
@robertatakenaka
Member


Snyk has created this PR to fix 22 vulnerabilities in the pip dependencies of this project.

Snyk changed the following file(s):

  • requirements/base.txt
⚠️ Warning
flower 2.0.1 requires tornado, which is not installed.
django-rosetta 0.10.1 has requirement Django>=4.2, but you have Django 3.2.25.
django-prometheus 2.4.1 has requirement Django<6.0,>=4.2, but you have Django 3.2.25.
celery 5.3.0 requires kombu, which is not installed.

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.




Copilot AI review requested due to automatic review settings January 25, 2026 11:29
Contributor

Copilot AI left a comment


Pull request overview

This Snyk PR aims to fix 22 security vulnerabilities (20 in Django and 2 in sqlparse) by upgrading Django from 3.2.25 to 4.2.27 and sqlparse from 0.4.4 to 0.5.4. However, there's a critical discrepancy: the actual changes only add a sqlparse version constraint, while the codebase already shows Django 5.2.7 installed (not 3.2.25 as the PR description suggests).

Changes:

  • Adds sqlparse>=0.5.4 constraint to fix 2 vulnerabilities
  • No Django upgrade is included despite PR claiming to fix 20 Django vulnerabilities


# Xlwt
# ------------------------------------------------------------------------------
xlwt==1.3.0
sqlparse>=0.5.4 # not directly required, pinned by Snyk to avoid a vulnerability
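Review bot: The added `sqlparse>=0.5.4` is a floor, not a pin, while the neighbouring entry `xlwt==1.3.0` and the rest of this file use exact `==` pins, so a fresh `pip install -r requirements/base.txt` may resolve to any future sqlparse release and the build is no longer reproducible; either match the file's convention with `sqlparse==0.5.4` or add an upper bound such as `sqlparse>=0.5.4,<0.6`, and reword the trailing comment, which says "pinned" although the specifier only sets a minimum. The hunk touches only sqlparse; no Django line is changed here, so the PR title's claim of fixing 20 Django vulnerabilities is not backed by this diff.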

Copilot AI Jan 25, 2026


The PR description includes warnings about dependency incompatibilities that this change may introduce:

  • "flower 2.0.1 requires tornado, which is not installed"
  • "django-rosetta 0.10.1 has requirement Django>=4.2, but you have Django 3.2.25"
  • "django-prometheus 2.4.1 has requirement Django<6.0,>=4.2, but you have Django 3.2.25"
  • "celery 5.3.0 requires kombu, which is not installed"

While the warnings reference Django 3.2.25 (suggesting the analysis may be outdated since the file shows Django 5.2.7), the missing dependencies (tornado and kombu) could cause runtime issues. Please verify that:

  1. All required transitive dependencies are properly installed
  2. The dependency warnings are accurate for the current state of the project
  3. The project will function correctly after this change

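The dependency warnings in the Snyk description ("requires tornado, which is not installed", "has requirement Django>=4.2, but you have Django 3.2.25") and the reviewer's request to verify that all transitive dependencies are installed are both instances of the consistency check `pip check` performs: every installed distribution's declared requirements are evaluated against what is actually installed. The script below is an added example, not Snyk's, Copilot's or the project's own code, re-implementing that check in plain Python over a constructed environment that mirrors the warning text. `INSTALLED`, `REQUIRES` and the post-upgrade versions for tornado and kombu are invented illustration data, and version comparison is simplified to numeric tuples rather than full PEP 440. `pinning_style` additionally classifies a requirements line as an exact pin, a range or a bare name, which is the difference between `xlwt==1.3.0` and the Snyk-added `sqlparse>=0.5.4`.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample environment: mirrors the state the Snyk warning on this
# PR describes (Django 3.2.25 present, tornado and kombu absent). It is
# illustrative data, not a dump of the project's real environment.
INSTALLED: Dict[str, str] = {
    "Django": "3.2.25",
    "flower": "2.0.1",
    "django-rosetta": "0.10.1",
    "django-prometheus": "2.4.1",
    "celery": "5.3.0",
    "sqlparse": "0.4.4",
    "xlwt": "1.3.0",
}

# Constructed sample of what each installed distribution declares it needs
# (the Requires-Dist metadata pip consults); a hypothetical subset.
REQUIRES: Dict[str, List[str]] = {
    "flower": ["tornado"],
    "django-rosetta": ["Django>=4.2"],
    "django-prometheus": ["Django<6.0,>=4.2"],
    "celery": ["kombu"],
}

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*(?:#.*)?$")
_SPEC_RE = re.compile(r"(==|!=|<=|>=|<|>)\s*([0-9][0-9A-Za-z.]*)")


def normalize(name: str) -> str:
    """Canonical project name as pip compares it (case- and separator-insensitive)."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement(line: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split 'Django<6.0,>=4.2 # comment' into ('Django', [('<', '6.0'), ('>=', '4.2')])."""
    m = _REQ_RE.match(line)
    if not m:
        raise ValueError(f"unparseable requirement: {line!r}")
    return m.group(1), _SPEC_RE.findall(m.group(2))


def _vtuple(version: str) -> Tuple[int, ...]:
    # Simplified numeric comparison; PEP 440 pre/post/dev segments are not modelled.
    return tuple(int(p) for p in re.findall(r"\d+", version))


def _cmp(a: str, b: str) -> int:
    ta, tb = _vtuple(a), _vtuple(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))  # pad so 4.2 compares as 4.2.0 against 4.2.27
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def satisfies(installed_version: str, specs: List[Tuple[str, str]]) -> bool:
    """True when the installed version meets every (operator, version) clause."""
    for op, want in specs:
        c = _cmp(installed_version, want)
        ok = {"==": c == 0, "!=": c != 0, "<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]
        if not ok:
            return False
    return True


def check(installed: Dict[str, str], requires: Dict[str, List[str]]) -> List[str]:
    """Report unmet declared dependencies, worded the way pip reports them."""
    have = {normalize(n): v for n, v in installed.items()}
    problems: List[str] = []
    for dist, reqs in requires.items():
        dist_version = have.get(normalize(dist))
        if dist_version is None:
            continue  # the distribution itself is absent, so its needs do not apply
        for req in reqs:
            name, specs = parse_requirement(req)
            got = have.get(normalize(name))
            spec_text = name + ",".join(op + v for op, v in specs)
            if got is None:
                problems.append(f"{dist} {dist_version} requires {name}, which is not installed.")
            elif not satisfies(got, specs):
                problems.append(f"{dist} {dist_version} has requirement {spec_text}, but you have {name} {got}.")
    return problems


def pinning_style(line: str) -> str:
    """'exact' for ==, 'range' for any other operator, 'unpinned' for a bare name."""
    _, specs = parse_requirement(line)
    ops = {op for op, _ in specs}
    if "==" in ops:
        return "exact"
    return "range" if ops else "unpinned"


if __name__ == "__main__":
    for problem in check(INSTALLED, REQUIRES):
        print(problem)
    # Hypothetical post-upgrade state: Django raised to 4.2.27 and the two
    # missing packages installed (versions are constructed for the example).
    fixed = dict(INSTALLED, Django="4.2.27", tornado="6.4", kombu="5.3.0")
    print("after upgrade:", check(fixed, REQUIRES) or "no conflicts")
```

Run as-is, the script prints the same four lines the Snyk warning shows, then an empty result once Django is at 4.2.27 and tornado and kombu are present; against a real environment you would feed `check` the output of `importlib.metadata.distributions()` and each distribution's `Requires-Dist` entries, which is what `pip check` does with full PEP 440 semantics.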
# Xlwt
# ------------------------------------------------------------------------------
xlwt==1.3.0
sqlparse>=0.5.4 # not directly required, pinned by Snyk to avoid a vulnerability

Copilot AI Jan 25, 2026


The PR description states this change upgrades Django from 3.2.25 to 4.2.27 to fix 22 vulnerabilities (20 in Django, 2 in sqlparse). However, the actual diff only adds a sqlparse version constraint and does not include any Django upgrade. The requirements file currently shows Django 5.2.7 at line 19, which contradicts the PR description's claim of upgrading from Django 3.2.25.

This discrepancy suggests either:

  1. The PR description is incorrect or outdated
  2. The Django upgrade was already applied separately
  3. There's a mismatch between what Snyk detected and the actual codebase state

Please verify that the correct changes are being made and update either the PR description or the changes accordingly.
