fix: bump web3 upper bound to allow security fix GHSA-5hr4-253g-cpx2 #638

Open

Kubudak90 wants to merge 2 commits into coinbase:main from Kubudak90:fix-web3-security-pin

Conversation

@Kubudak90

Summary

Fixes #636

The web3 dependency pin (<=7.10.0) was blocking the security fix for SSRF via CCIP Read (GHSA-5hr4-253g-cpx2) which shipped in web3==7.15.0.

Changes

Updated the web3 constraint in python/pyproject.toml from:

web3>=7.6.0,<=7.10.0

to:

web3>=7.6.0,<8.0.0

This allows users to install the patched web3 version while maintaining compatibility with the existing API.

Security Impact

  • Resolves blocked security update for GHSA-5hr4-253g-cpx2
  • Users can now install web3>=7.15.0 which contains the SSRF fix
  • No breaking changes expected (web3 follows semver, <8.0.0 constraint ensures compatibility)

Testing

  • Verify package installs with web3==7.15.0
  • Run existing test suite to ensure compatibility
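
An added check, not code from this PR or the repository, that evaluates whether a requirement string such as the one changed here can still resolve to the patched release; the helper names are my own, it supports only the plain comparison operators that appear in the page's constraints, and the versions below are the ones quoted in the PR:

```python
"""Added example: does a pyproject.toml pin admit an advisory's fixed release?"""
import re
from typing import List, Tuple

# Simple evaluator for release-only specifiers (>=, <=, <, >, ==, !=).
# Helper names are assumed; versions come from the PR text.
_OPS = {
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
}

def parse_version(text: str) -> Tuple[int, ...]:
    """'7.10.0' -> (7, 10); trailing zeros are dropped so 7.10 == 7.10.0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def parse_requirement(req: str) -> Tuple[str, List[Tuple[str, Tuple[int, ...]]]]:
    """Split 'web3>=7.6.0,<=7.10.0' into its name and (operator, version) clauses."""
    m = re.match(r"^\s*([A-Za-z0-9_.-]+)\s*(.*)$", req)
    name, spec = m.group(1), m.group(2)
    clauses = []
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        op_m = re.match(r"^(<=|>=|==|!=|<|>)\s*([0-9.]+)$", clause)
        if not op_m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        clauses.append((op_m.group(1), parse_version(op_m.group(2))))
    return name, clauses

def allows(req: str, version: str) -> bool:
    """True when every clause of the requirement admits the given version."""
    _, clauses = parse_requirement(req)
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in clauses)

def audit_pin(req: str, fixed_version: str) -> str:
    """One-line verdict: can the pin resolve to the advisory's fixed release?"""
    name, _ = parse_requirement(req)
    if allows(req, fixed_version):
        return f"OK: {req} admits {name}=={fixed_version}"
    return f"BLOCKED: {req} excludes {name}=={fixed_version}; loosen the upper bound"

if __name__ == "__main__":
    # Constraint before and after the PR, against the 7.15.0 fix for GHSA-5hr4-253g-cpx2.
    for req in ("web3>=7.6.0,<=7.10.0", "web3>=7.6.0,<8.0.0"):
        print(audit_pin(req, "7.15.0"))
```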


cb-heimdall commented Apr 5, 2026

🟡 Heimdall Review Status

Requirement: Reviews
Status: 🟡 0/1
More Info:
  Denominator calculation
    1 if user is bot: 0
    1 if user is external: 0
    2 if repo is sensitive: 0
    From .codeflow.yml: 1
  Additional review requirements
    Max 0
    0
    From CODEOWNERS: 0
    Global minimum: 0
    Max 1
    1
    1 if commit is unverified: 1
  Sum: 2

Bumps web3 dependency from <=7.10.0 to <=7.16.0 to include the fix for
CCIP Read SSRF vulnerability (GHSA-5hr4-253g-cpx2) which was patched in
web3==7.15.0.

Fixes coinbase#636

Kubudak90 force-pushed the fix-web3-security-pin branch from 509a775 to c36939e on April 6, 2026 02:50

nest_asyncio is incompatible with Python 3.12+ due to its patched asyncio.run()
not supporting the loop_factory parameter used by modern uvicorn.

Changes:
- Make nest_asyncio import and apply() optional with proper error handling
- Skip nest_asyncio for Python 3.12+ to avoid breaking loop_factory support
- Move nest-asyncio to optional dependencies
- Update _run_async() to handle both nested and non-nested loop scenarios

Fixes coinbase#591

Successfully merging this pull request may close these issues.

web3<=7.10.0 pin blocks GHSA-5hr4-253g-cpx2 (SSRF via CCIP Read)