fix: pin idna>=3.15 to address medium Dependabot alert (SSRF via malformed Unicode) by devin-ai-integration[bot] · Pull Request #2239 · elementary-data/elementary

devin-ai-integration · 2026-05-24T05:58:44Z

Summary

Pin idna>=3.15,<4 as a direct dependency to address medium-severity Dependabot alert CVE-2025-46816 — SSRF via malformed Unicode in URL processing.

idna is a transitive dependency via requests. Without this pin, downstream users could resolve a vulnerable version (<3.15). The constraint >=3.15,<4 is compatible with requests's own idna>=2.5,<4 requirement.

Review & Testing Checklist for Human

Verify no downstream dependency conflicts (all dbt adapters still install cleanly with idna>=3.15)

Notes

This is a library (no lockfile), so the constraint takes effect when users install elementary-data
Linear ticket: https://linear.app/elementary/issue/CORE-863

Link to Devin session: https://app.devin.ai/sessions/3b77f05e8d024412af5fbeed3713803d
Requested by: @NoyaArie

Summary by CodeRabbit

Chores
- Pinned the idna dependency to a specific version range (>=3.15, <4) to ensure compatibility and stability across releases.

linear · 2026-05-24T05:58:46Z

CORE-863

devin-ai-integration · 2026-05-24T05:58:47Z

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

Disable automatic comment and CI monitoring

github-actions · 2026-05-24T05:58:52Z

👋 @devin-ai-integration[bot]
Thank you for raising your pull request.
Please make sure to add tests and document all user-facing changes.
You can do this by editing the docs files in this pull request.

coderabbitai · 2026-05-24T05:58:55Z

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b8fc8dc3-76e4-4aaf-a5e7-12261f801c3a

📥 Commits

Reviewing files that changed from the base of the PR and between 7345ce4 and b03a46c.

📒 Files selected for processing (1)

pyproject.toml

🚧 Files skipped from review as they are similar to previous changes (1)

pyproject.toml

📝 Walkthrough

Walkthrough

The PR adds idna as a direct dependency with version constraint >=3.15,<4 to [tool.poetry.dependencies] in pyproject.toml.

Changes

Dependency Management

Layer / File(s)	Summary
Add idna dependency `pyproject.toml`	The `idna` library is added to `[tool.poetry.dependencies]` with version constraint `>=3.15,<4`.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I hopped through lines, a careful scout,
I pinned idna so bugs get out,
A carrot for versions, neat and small,
Safe strings leap, no tumble or fall. 🐇✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and accurately describes the main change: pinning idna to >=3.15 to address CVE-2025-46816 with a specific security issue (SSRF via malformed Unicode).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Commit unit tests in branch core-863-fix-idna-dependabot-alert

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

elazarlachkar

One small comment; Please also rebase from master so the CI pass

…ormed Unicode) idna is a transitive dependency via requests. Pinning to >=3.15,<4 ensures the fix for CVE-2025-46816 is installed for all downstream users. Co-Authored-By: Noy Arie <noyarie1992@gmail.com>

Co-Authored-By: Noy Arie <noyarie1992@gmail.com>

devin-ai-integration · 2026-05-27T07:33:51Z

Done — rebased from master and added the comment. Both changes pushed.

devin-ai-integration Bot assigned NoyaArie May 24, 2026

devin-ai-integration Bot requested a review from NoyaArie May 24, 2026 05:58

arbiv approved these changes May 24, 2026

View reviewed changes

elazarlachkar requested changes May 27, 2026

View reviewed changes

Comment thread pyproject.toml Outdated

devin-ai-integration Bot and others added 2 commits May 27, 2026 07:33

fix: pin idna>=3.15 to address medium Dependabot alert (SSRF via malf…

9242ffd

…ormed Unicode) idna is a transitive dependency via requests. Pinning to >=3.15,<4 ensures the fix for CVE-2025-46816 is installed for all downstream users. Co-Authored-By: Noy Arie <noyarie1992@gmail.com>

add comment explaining idna pin per review feedback [run-e2e]

b03a46c

Co-Authored-By: Noy Arie <noyarie1992@gmail.com>

devin-ai-integration Bot force-pushed the core-863-fix-idna-dependabot-alert branch from 7345ce4 to b03a46c Compare May 27, 2026 07:33

elazarlachkar approved these changes May 27, 2026

View reviewed changes

elazarlachkar merged commit 17bd544 into master May 27, 2026
39 of 42 checks passed

elazarlachkar deleted the core-863-fix-idna-dependabot-alert branch May 27, 2026 08:39

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: pin idna>=3.15 to address medium Dependabot alert (SSRF via malformed Unicode)#2239

fix: pin idna>=3.15 to address medium Dependabot alert (SSRF via malformed Unicode)#2239
elazarlachkar merged 2 commits into
masterfrom
core-863-fix-idna-dependabot-alert

devin-ai-integration Bot commented May 24, 2026 •

edited by coderabbitai Bot

Loading

Uh oh!

linear Bot commented May 24, 2026

Uh oh!

devin-ai-integration Bot commented May 24, 2026

Uh oh!

github-actions Bot commented May 24, 2026

Uh oh!

coderabbitai Bot commented May 24, 2026 •

edited

Loading

Walkthrough

Changes

Estimated code review effort

Poem

Uh oh!

elazarlachkar left a comment

Uh oh!

Uh oh!

devin-ai-integration Bot commented May 27, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

devin-ai-integration Bot commented May 24, 2026 • edited by coderabbitai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Review & Testing Checklist for Human

Notes

Summary by CodeRabbit

Uh oh!

linear Bot commented May 24, 2026

Uh oh!

devin-ai-integration Bot commented May 24, 2026

🤖 Devin AI Engineer

Uh oh!

github-actions Bot commented May 24, 2026

Uh oh!

coderabbitai Bot commented May 24, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Estimated code review effort

Poem

Uh oh!

elazarlachkar left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

devin-ai-integration Bot commented May 27, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

devin-ai-integration Bot commented May 24, 2026 •

edited by coderabbitai Bot

Loading

coderabbitai Bot commented May 24, 2026 •

edited

Loading