chore(deps): bump urllib3 from 2.6.3 to 2.7.0 in /examples/example-ai-together-ai

[dependabot]

Bumps urllib3 from 2.6.3 to 2.7.0.

Release notes

Sourced from urllib3's releases.

2.7.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security

Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.

• Decompression-bomb safeguards of the streaming API were bypassed:

  1. When HTTPResponse.drain_conn() was called after the response had been read and decompressed partially. (Reported by @​Cycloctane)
  2. During the second HTTPResponse.read(amt=N) or HTTPResponse.stream(amt=N) call when the response was decompressed using the official Brotli library. (Reported by @​kimkou2024)

  See GHSA-mf9v-mfxr-j63j for details.

• HTTP pools created using ProxyManager.connection_from_url did not strip sensitive headers specified in Retry.remove_headers_on_redirect when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by @​christos-spearbit)

Deprecations and Removals

• Used FutureWarning instead of DeprecationWarning for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (urllib3/urllib3#3763)
• Removed support for end-of-life Python 3.9. (urllib3/urllib3#3720)
• Removed support for end-of-life PyPy3.10. (urllib3/urllib3#4979)
• Bumped the minimum supported pyOpenSSL version to 19.0.0. (urllib3/urllib3#3777)

Bugfixes

• Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed data buffered from previous partial reads. (urllib3/urllib3#3636)
• Fixed a bug where HTTPResponse.read() could cache only part of the response after a partial read when cache_content=True. (urllib3/urllib3#4967)
• Fixed HTTPResponse.stream() and HTTPResponse.read_chunked() to handle amt=0. (urllib3/urllib3#3793)
• Updated _TYPE_BODY type alias to include missing Iterable[str], matching the documented and runtime behavior of chunked request bodies. (urllib3/urllib3#3798)
• Fixed LocationParseError when paths resembling schemeless URIs were passed to HTTPConnectionPool.urlopen(). (urllib3/urllib3#3352)
• Fixed BaseHTTPResponse.readinto() type annotation to accept memoryview in addition to bytearray, matching the io.RawIOBase.readinto contract and enabling use with io.BufferedReader without type errors. (urllib3/urllib3#3764)

Changelog

Sourced from urllib3's changelog.

2.7.0 (2026-05-07)

Security

Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.

• Decompression-bomb safeguards of the streaming API were bypassed:

  1. When HTTPResponse.drain_conn() was called after the response had been read and decompressed partially.
  2. During the second HTTPResponse.read(amt=N) or HTTPResponse.stream(amt=N) call when the response was decompressed using the official Brotli <https://pypi.org/project/brotli/>__ library.

  See GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j>__ for details.

• HTTP pools created using ProxyManager.connection_from_url did not strip sensitive headers specified in Retry.remove_headers_on_redirect when redirecting to a different host. (GHSA-qccp-gfcp-xxvc <https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc>__)

Deprecations and Removals

• Used FutureWarning instead of DeprecationWarning for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. ([#3763](https://github.com/urllib3/urllib3/issues/3763) <https://github.com/urllib3/urllib3/issues/3763>__)
• Removed support for end-of-life Python 3.9. ([#3720](https://github.com/urllib3/urllib3/issues/3720) <https://github.com/urllib3/urllib3/issues/3720>__)
• Removed support for end-of-life PyPy3.10. ([#4979](https://github.com/urllib3/urllib3/issues/4979) <https://github.com/urllib3/urllib3/issues/4979>__)
• Bumped the minimum supported pyOpenSSL version to 19.0.0. ([#3777](https://github.com/urllib3/urllib3/issues/3777) <https://github.com/urllib3/urllib3/issues/3777>__)

Bugfixes

• Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed data buffered from previous partial reads. ([#3636](https://github.com/urllib3/urllib3/issues/3636) <https://github.com/urllib3/urllib3/issues/3636>__)
• Fixed a bug where HTTPResponse.read() could cache only part of the response after a partial read when cache_content=True.

