Skip to content

fix: remove unused requests dependency from simple-chatbot example#1958

Merged
maxisbey merged 1 commit intomainfrom
fix/remove-unused-requests-dep
Jan 26, 2026
Merged

fix: remove unused requests dependency from simple-chatbot example#1958
maxisbey merged 1 commit intomainfrom
fix/remove-unused-requests-dep

Conversation

@maxisbey
Copy link
Contributor

@maxisbey maxisbey commented Jan 26, 2026

Summary

The mcp-simple-chatbot example declared requests>=2.31.0 as a dependency but never imports or uses it — the code uses httpx (via the mcp dependency) instead. This stale dependency pulled urllib3 into the lock file, triggering three high-severity Dependabot alerts:

  • CVE-2025-66418 — unbounded decompression chain length (fixed in urllib3 2.6.0)
  • CVE-2025-66471 — streaming API decompression bomb (fixed in urllib3 2.6.0)
  • CVE-2026-21441 — decompression bomb bypass via redirects (fixed in urllib3 2.6.3)

Impact

None of these CVEs affect the SDK. The SDK uses httpx, which has its own HTTP stack (httpcoreh11) and does not depend on urllib3 at any point in its transitive dependency tree.

Changes

  • Removed unused requests>=2.31.0 from examples/clients/simple-chatbot/pyproject.toml
  • Regenerated uv.lockurllib3 remains only via mkdocs-material (docs-only dev dependency)

AI Disclaimer

@maxisbey
fix: remove unused requests dependency from simple-chatbot example
fbf2af5 
The simple-chatbot example declared requests>=2.31.0 as a dependency but
never imports or uses it — the code uses httpx (via the mcp dependency)
instead. This stale dependency pulled urllib3 into the lock file, which
triggered three high-severity Dependabot alerts (CVE-2025-66418,
CVE-2025-66471, CVE-2026-21441). None of these affect the SDK since it
uses httpx/httpcore, not urllib3.

Removing requests from the example eliminates urllib3 from the runtime
dependency tree. It remains in the lock file only via mkdocs-material
(a docs-only dev dependency).
@maxisbey maxisbey mentioned this pull request Jan 26, 2026
Merged
@maxisbey maxisbey enabled auto-merge (squash) January 26, 2026 13:59
@maxisbey maxisbey disabled auto-merge January 26, 2026 14:00
@claude
Copy link

claude bot commented Jan 26, 2026

Code review

Issue: CLAUDE.md violation in PR description

The PR description contains an AI disclaimer footer:

<sub>[AI Disclaimer](https://gist.github.com/maxisbey/6123d132484e4c533eab519a2800693d)</sub>

This violates the CLAUDE.md guidelines which state:

"NEVER ever mention a co-authored-by or similar aspects. In particular, never mention the tool used to create the commit message or PR."

See: https://github.com/modelcontextprotocol/python-sdk/blob/f179218ec34db59f4f7e61ae33c87e1b370f6ba5/CLAUDE.md#L55-L56

Recommendation: Please remove the AI disclaimer footer from the PR description.

Code changes: No issues found in the actual code changes. The dependency removal is correct.

@maxisbey maxisbey merged commit 1b5287c into main Jan 26, 2026
31 checks passed
@maxisbey maxisbey deleted the fix/remove-unused-requests-dep branch January 26, 2026 14:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@felixweinberger felixweinberger felixweinberger approved these changes

@Kludex Kludex Kludex approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@maxisbey @felixweinberger @Kludex