# marvin-ai
Hi @Marvin I am using prefect-dbt = {extras = ["snowflake"], version = "^0.7.8"} version but the lock includes a deepdiff dependency less than 8.6.1. What can I do? The dependency is vulnerable.
thought for 169.7 seconds
Thanks for raising this — security updates are important.

Short answer
- Neither Prefect core nor prefect-dbt (including the snowflake extra) directly depends on `deepdiff`. It’s coming from another transitive dependency in your environment.
- Prefect 3.x and prefect-dbt 0.7.8 are compatible with `deepdiff >= 8.6.1`. Pinning/overriding `deepdiff` to 8.6.1+ is safe in practice unless another package explicitly caps it lower.

To help you fix it, could you confirm which tool you’re using to manage deps (Poetry, pip-tools, uv, plain pip)? The snippet you shared looks like Poetry; if so, try the steps below.

If you’re using Poetry
1) Identify who brings `deepdiff` in:
```bash
poetry why deepdiff
poetry show --tree
```
2) Try a direct override/pin to the fixed version:
```bash
poetry add deepdiff@^8.6.1
poetry update deepdiff
```
- If this succeeds, you’re done.
- If Poetry reports a conflict (e.g., “X requires deepdiff<8.6.1”), you’ll need to upgrade that parent package X to a version that allows 8.6.1+, or remove X if it’s unused.
3) If you build containers with pip at runtime, you can also enforce via constraints:
- Add a constraints file (constraints.txt):
```text
deepdiff>=8.6.1
```
- Install with constraints:
```bash
pip install -r requirements.txt -c constraints.txt
```
(or, if you use uv for builds: `uv pip install -r requirements.txt -c constraints.txt`)

If you’re using pip (no Poetry)
- Find the source of the dep:
```bash
pip install pipdeptree
pipdeptree -r -p deepdiff
```
- Force the upgrade:
```bash
pip install "deepdiff>=8.6.1" --upgrade
```
- If pip fails due to a cap, upgrade the package that pins `deepdiff` lower (the `pipdeptree` output will name it).

If you’re using uv for project management
- Add a direct dependency in your pyproject:
```toml
[tool.poetry.dependencies]
deepdiff = ">=8.6.1"
```
- Then re-lock/update with your usual uv workflow (e.g., `uv lock` / `uv pip install -r requirements.txt`), or use a constraints file as above.

Next step
If you paste the output of:
- `poetry why deepdiff` (or `pipdeptree -r -p deepdiff`)
I can point you to the exact transitive package to upgrade and a compatible version, if needed.

References
- Prefect + dbt integration docs: Prefect-dbt docs
- prefect-dbt repository: PrefectHQ/prefect-dbt