... (truncated)

Commits

• 9a950b9 Release 2.7.0
• 5ec0de4 Merge commit from fork
• 2bdcc44 Merge commit from fork
• f45b0df Fix a misleading example for ProxyManager (#4970)
• 577193c Switch to nightly PyPy3.11 in CI for now (#4984)
• e90af45 Avoid infinite loop in HTTPResponse.read_chunked when amt=0 (#4974)
• 67ed74f Bump dev dependencies (#4972)
• 3abd481 Upgrade mypy to version 1.20.2 (#4978)
• 2b8725d Drop support for EOL PyPy3.10 (#4979)
• 2944b2a Upgrade setup-chrome and setup-firefox to fix warnings (#4973)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	semantic-kernel@​1.36.0
	django@​5.2.7
	django@​5.2.4
	setuptools@​80.9.0
	setuptools@​82.0.1
	requests@​2.15.1
	litellm@​1.83.7
	langchain-community@​0.4.1
	google-genai@​1.69.0
	google-genai@​1.68.0
	langchain-core@​1.2.23
	langchain-core@​1.2.22
	wheel@​0.45.1
	lxml@​6.0.0
	mypy@​1.16.1
	langgraph@​1.1.3
	langgraph@​1.1.4
	crewai@​0.95.0
	llama-index@​0.14.19
	pydantic-ai@​1.71.0
	pytest@​8.4.1
	pytest@​8.4.2
	openai-agents@​0.13.1
	google-genai@​1.24.0
	pre-commit@​4.2.0
	coverage@​7.9.2
	dspy@​3.1.3
	openai@​2.29.0
	openai@​2.30.0
	portkey-ai@​2.2.0
	smolagents@​1.24.0
	instructor@​1.14.5
	uvicorn@​0.42.0
See 66 more rows in the dashboard

