Skip to content

Update NLTK to 3.9.1 to address security vulnerability #2960

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 24, 2025
Merged

Update NLTK to 3.9.1 to address security vulnerability #2960

merged 1 commit into from
Jun 24, 2025

Conversation

skord
Copy link
Member

@skord skord commented Jun 23, 2025
edited by jgraettinger
Loading

Resolves nltk/nltk#3266 - remote code execution vulnerability in NLTK versions < 3.9.1. This addresses a high-severity dependabot alert by explicitly pinning NLTK to ^3.9.1 in both estuary-cdk and source-qualtrics dependencies.

🤖 Generated with Claude Code

This change is Reviewable

@skord @claude
Update NLTK to 3.9.1 to address security vulnerability
06fed9c 
Resolves nltk/nltk#3266 - remote code execution
vulnerability in NLTK versions < 3.9.1. This addresses a high-severity
dependabot alert by explicitly pinning NLTK to ^3.9.1 in both
estuary-cdk and source-qualtrics dependencies.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@skord skord requested a review from a team June 23, 2025 20:44
@skord skord self-assigned this Jun 23, 2025
@skord skord added Security Security Related change:unplanned Unplanned change, useful for things like doc updates labels Jun 23, 2025
Alex-Bair
Alex-Bair approved these changes Jun 24, 2025
View reviewed changes
Copy link
Member

@Alex-Bair Alex-Bair left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM % does nltk also need bumped in source-brevo?

@skord
Copy link
Member Author

skord commented Jun 24, 2025

Weird and good catch @Alex-Bair, Dependabot did not get triggered for this but I've updated it and pushed.

@skord skord requested a review from Alex-Bair June 24, 2025 13:41
@Alex-Bair
Copy link
Member

source-brevo's poetry.lock needs updated so the build will succeed & tests can pass. You should be able to do something like poetry lock --no-update or just poetry lock in the source-brevo directory, and that should take care of it.

@skord skord force-pushed the mdanko/update-ntlk-versions branch from 11ada2b to 06fed9c Compare June 24, 2025 14:02
@skord
Copy link
Member Author

skord commented Jun 24, 2025

There is a circular dependency with estuary-cdk. I am trying to get this through the door to resolve dependabot issues. Do I need to bump the estuary-cdk version if updating it's dependencies?

@Alex-Bair
Copy link
Member

I don't think bumping the estuary-cdk version will fix that. I'll look into it & figure out what needs to happen. Resolving dependencies for imported connectors like source-brevo can be a pain.

Alex-Bair
Alex-Bair approved these changes Jun 24, 2025
View reviewed changes
Copy link
Member

@Alex-Bair Alex-Bair left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Updating source-brevo is more complicated due to messy dependencies. I'll work on a PR to update that one soon.

@skord skord merged commit 02282f8 into main Jun 24, 2025
194 of 204 checks passed
@skord skord deleted the mdanko/update-ntlk-versions branch June 24, 2025 15:21
@Alex-Bair Alex-Bair mentioned this pull request Jun 24, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Alex-Bair Alex-Bair Alex-Bair approved these changes

Assignees

@skord skord

Labels
change:unplanned Unplanned change, useful for things like doc updates Security Security Related
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Remote code execution vulnerability in NLTK
2 participants
@skord @Alex-Bair