Address review: cap requests at <3 and dedupe Snyk pin in base.txt

JSv4 · JSv4 · commit 523436038915 · 2026-04-27T23:36:02.000-05:00
- requests pin in base.txt is now &gt;=2.33.1,&lt;3 to keep major version 2.x as policy until we explicitly opt in to a 3.x release
- Removed duplicate Snyk requests pin still at &gt;=2.32.2 (line 86) — base.txt's primary pin already covers it and the Snyk constraint was lower than the security-driven floor
- local.txt and production.txt updated to match the &lt;3 cap
diff --git a/requirements/base.txt b/requirements/base.txt
@@ -10,7 +10,7 @@ pyjwt==2.12.1  # https://github.com/jpadilla/pyjwt
 cryptography==47.0.0  # https://github.com/pyca/cryptography
 pydantic==2.*
 typing-extensions==4.*  # https://github.com/python/typing_extensions
-requests>=2.33.1  # https://requests.readthedocs.io/en/latest/
+requests>=2.33.1,<3  # https://requests.readthedocs.io/en/latest/
 httpx>=0.27.0,<1  # https://github.com/encode/httpx - async HTTP for agent tools
 tokenizers>=0.21,<0.23  # Pin to prevent conflicts with transformers
 
@@ -83,7 +83,6 @@ mcp>=1.27.0  # https://github.com/anthropics/python-sdk
 # ------------------------------------------------------------------------------
 twisted>=24.7.0rc1 # not directly required, pinned by Snyk to avoid a vulnerability
 ipython>=9.13.0 # not directly required, pinned by Snyk to avoid a vulnerability
-requests>=2.32.2 # not directly required, pinned by Snyk to avoid a vulnerability
 setuptools>=70.0.0 # not directly required, pinned by Snyk to avoid a vulnerability
 sqlparse>=0.5.0 # not directly required, pinned by Snyk to avoid a vulnerability
 tornado>=6.5.5 # not directly required, pinned by Snyk to avoid a vulnerability
diff --git a/requirements/local.txt b/requirements/local.txt
@@ -54,7 +54,7 @@ python-pptx
 django==5.2.13  # https://www.djangoproject.com/
 twisted>=25.5.0 # not directly required, pinned by Snyk to avoid a vulnerability
 ipython>=9.13.0 # not directly required, pinned by Snyk to avoid a vulnerability
-requests>=2.33.1 # not directly required, pinned by Snyk to avoid a vulnerability
+requests>=2.33.1,<3 # not directly required, pinned by Snyk to avoid a vulnerability
 setuptools>=70.0.0 # not directly required, pinned by Snyk to avoid a vulnerability
 sqlparse>=0.5.0 # not directly required, pinned by Snyk to avoid a vulnerability
 tornado>=6.5.5 # not directly required, pinned by Snyk to avoid a vulnerability
diff --git a/requirements/production.txt b/requirements/production.txt
@@ -20,7 +20,7 @@ google-auth==2.49.2
 django==5.2.13  # https://www.djangoproject.com/
 twisted>=25.5.0 # not directly required, pinned by Snyk to avoid a vulnerability
 ipython>=9.13.0 # not directly required, pinned by Snyk to avoid a vulnerability
-requests>=2.33.1 # not directly required, pinned by Snyk to avoid a vulnerability
+requests>=2.33.1,<3 # not directly required, pinned by Snyk to avoid a vulnerability
 setuptools>=70.0.0 # not directly required, pinned by Snyk to avoid a vulnerability
 sqlparse>=0.5.0 # not directly required, pinned by Snyk to avoid a vulnerability
 tornado>=6.5.5 # not directly required, pinned by Snyk to avoid a vulnerability
