Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion requirements/base.txt
Original file line number Diff line number Diff line change
Expand Up @@ -101,4 +101,5 @@ wagtail-json-widget==0.0.9 # https://pypi.org/project/wagtail-json-widget/
# Citation export (CSL / BibTeX via citeproc-py)
# ------------------------------------------------------------------------------
citeproc-py==0.9.0 # https://pypi.org/project/citeproc-py/
citeproc-py-styles==0.1.5 # https://pypi.org/project/citeproc-py-styles/ (bibtex.csl, etc.)
citeproc-py-styles==0.1.5 # https://pypi.org/project/citeproc-py-styles/ (bibtex.csl, etc.)
lxml>=6.1.0 # not directly required, pinned by Snyk to avoid a vulnerability

Copilot AI Apr 23, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

requirements/base.txt consistently pins dependencies with == (likely for reproducible installs), but this adds lxml>=6.1.0, which can pull in unexpected future major/minor releases. Consider pinning to lxml==6.1.0 (or at least bounding it, e.g. <7) to match the rest of this file’s versioning approach.

Suggested change
lxml>=6.1.0 # not directly required, pinned by Snyk to avoid a vulnerability
lxml==6.1.0 # not directly required, pinned by Snyk to avoid a vulnerability

Copilot uses AI. Check for mistakes.

Copilot AI Apr 23, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The inline note says lxml is "not directly required", but the codebase imports lxml directly (e.g., harvest/parse_info_oai_pmh.py and harvest/tests.py). Updating the comment to reflect it’s a direct dependency (and/or clarifying why it’s listed explicitly) will avoid confusion during dependency audits.

Suggested change
lxml>=6.1.0 # not directly required, pinned by Snyk to avoid a vulnerability
lxml>=6.1.0 # direct dependency; explicitly constrained to avoid a vulnerability

Copilot uses AI. Check for mistakes.