The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-PROTOBUF-15090738
- https://snyk.io/vuln/SNYK-PYTHON-ZIPP-7430899
Cursor Bugbot has reviewed your changes and found 2 potential issues.
| wheel>=0.38.0 # not directly required, pinned by Snyk to avoid a vulnerability No newline at end of file | ||
| wheel>=0.38.0 # not directly required, pinned by Snyk to avoid a vulnerability | ||
| protobuf>=5.29.6 # not directly required, pinned by Snyk to avoid a vulnerability | ||
| zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability No newline at end of file |
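Review bot: The added protobuf>=5.29.6 and zipp>=3.19.1 lines are open-ended lower bounds, although their trailing comments call them pinned, so a fresh install can resolve to any later release, including a future major version, and two installs of the same commit need not match. Consider bounding each range (for example protobuf>=5.29.6,<6) or recording exact versions in a constraints or lock file. The last added line is also still marked "No newline at end of file"; ending the file with a newline keeps the next appended requirement from showing up as a change to the zipp line.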
Major protobuf upgrade may break pytorch-lightning TensorBoard logging
High Severity
The upgrade from protobuf 3.20.3 to >=5.29.6 introduces a major version jump that has documented compatibility issues with the existing pytorch-lightning==1.6.0rc0 dependency. This older pytorch-lightning version uses TensorBoard, which has known import failures when protobuf > 3.20 is installed. The project's launcher.py uses pl.loggers.TensorBoardLogger, so training will likely fail at import time with errors like TypeError or AttributeError in protobuf-related code paths.
| wheel>=0.38.0 # not directly required, pinned by Snyk to avoid a vulnerability No newline at end of file | ||
| wheel>=0.38.0 # not directly required, pinned by Snyk to avoid a vulnerability | ||
| protobuf>=5.29.6 # not directly required, pinned by Snyk to avoid a vulnerability | ||
| zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability No newline at end of file |
Zipp upgrade incompatible with project's Python 3.7 requirement
High Severity
The zipp>=3.19.1 requirement is incompatible with Python 3.7, which the project officially supports and documents in the README installation instructions. Starting from zipp 3.16.0, the package requires Python >= 3.8. Users following the documented setup (conda create -n "PyCaptcha" python=3.7) will encounter installation failures when pip attempts to resolve this dependency.
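A pre-merge check for the kind of conflict described in the comment above, as an added example that is not part of the PR or of Snyk's or Bugbot's output. The function names and the `PYTHON_FLOORS` table are hypothetical; the table is constructed from the one fact stated on the page (zipp 3.16.0 and later require Python >= 3.8) and assumes a package's Python floor never drops in later releases.

```python
import re

# Constructed table (assumption): package -> [(first release, minimum Python)].
# Only the zipp entry comes from the review comment; a real check would read
# Requires-Python from package index metadata instead.
PYTHON_FLOORS = {"zipp": [("3.16.0", (3, 8))]}

REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(>=|==)\s*(\d+(?:\.\d+)*)$")
# The three requirement lines as they stand after the PR, used as sample input.
SAMPLE = """\
wheel>=0.38.0 # not directly required, pinned by Snyk to avoid a vulnerability
protobuf>=5.29.6 # not directly required, pinned by Snyk to avoid a vulnerability
zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability
"""


def as_tuple(version):
    """'3.16.0' -> (3, 16); trailing zeros dropped so 3.16 equals 3.16.0."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_requirement(line):
    """Return (name, operator, version tuple), or None for unhandled lines."""
    match = REQ_RE.match(line.split("#", 1)[0].strip())  # drop the comment
    if not match:
        return None
    name, op, version = match.groups()
    return name.lower(), op, as_tuple(version)


def find_python_conflicts(requirements_text, target_python, floors=PYTHON_FLOORS):
    """List requirements whose lowest allowed release needs a newer Python."""
    conflicts = []
    for parsed in map(parse_requirement, requirements_text.splitlines()):
        if parsed is None:
            continue
        name, op, version = parsed
        needed = max((py for first, py in floors.get(name, [])
                      if version >= as_tuple(first)), default=None)
        if needed is not None and needed > target_python:
            conflicts.append((name, op, version, needed))
    return conflicts


if __name__ == "__main__":
    print(find_python_conflicts(SAMPLE, (3, 7)))  # README targets Python 3.7
```

Run against the interpreter version the README documents before merging an automated fix PR; an empty list means no requirement in the file forces a newer Python according to the table.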


Snyk has created this PR to fix 2 vulnerabilities in the pip dependencies of this project.
Snyk changed the following file(s):
requirements.txt

Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
Note
Low Risk
Dependency-only changes; main risk is compatibility/regression from forcing newer protobuf/zipp versions during installs.

Overview
Updates requirements.txt to include explicit minimum versions for transitive dependencies protobuf (>=5.29.6) and zipp (>=3.19.1) to address reported Snyk vulnerabilities, and ensures wheel remains pinned (>=0.38.0).

Written by Cursor Bugbot for commit f11e41a.