
[Snyk] Security upgrade pyasn1 from 0.4.8 to 0.6.2 #192

Open
q1blue wants to merge 1 commit into master from snyk-fix-23bc38cf53eecb016e90ff2e1eea8101

Conversation

@q1blue (Collaborator) commented Jan 21, 2026


Snyk has created this PR to fix 1 vulnerability in the pip dependencies of this project.

Snyk changed the following file(s):

  • requirements-ci.txt
⚠️ Warning
pyasn1-modules 0.2.8 has requirement pyasn1<0.5.0,>=0.4.6, but you have pyasn1 0.5.1.
flake8 4.0.1 has requirement importlib-metadata<4.3; python_version < "3.8", but you have importlib-metadata 6.7.0.
buildbot 4.3.0 requires autobahn, which is not installed.
buildbot 4.3.0 has requirement unidiff>=0.7.5, but you have unidiff 0.7.3.

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling


Important

Upgrade pyasn1 to 0.6.2 in requirements-ci.txt to address security vulnerabilities, with potential compatibility warnings.

  • Dependency Upgrade:
    • Upgrade pyasn1 from 0.4.8 to 0.6.2 in requirements-ci.txt to fix security vulnerabilities.
  • Warnings:
    • Potential compatibility issues with pyasn1-modules and flake8 due to version constraints.
    • buildbot requires autobahn, which is not installed, and has a version mismatch with unidiff.

This description was created by Ellipsis for 8f382d4. You can customize this summary. It will automatically update as commits are pushed.

The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-PYASN1-15032639
@vercel

vercel bot commented Jan 21, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project      Deployment   Review            Updated (UTC)
buildbot     Error        -                 Jan 21, 2026 8:28pm
csb-b6x6kw   Ready        Preview, Comment  Jan 21, 2026 8:28pm

@bolt-new-by-stackblitz

Review PR in StackBlitz Codeflow: run & review this pull request in StackBlitz Codeflow.

@codesandbox

codesandbox bot commented Jan 21, 2026

Review or Edit in CodeSandbox

Open the branch in Web Editor / VS Code / VS Code Insiders

Open Preview

@changeset-bot

changeset-bot bot commented Jan 21, 2026

⚠️ No Changeset found

Latest commit: 8f382d4

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR


@ellipsis-dev ellipsis-dev bot left a comment


Important

Looks good to me! 👍

Reviewed everything up to 8f382d4 in 1 minute and 20 seconds.
  • Reviewed 13 lines of code in 1 files
  • Skipped 0 files when reviewing.
  • Skipped posting 1 draft comments. View those below.
  • Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.
1. requirements-ci.txt:70
  • Draft comment:
    Upgrading pyasn1 to 0.6.2 may conflict with pyasn1-modules==0.2.8, which requires pyasn1 < 0.5.0. Please verify compatibility or consider updating pyasn1-modules as well.
  • Reason this comment was not posted:
    Decided after close inspection that this draft comment was likely wrong and/or not actionable: usefulness confidence = 0% vs. threshold = 50% This comment is about dependency version compatibility. The rules explicitly state "Do NOT comment on dependency changes, library versions that you don't recognize, or anything else related to dependencies." This is a clear dependency version change. Additionally, the comment is speculative ("may conflict") and asks the author to verify compatibility, which violates the rule about not asking authors to confirm things. Even if the comment were technically correct about version incompatibility, it falls under the category of things I should not comment on. The PR author presumably tested this change, and if there's a real conflict, it would be caught during the build/test phase. Could there be a legitimate reason to flag dependency conflicts even though the rules say not to comment on dependencies? Perhaps if this would cause an immediate runtime failure that wouldn't be caught by tests, it might be worth keeping. Even if there's a real dependency conflict, the rules are explicit about not commenting on dependency changes. Additionally, dependency conflicts would typically be caught by pip during installation in CI, so this would be caught by the build process. The comment also uses speculative language ("may conflict") and asks for verification, both of which are red flags according to the rules. This comment should be deleted because it violates the rule against commenting on dependency changes. It's also speculative and asks the author to verify compatibility, which violates additional rules.

Workflow ID: wflow_64Nvyi1Se8I2v5cG

You can customize Ellipsis by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.
