applied for this dependency.


flask 0.12.2 → 3.1.2

🔒 Vulnerabilities Fixed:

  • High severity [CVE-2018-1000656]: Flask is vulnerable to Denial of Service via incorrect encoding of JSON data
  • High severity [CVE-2019-1010083]: Pallets Project Flask is vulnerable to Denial of Service via Unexpected memory usage
  • High severity [CVE-2023-30861]: Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header

⚠️ Breaking Changes Applied:

No breaking changes were applied for this dependency.


jinja2 2.8 → 3.1.6

🔒 Vulnerabilities Fixed:

  • High severity [CVE-2019-10906]: Jinja2 sandbox escape via string formatting
  • Medium severity [CVE-2025-27516]: Jinja2 vulnerable to sandbox breakout through attr filter selecting format method
  • Medium severity [CVE-2020-28493]: Regular Expression Denial of Service (ReDoS) in Jinja2
  • Medium severity [CVE-2024-22195]: Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
  • Medium severity [CVE-2024-34064]: Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
  • High severity [CVE-2016-10745]: Jinja2 sandbox escape vulnerability
  • Medium severity [CVE-2024-56326]: Jinja has a sandbox breakout through indirect reference to format method

⚠️ Breaking Changes Applied:

No breaking changes were applied for this dependency.


sqlalchemy 1.0.0 → 2.0.43

🔒 Vulnerabilities Fixed:

  • Critical severity [CVE-2019-7548]: SQLAlchemy is vulnerable to SQL Injection via group_by parameter
  • Critical severity [CVE-2019-7164]: SQLAlchemy vulnerable to SQL Injection via order_by parameter

⚠️ Breaking Changes Applied:

Symbol: sqlalchemy.ext.declarative.declarative_base

  • The sqlalchemy.ext.declarative.declarative_base function has been removed. The new declarative mapping API, using DeclarativeBase and type annotations with Mapped, should be used instead.

Symbol: sqlalchemy.create_engine

  • The execute() method now requires SQL strings to be explicitly wrapped using sqlalchemy.text(). This is a consequence of SQLAlchemy 2.0+ defaulting to future=True mode.

urllib3 1.20 → 2.5.0

🔒 Vulnerabilities Fixed:

  • Medium severity [CVE-2024-37891]: urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects
  • Medium severity [CVE-2023-45803]: urllib3's request body not stripped after redirect from 303 status changes request method to GET
  • Medium severity [CVE-2018-25091]: Authorization Header forwarded on redirect
  • High severity [CVE-2019-11324]: Improper Certificate Validation in urllib3
  • Medium severity [CVE-2025-50181]: urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation
  • Medium severity [CVE-2019-11236]: Improper Neutralization of CRLF Sequences in urllib3 library for Python
  • High severity [CVE-2023-43804]: Cookie HTTP header isn't stripped on cross-origin redirects
  • Medium severity [CVE-2020-26137]: CRLF injection in urllib3
  • Critical severity [CVE-2018-20060]: Exposure of Sensitive Information to an Unauthorized Actor in urllib3
  • No severity [CVE-2021-33503]: An issue was discovered in urllib3 before 1.26.5. ...

⚠️ Breaking Changes Applied:

No breaking changes were applied for this dependency.


werkzeug 0.11 → 3.1.3

🔒 Vulnerabilities Fixed:

  • High severity [CVE-2024-34069]: Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain
  • Medium severity [CVE-2020-28724]: Open Redirect in werkzeug
  • Medium severity [CVE-2024-49766]: Werkzeug safe_join not safe on Windows
  • High severity [CVE-2019-14806]: Pallets Werkzeug Insufficient Entropy
  • Medium severity [CVE-2016-10516]: Pallets Werkzeug cross-site scripting vulnerability
  • Medium severity [CVE-2023-46136]: Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning
  • High severity [CVE-2019-14322]: Pallets Werkzeug vulnerable to Path Traversal
  • Low severity [CVE-2023-23934]: Incorrect parsing of nameless cookies leads to __Host- cookies bypass
  • Medium severity [CVE-2024-49767]: Werkzeug possible resource exhaustion when parsing file data in forms
  • High severity [CVE-2023-25577]: High resource usage when parsing multipart form data with many fields
  • No severity [CVE-2022-29361]: ** DISPUTED ** Improper parsing of HTTP requests i...

⚠️ Breaking Changes Applied:

No breaking changes were applied for this dependency.


🛠️ Additional Notes

  • Testing: Please ensure thorough testing after merging this PR to verify that all upgrades are compatible with your codebase.
  • Documentation: For detailed vulnerability reports and release notes, refer to the security advisories.
  • Support: For any questions or concerns, contact the Arvion Security Team at hello@arvion.ai.

📢 This PR was generated by Arvion's automated remediation system to enhance your repository's security while maintaining stability. 🚀
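The PR above lists the versions each dependency was moved to, but a reviewer still has to confirm that the constraints actually written into `install_requires` cannot resolve back to a vulnerable release. The following stand-alone audit script is an added example, not code from Arvion or from the repository being patched. It takes its minimum versions from the migration table in this PR (the right-hand side of each `→`); the `INSTALL_REQUIRES` list and the `python_requires` strings it checks are constructed stand-ins for the updated `setup.py`, not the project's real file. It uses only the standard library, so it runs without `packaging` installed.

```python
"""Audit setup.py-style pins against the minimum versions a dependency
migration landed on.

Stdlib only. FIXED_VERSIONS is copied from the migration table in the PR
above; INSTALL_REQUIRES is a constructed example of the updated setup.py
(not the project's actual file).
"""
import re
from typing import Dict, List, Tuple

# Package -> version the migration upgraded to (from the PR's table).
FIXED_VERSIONS: Dict[str, str] = {
    "requests": "2.32.5",
    "pyyaml": "6.0.3",
    "flask": "3.1.2",
    "jinja2": "3.1.6",
    "sqlalchemy": "2.0.43",
    "urllib3": "2.5.0",
    "werkzeug": "3.1.3",
}

# Constructed stand-in for the updated install_requires (assumption).
INSTALL_REQUIRES: List[str] = [
    "requests>=2.32.5",
    "PyYAML>=6.0.3",
    "Flask>=3.1.2",
    "Jinja2>=3.1.6",
    "SQLAlchemy>=2.0.43,<3",
    "urllib3>=2.5.0",
    "Werkzeug>=3.1.3",
]

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
_SPEC_RE = re.compile(r"^(==|>=|<=|~=|!=|<|>)\s*([0-9][0-9A-Za-z.*]*)$")
# Operators that bound the allowed range from below.
_LOWER_OPS = ("==", ">=", "~=", ">")


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.0.43' -> (2, 0, 43). Non-numeric components ('*', 'rc1') end the
    tuple; pre-release ordering is deliberately not modelled, which is fine
    for the plain release pins a security migration produces."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_requirement(req: str) -> Tuple[str, List[Tuple[str, str]]]:
    """'Name>=1.2,<3' -> ('name', [('>=', '1.2'), ('<', '3')]).
    Names are normalized the way package indexes do (case-insensitive)."""
    m = _REQ_RE.match(req)
    if not m:
        raise ValueError(f"unparseable requirement: {req!r}")
    name = m.group(1).lower().replace("_", "-")
    specs = []
    for chunk in filter(None, (c.strip() for c in m.group(2).split(","))):
        sm = _SPEC_RE.match(chunk)
        if not sm:
            raise ValueError(f"unsupported specifier {chunk!r} in {req!r}")
        specs.append((sm.group(1), sm.group(2)))
    return name, specs


def audit(requirements: List[str], fixed: Dict[str, str] = FIXED_VERSIONS) -> Dict[str, str]:
    """Return {package: problem} for every tracked package whose constraint
    does not guarantee at least the fixed version. An empty dict means the
    pins cannot resolve to a release older than the migration target.
    '>x' is treated like '>=x' (conservative: '>2.32.4' is flagged for a
    2.32.5 target rather than trusted)."""
    problems: Dict[str, str] = {}
    seen = set()
    for req in requirements:
        name, specs = parse_requirement(req)
        if name not in fixed:
            continue
        seen.add(name)
        target = parse_version(fixed[name])
        bounds = [parse_version(v) for op, v in specs if op in _LOWER_OPS]
        if not bounds:
            problems[name] = f"{req!r} has no lower bound; any old release satisfies it"
        elif max(bounds) < target:
            problems[name] = f"{req!r} admits releases below {fixed[name]}"
    for name in fixed.keys() - seen:
        problems[name] = "not present in install_requires at all"
    return problems


def python_requires_ok(spec: str, minimum: str = "3.8") -> bool:
    """True if a python_requires string guarantees at least `minimum`
    (the PR moved it from 2.7 to >=3.8 for Flask 3 / Werkzeug 3)."""
    _, specs = parse_requirement("python" + spec)
    bounds = [parse_version(v) for op, v in specs if op in _LOWER_OPS]
    return bool(bounds) and max(bounds) >= parse_version(minimum)


if __name__ == "__main__":
    for pkg, why in sorted(audit(INSTALL_REQUIRES).items()):
        print(f"{pkg}: {why}")
    print("python_requires >=3.8 ok:", python_requires_ok(">=3.8"))
```

Run it against the real `setup.py` by pasting its `install_requires` list into `INSTALL_REQUIRES`; a non-empty result means a resolver could still pick a release the advisories above apply to, which is the case the "no lower bound" and "admits releases below" branches catch.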
