[Snyk] Fix for 4 vulnerabilities

[sihrc]

Snyk has created this PR to fix 4 vulnerabilities in the pip dependencies of this project.

Snyk changed the following file(s):

• requirements.txt

⚠️ Warning

ipywidgets 8.1.8 has requirement comm>=0.1.3, but you have comm 0.1.2.
ipywidgets 8.1.8 has requirement widgetsnbextension~=4.0.14, but you have widgetsnbextension 4.0.5.
indico-client 5.1.4 requires pandas, which is not installed.
indico-client 5.1.4 has requirement importlib-metadata~=1.0, but you have importlib-metadata 6.7.0.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.
• Snyk has automatically assigned this pull request, set who gets assigned.
• Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
👩‍💻 Set who automatically gets assigned
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Directory Traversal
🦉 Allocation of Resources Without Limits or Throttling

---

Note

Low Risk
Dependency-only changes: upgrades nltk and adds a minimum version pin for tornado, which could introduce minor runtime/compatibility differences but no application logic changes.

Overview
Updates requirements.txt to remediate reported vulnerabilities by upgrading nltk from 3.8.1 to 3.9.3 and adding an explicit tornado>=6.5.5 minimum-version pin (Snyk-driven).

^{Written by Cursor Bugbot for commit fe0abe0. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

nltk 3.9.3 requires Python 3.10+, may break builds

High Severity

Upgrading nltk from 3.8.1 to 3.9.3 raises the minimum Python version requirement from 3.7 to 3.10. The rest of the pinned dependencies (e.g., numpy==1.24.2, scipy==1.10.0, scikit-learn==1.2.1) are from early 2023 and compatible with Python 3.8/3.9, suggesting this project may run on a Python version below 3.10. If so, this upgrade will cause installation failures.

 

[cursor]

Tornado uses >= pinning unlike all other dependencies

Medium Severity

The new tornado>=6.5.5 entry uses an open-ended minimum version constraint, while every other dependency in the file uses exact == pinning. This breaks build reproducibility — a future tornado 7.x release could be installed automatically and potentially break the notebook==6.5.2/terminado==0.17.1/nbclassic==0.5.1 stack, which depends on tornado internals.