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Critical CVE: Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects. CVE: GHSA-frmv-pr5f-9mcr Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects. (CRITICAL) Affected versions: >= 5.2a1 < 5.2.8; >= 5.0a1 < 5.1.14; < 4.2.26 Patched version: 5.2.8 From: pyproject.toml → pypi/django@5.2.4 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Critical CVE: Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects. CVE: GHSA-frmv-pr5f-9mcr Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects. (CRITICAL) Affected versions: >= 5.2a1 < 5.2.8; >= 5.0a1 < 5.1.14; < 4.2.26 Patched version: 5.2.8 From: integration_tests/django5/pyproject.toml → pypi/django@5.2.7 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Critical CVE: Semantic Kernel has Arbitrary File Write via AI Agent Function Calling in .NET SDK in pypi semantic-kernel CVE: GHSA-2ww3-72rp-wpp4 Semantic Kernel has Arbitrary File Write via AI Agent Function Calling in .NET SDK (CRITICAL) Affected versions: < 1.39.3 Patched version: 1.39.3 From: examples/example-ai-semantic-kernel/pyproject.toml → pypi/semantic-kernel@1.36.0 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/semantic-kernel@1.36.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Critical CVE: Microsoft Semantic Kernel InMemoryVectorStore filter functionality vulnerable to remote code execution in pypi semantic-kernel CVE: GHSA-xjw9-4gw8-4rqx Microsoft Semantic Kernel InMemoryVectorStore filter functionality vulnerable to remote code execution (CRITICAL) Affected versions: < 1.39.4 Patched version: 1.39.4 From: examples/example-ai-semantic-kernel/pyproject.toml → pypi/semantic-kernel@1.36.0 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/semantic-kernel@1.36.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Django is subject to SQL injection through its column aliases CVE: GHSA-6w2r-r2m5-xq5w Django is subject to SQL injection through its column aliases (HIGH) Affected versions: < 4.2.24; >= 5.0a1 < 5.1.12; >= 5.2a1 < 5.2.6 Patched version: 5.2.6 From: pyproject.toml → pypi/django@5.2.4 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Django has an SQL Injection issue CVE: GHSA-gvg8-93h5-g6qq Django has an SQL Injection issue (HIGH) Affected versions: >= 6.0a1 < 6.0.2; >= 5.2a1 < 5.2.11; >= 4.2a1 < 4.2.28 Patched version: 5.2.11 From: pyproject.toml → pypi/django@5.2.4 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Django has an SQL Injection issue CVE: GHSA-mwm9-4648-f68q Django has an SQL Injection issue (HIGH) Affected versions: >= 6.0a1 < 6.0.2; >= 5.2a1 < 5.2.11; >= 4.2a1 < 4.2.28 Patched version: 5.2.11 From: pyproject.toml → pypi/django@5.2.4 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Django vulnerable to Uncontrolled Resource Consumption CVE: GHSA-8p8v-wh79-9r56 Django vulnerable to Uncontrolled Resource Consumption (HIGH) Affected versions: >= 6.0 < 6.0.3; >= 5.2 < 5.2.12; >= 4.2 < 4.2.29 Patched version: 5.2.12 From: pyproject.toml → pypi/django@5.2.4 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Django vulnerable to ASGI header spoofing via underscore/hyphen conflation CVE: GHSA-mvfq-ggxm-9mc5 Django vulnerable to ASGI header spoofing via underscore/hyphen conflation (HIGH) Affected versions: >= 6.0 < 6.0.4; >= 5.2 < 5.2.13; >= 4.2 < 4.2.30 Patched version: 5.2.13 From: pyproject.toml → pypi/django@5.2.4 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Django: SGI requests with a missing or understated Content-Length header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit CVE: GHSA-933h-hp56-hf7m Django: SGI requests with a missing or understated Content-Length header could bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit (HIGH) Affected versions: >= 6.0 < 6.0.4; >= 5.2 < 5.2.13; >= 4.2 < 4.2.30 Patched version: 5.2.13 From: pyproject.toml → pypi/django@5.2.4 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Django vulnerable to SQL injection in column aliases CVE: GHSA-hpr9-3m2g-3j9p Django vulnerable to SQL injection in column aliases (HIGH) Affected versions: >= 4.2 < 4.2.25; >= 5.1 < 5.1.13; >= 5.2 < 5.2.7 Patched version: 5.2.7 From: pyproject.toml → pypi/django@5.2.4 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows CVE: GHSA-qw25-v68c-qjf3 Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows (HIGH) Affected versions: >= 5.2a1 < 5.2.8; >= 5.0a1 < 5.1.14; < 4.2.26 Patched version: 5.2.8 From: pyproject.toml → pypi/django@5.2.4 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Django has an SQL Injection issue CVE: GHSA-gvg8-93h5-g6qq Django has an SQL Injection issue (HIGH) Affected versions: >= 6.0a1 < 6.0.2; >= 5.2a1 < 5.2.11; >= 4.2a1 < 4.2.28 Patched version: 5.2.11 From: integration_tests/django5/pyproject.toml → pypi/django@5.2.