Skip to content

Update dependencies to fix 11 CVEs#1645

Open
jamestford wants to merge 1 commit into
jmfernandes:masterfrom
jamestford:fix/update-dependencies
Open

Update dependencies to fix 11 CVEs#1645
jamestford wants to merge 1 commit into
jmfernandes:masterfrom
jamestford:fix/update-dependencies

Conversation

@jamestford

Copy link
Copy Markdown

Summary

Updates pinned dependency versions to resolve 11 known CVEs.

Changes

  • cryptography: 41.0.3 → >=46.0.5 (fixes 7 CVEs)
  • requests: 2.31.0 → >=2.32.4 (fixes 2 CVEs)
  • Changed pinned versions (==) to minimum versions (>=) for flexibility
  • Bumped version to 3.4.1

CVEs Fixed

cryptography

Severity CVE
HIGH CVE-2023-50782 (Bleichenbacher timing oracle attack)
HIGH CVE-2024-26130 (NULL pointer dereference)
HIGH CVE-2026-26007 (Subgroup attack due to missing validation)
MEDIUM CVE-2023-49083 (NULL-dereference loading PKCS7)
MEDIUM CVE-2024-0727 (OpenSSL denial of service)
MEDIUM GHSA-h4gh-qq45-vh27 (Vulnerable OpenSSL in wheels)
LOW GHSA-v8gr-m533-ghj9 (Vulnerable OpenSSL in wheels)

requests

Severity CVE
MEDIUM CVE-2024-35195 (Cert verification bypass after first request)
MEDIUM CVE-2024-47081 (.netrc credentials leak via malicious URLs)

Testing

No functional code changes — only dependency version bumps. Existing tests should pass unchanged.

- cryptography: 41.0.3 -> >=46.0.5 (fixes CVE-2023-50782, CVE-2024-26130, CVE-2026-26007, CVE-2023-49083, CVE-2024-0727, GHSA-h4gh-qq45-vh27, GHSA-v8gr-m533-ghj9)
- requests: 2.31.0 -> >=2.32.4 (fixes CVE-2024-35195, CVE-2024-47081)
- Changed pinned versions to minimum versions for flexibility
- Bumped version to 3.4.1
DhruvaBansal00 added a commit to DhruvaBansal00/robin_stocks that referenced this pull request May 23, 2026
Upstream PR jmfernandes#1645 (jmfernandes/robin_stocks). Pins to recent versions
that fix 11 CVEs across the cryptography and requests dependency
chains, including CVE-2023-50782 and CVE-2024-26130. Also raises the
floors in install_requires so the SDK ships with the same minimum
guarantees as the requirements file.

Supersedes Dependabot PRs jmfernandes#494 and jmfernandes#495 which targeted older versions.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
DhruvaBansal00 added a commit to DhruvaBansal00/robin_stocks that referenced this pull request May 23, 2026
@DhruvaBansal00

Copy link
Copy Markdown

Thanks for this contribution! jmfernandes/robin_stocks appears to be unmaintained, so I've started a community-maintained fork at https://github.com/DhruvaBansal00/robin_stocks_v2 and merged this PR there: DhruvaBansal00/robin_stocks_v2@b68c66b

It's included with test coverage in the new repo, alongside 11 other open PRs from here. If you'd like a maintained build with this change, that's where to find it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants