Commit 12e8894
committed
fix: remove unused requests dependency from simple-chatbot example
The simple-chatbot example declared requests>=2.31.0 as a dependency but
never imports or uses it — the code uses httpx (via the mcp dependency)
instead. This stale dependency pulled urllib3 into the lock file, which
triggered three high-severity Dependabot alerts (CVE-2025-66418,
CVE-2025-66471, CVE-2026-21441). None of these affect the SDK since it
uses httpx/httpcore, not urllib3.
Removing requests from the example eliminates urllib3 from the runtime
dependency tree. It remains in the lock file only via mkdocs-material
(a docs-only dev dependency).1 parent 3d9d345 commit 12e8894
2 files changed
+0
-3
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
16 | 16 | | |
17 | 17 | | |
18 | 18 | | |
19 | | - | |
20 | 19 | | |
21 | 20 | | |
22 | 21 | | |
| |||
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
0 commit comments