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Django has an SQL Injection issue CVE: GHSA-mwm9-4648-f68q Django has an SQL Injection issue (HIGH) Affected versions: >= 6.0a1 < 6.0.2; >= 5.2a1 < 5.2.11; >= 4.2a1 < 4.2.28 Patched version: 5.2.11 From: integration_tests/django5/pyproject.toml → pypi/django@5.2.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Django vulnerable to Uncontrolled Resource Consumption CVE: GHSA-8p8v-wh79-9r56 Django vulnerable to Uncontrolled Resource Consumption (HIGH) Affected versions: >= 6.0 < 6.0.3; >= 5.2 < 5.2.12; >= 4.2 < 4.2.29 Patched version: 5.2.12 From: integration_tests/django5/pyproject.toml → pypi/django@5.2.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Django vulnerable to ASGI header spoofing via underscore/hyphen conflation CVE: GHSA-mvfq-ggxm-9mc5 Django vulnerable to ASGI header spoofing via underscore/hyphen conflation (HIGH) Affected versions: >= 6.0 < 6.0.4; >= 5.2 < 5.2.13; >= 4.2 < 4.2.30 Patched version: 5.2.13 From: integration_tests/django5/pyproject.toml → pypi/django@5.2.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Django: SGI requests with a missing or understated Content-Length header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit CVE: GHSA-933h-hp56-hf7m Django: SGI requests with a missing or understated Content-Length header could bypass the DATA_UPLOAD_MAX_MEMORY_SIZE limit (HIGH) Affected versions: >= 6.0 < 6.0.4; >= 5.2 < 5.2.13; >= 4.2 < 4.2.30 Patched version: 5.2.13 From: integration_tests/django5/pyproject.toml → pypi/django@5.2.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows CVE: GHSA-qw25-v68c-qjf3 Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows (HIGH) Affected versions: >= 5.2a1 < 5.2.8; >= 5.0a1 < 5.1.14; < 4.2.26 Patched version: 5.2.8 From: integration_tests/django5/pyproject.toml → pypi/django@5.2.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad load() allowlists in pypi `langchain-core` CVE: GHSA-pjwx-r37v-7724 LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad load() allowlists (HIGH) Affected versions: >= 1.0.0 < 1.3.3; < 0.3.85 Patched version: 1.3.3 From: pyproject.toml → pypi/langchain-core@1.2.22 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/langchain-core@1.2.22. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad load() allowlists in pypi `langchain-core` CVE: GHSA-pjwx-r37v-7724 LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad load() allowlists (HIGH) Affected versions: >= 1.0.0 < 1.3.3; < 0.3.85 Patched version: 1.3.3 From: examples/example-ai-langchain/uv.lock → pypi/langchain-core@1.2.23 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/langchain-core@1.2.23. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: pypi lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files CVE: GHSA-vfmq-68hx-4jfw lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files (HIGH) Affected versions: < 6.1.0 Patched version: 6.1.0 From: pyproject.toml → pypi/lxml@6.0.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/lxml@6.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Insufficiently Protected Credentials in Requests CVE: GHSA-x84v-xcm2-53pg Insufficiently Protected Credentials in Requests (HIGH) Affected versions: < 2.20.0 Patched version: 2.20.0 From: examples/example-ai-together-ai/uv.lock → pypi/requests@2.15.1 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/requests@2.15.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Wheel Affected by Arbitrary File Permission Modification via Path Traversal in pypi wheel unpack CVE: GHSA-8rrh-rw8j-w5fx Wheel Affected by Arbitrary File Permission Modification via Path Traversal in wheel unpack (HIGH) Affected versions: >= 0.40.0 < 0.46.2 Patched version: 0.46.2 From: pyproject.toml → pypi/wheel@0.45.1 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/wheel@0.45.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[github-actions]

posthog-python Compliance Report

Date: 2026-05-11 17:32:26 UTC
Duration: 4674315ms

⚠️ Some Tests Failed

29/45 tests passed, 16 failed

---

Capture Tests

✅ 29/29 tests passed

View Details

Test	Status	Duration
Format Validation.Event Has Required Fields	✅	515ms
Format Validation.Event Has Uuid	✅	1506ms
Format Validation.Event Has Lib Properties	✅	1505ms
Format Validation.Distinct Id Is String	✅	1505ms
Format Validation.Token Is Present	✅	1505ms
Format Validation.Custom Properties Preserved	✅	1504ms
Format Validation.Event Has Timestamp	✅	1505ms
Retry Behavior.Retries On 503	✅	9516ms
Retry Behavior.Does Not Retry On 400	✅	3504ms
Retry Behavior.Does Not Retry On 401	✅	3506ms
Retry Behavior.Respects Retry After Header	✅	9507ms
Retry Behavior.Implements Backoff	✅	23529ms
Retry Behavior.Retries On 500	✅	7501ms
Retry Behavior.Retries On 502	✅	7509ms
Retry Behavior.Retries On 504	✅	7509ms
Retry Behavior.Max Retries Respected	✅	23512ms
Deduplication.Generates Unique Uuids	✅	1505ms
Deduplication.Preserves Uuid On Retry	✅	7508ms
Deduplication.Preserves Uuid And Timestamp On Retry	✅	14521ms
Deduplication.Preserves Uuid And Timestamp On Batch Retry	✅	7506ms
Deduplication.No Duplicate Events In Batch	✅	1502ms
Deduplication.Different Events Have Different Uuids	✅	1505ms
Compression.Sends Gzip When Enabled	✅	1505ms
Batch Format.Uses Proper Batch Structure	✅	1504ms
Batch Format.Flush With No Events Sends Nothing	✅	1004ms
Batch Format.Multiple Events Batched Together	✅	1503ms
Error Handling.Does Not Retry On 403	✅	3507ms
Error Handling.Does Not Retry On 413	✅	3506ms
Error Handling.Retries On 408	✅	7510ms

Feature_Flags Tests

⚠️ 0/16 tests passed, 16 failed

View Details

Test	Status	Duration
Request Payload.Request With Person Properties Device Id	❌	503ms
Request Payload.Flags Request Uses V2 Query Param	❌	300303ms
Request Payload.Flags Request Hits Flags Path Not Decide	❌	301029ms
Request Payload.Flags Request Omits Authorization Header	❌	300987ms
Request Payload.Token In Flags Body Matches Init	❌	300993ms
Request Payload.Groups Round Trip	❌	300964ms
Request Payload.Groups Default To Empty Object	❌	301048ms
Request Payload.Person Properties Distinct Id Auto Populated When Caller Omits It	❌	301028ms
Request Payload.Disable Geoip False Propagates As Geoip Disable False	❌	300928ms
Request Payload.Disable Geoip Omitted Defaults To False	❌	301039ms
Request Payload.Flag Keys To Evaluate Contains Only Requested Key	❌	301013ms
Request Lifecycle.No Flags Request On Init Alone	❌	300997ms
Request Lifecycle.No Flags Request On Normal Capture	❌	300990ms
Request Lifecycle.Two Flag Calls Produce Two Remote Requests	❌	300999ms
Request Lifecycle.Mock Response Value Is Returned To Caller	❌	301034ms
Side Effect Events.Get Feature Flag Captures Feature Flag Called Event	❌	301000ms

Failures

request_payload.request_with_person_properties_device_id

Field 'token' not found in /flags request body at path 'token'. Available keys: ['distinct_id', 'groups', 'person_properties', 'group_properties', 'geoip_disable', 'device_id', 'flag_keys_to_evaluate', 'sentAt', 'api_key']

request_payload.flags_request_uses_v2_query_param

No error message

request_payload.flags_request_hits_flags_path_not_decide

No error message

request_payload.flags_request_omits_authorization_header

No error message

request_payload.token_in_flags_body_matches_init

No error message

request_payload.groups_round_trip

No error message

request_payload.groups_default_to_empty_object

No error message

request_payload.person_properties_distinct_id_auto_populated_when_caller_omits_it

No error message

request_payload.disable_geoip_false_propagates_as_geoip_disable_false

No error message

request_payload.disable_geoip_omitted_defaults_to_false

No error message

request_payload.flag_keys_to_evaluate_contains_only_requested_key

No error message

request_lifecycle.no_flags_request_on_init_alone

No error message

request_lifecycle.no_flags_request_on_normal_capture

No error message

request_lifecycle.two_flag_calls_produce_two_remote_requests

No error message

request_lifecycle.mock_response_value_is_returned_to_caller

No error message

side_effect_events.get_feature_flag_captures_feature_flag_called_event

No error message