[Snyk] Fix for 6 vulnerabilities

[ashmuck]

Snyk has created this PR to fix 6 vulnerabilities in the pip dependencies of this project.

Snyk changed the following file(s):

• requirements.txt

⚠️ Warning

ipywidgets 8.1.8 has requirement comm>=0.1.3, but you have comm 0.1.2.
ipywidgets 8.1.8 has requirement widgetsnbextension~=4.0.14, but you have widgetsnbextension 4.0.5.
indico-client 5.1.4 requires pandas, which is not installed.
indico-client 5.1.4 has requirement requests==2.22.0, but you have requests 2.31.0.
indico-client 5.1.4 has requirement importlib-metadata~=1.0, but you have importlib-metadata 6.7.0.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.
• Snyk has automatically assigned this pull request, set who gets assigned.
• Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
👩‍💻 Set who automatically gets assigned
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cross-site Scripting (XSS)
🦉 Missing Authentication for Critical Function
🦉 Directory Traversal
🦉 More lessons are available in Snyk Learn

---

Note

Medium Risk
Upgrades foundational libraries (requests and nltk) to newer major/minor versions; while the change is isolated to dependency pins, it can affect runtime behavior and compatibility of HTTP and NLP-related code paths.

Overview
Updates requirements.txt to remediate reported vulnerabilities by bumping nltk from 3.8.1 to 3.9.4 and requests from 2.22.0 to 2.33.0.

^{Written by Cursor Bugbot for commit 0528646. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 3 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Pinned urllib3 version incompatible with upgraded requests

High Severity

Upgrading requests to 2.33.0 without updating urllib3 breaks dependency resolution. requests==2.33.0 requires urllib3>=1.26,<3, but urllib3==1.25.11 is still pinned in the file. This will cause pip installation to fail or produce an inconsistent environment.

Additional Locations (1)

• requirements.txt#L112-L113

 

[cursor]

Pinned certifi version incompatible with upgraded requests

High Severity

requests==2.33.0 requires certifi>=2023.5.7, but certifi==2022.12.7 is pinned in the file. This dependency conflict will prevent successful installation or create an environment that violates requests' stated requirements.

Additional Locations (1)

• requirements.txt#L12-L13

 

[cursor]

indico-client exact pin on requests==2.22.0 now broken

High Severity

indico-client==5.1.4 has an exact pin requiring requests==2.22.0. The previous requirements.txt satisfied this by pinning requests==2.22.0, but this change upgrades it to 2.33.0, breaking compatibility with indico-client — a package actively used in the project (e.g., apply_labels.py). This will cause installation failures or runtime issues.

Additional Locations (1)

• requirements.txt#L33-L34