
[Snyk] Security upgrade ujson from 5.4.0 to 5.12.0 #36

Open
jhamot wants to merge 1 commit into main from snyk-fix-680bbc35cf9726db82174d1f702eeb08

Conversation

@jhamot (Owner) commented Mar 18, 2026

Snyk has created this PR to fix 2 vulnerabilities in the pip dependencies of this project.

Snyk changed the following file(s):

  • examples/server/sanic/requirements.txt
⚠️ Warning
sanic 20.12.7 requires ujson, which is not installed.
sanic 20.12.7 has requirement httptools>=0.0.10, but you have httptools 0.0.9.
sanic 20.12.7 has requirement aiofiles>=0.6.0, but you have aiofiles 0.3.0.
httpcore 0.11.1 has requirement h11<0.10,>=0.8, but you have h11 0.14.0.

Breaking Change Risk

Merge Risk: Medium

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Integer Overflow or Wraparound
🦉 Missing Release of Memory after Effective Lifetime

@jhamot (Owner, Author) commented Mar 18, 2026

Merge Risk: Medium

This upgrade of ujson contains a behavioral breaking change and a general warning from the maintainers.

Breaking Change:

  • The toDict() method will now raise a TypeError if it returns a non-dictionary value. Previously, it would silently convert the value to null. Applications relying on the old behavior will need to be updated to handle the new exception.

General Advisory:

  • The ujson library is in a maintenance-only mode. The maintainers warn that its architecture is prone to security vulnerabilities and strongly encourage users to migrate to the orjson library, which is reported to be faster and more secure.

Recommendation:

  • Verify any usage of toDict() to ensure it correctly handles the new TypeError for non-dictionary return values.
  • Consider creating a plan to migrate from ujson to orjson to avoid future security risks and benefit from better performance.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.
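The following is an added example, not code from this PR or from ujson, illustrating the toDict() behaviour change the comment above describes and the pre-merge check it recommends. It does not import ujson at all: the toDict() hook handling is re-implemented in pure Python so the audit runs regardless of which ujson version is installed, and the standard-library json module does the final encoding. The `Record` class, the `audit_todict`, `dumps_new` and `dumps_legacy` helpers and the sample payloads are all constructed for this example; the two behaviours they mirror (5.4.0: non-dict result serialised as null; 5.12.0: TypeError) are taken from the comment, not verified against ujson here.

```python
"""Pre-upgrade audit for the ujson toDict() behaviour change (added example)."""
import json
from typing import Any, List, Tuple


class Record:
    """Constructed sample class exposing the toDict() hook that ujson looks for."""

    def __init__(self, payload: Any) -> None:
        self._payload = payload

    def toDict(self) -> Any:  # deliberately allowed to return a non-dict
        return self._payload


def _expand(obj: Any, path: str, strict: bool, findings: List[Tuple[str, str]]) -> Any:
    """Recursively replace objects exposing toDict() with the dict they return.

    strict=True mirrors the described ujson 5.12.0 behaviour (TypeError on a
    non-dict result); strict=False mirrors the described ujson 5.4.0 behaviour
    (non-dict result becomes None, i.e. JSON null). Every non-dict result is
    recorded in `findings` as (JSONPath-like location, type name).
    """
    if hasattr(obj, "toDict") and callable(obj.toDict):
        result = obj.toDict()
        if not isinstance(result, dict):
            findings.append((path, type(result).__name__))
            if strict:
                raise TypeError(
                    f"toDict() at {path} returned {type(result).__name__}, not dict"
                )
            return None
        obj = result
    if isinstance(obj, dict):
        return {k: _expand(v, f"{path}.{k}", strict, findings) for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [_expand(v, f"{path}[{i}]", strict, findings) for i, v in enumerate(obj)]
    return obj


def audit_todict(obj: Any) -> List[Tuple[str, str]]:
    """Return (path, type) for every toDict() that yields a non-dict, without raising.

    Run this over representative payloads before merging the upgrade: each
    finding is a call site that serialised as null on 5.4.0 and would raise
    TypeError on 5.12.0 according to the merge-risk comment.
    """
    findings: List[Tuple[str, str]] = []
    _expand(obj, "$", strict=False, findings=findings)
    return findings


def dumps_new(obj: Any) -> str:
    """Encode with the described 5.12.0 semantics: non-dict toDict() -> TypeError."""
    return json.dumps(_expand(obj, "$", strict=True, findings=[]))


def dumps_legacy(obj: Any) -> str:
    """Encode with the described 5.4.0 semantics: non-dict toDict() -> null."""
    return json.dumps(_expand(obj, "$", strict=False, findings=[]))


if __name__ == "__main__":
    # Constructed sample payloads: one clean, one with a misbehaving toDict().
    good = {"user": Record({"id": 7}), "tags": [Record({"k": "v"})]}
    bad = {"user": Record({"id": 7}), "token": Record("opaque-string")}
    print(dumps_new(good))      # {"user": {"id": 7}, "tags": [{"k": "v"}]}
    print(dumps_legacy(bad))    # {"user": {"id": 7}, "token": null}
    print(audit_todict(bad))    # [('$.token', 'str')]
    try:
        dumps_new(bad)
    except TypeError as exc:
        print("5.12.0-style failure:", exc)
```

`audit_todict` is the piece worth wiring into a test suite before merging: feed it the objects your handlers actually serialise and treat a non-empty result as a blocker, since each entry names a toDict() implementation whose output silently became null on the old version and would now surface as an exception in production.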
