Skip to content

Remove unclaimed 'warnings' package from requirements.txt (security fix)#1000

Merged
nelish01 merged 2 commits into
mainfrom
remove-warnings-from-reqs
Oct 13, 2025
Merged

Remove unclaimed 'warnings' package from requirements.txt (security fix)#1000
nelish01 merged 2 commits into
mainfrom
remove-warnings-from-reqs

Conversation

@nelish01

Copy link
Copy Markdown
Contributor

This PR removes the line warnings>=0.1.0 from requirements.txt in the end-to-end-use-cases/NotebookLlama directory.

Context

  • The warning package does not exist on PyPI, making it possible for a malicious actor to claim the package and upload harmful code.

  • This issue was reported via Meta's Bug Bounty program (internal report link).

  • The codebase only uses Python's built-in warnings module, which does not require installation via pip.

Mitigation
Removed the unclaimed warnings package from requirements.txt.
Verified that all usages of import warnings in the codebase refer to the standard library module.
No changes to code files were necessary.

Impact
This change mitigates a potential supply chain security risk (remote code execution) by ensuring that pip will not attempt to install a non-existent or malicious package.
End users will continue to have access to the standard warnings module as part of Python.

@meta-cla meta-cla Bot added the cla signed label Oct 10, 2025
@nelish01
nelish01 requested a review from init27 October 10, 2025 05:33

@IgorKasianenko IgorKasianenko left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LG

@IgorKasianenko IgorKasianenko self-assigned this Oct 10, 2025
@nelish01
nelish01 merged commit f07f234 into main Oct 13, 2025
3 of 4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants