From 12e889493ad6ccd75ed27a6170375d7e3e5f474f Mon Sep 17 00:00:00 2001
From: Max Isbey <224885523+maxisbey@users.noreply.github.com>
Date: Mon, 26 Jan 2026 13:58:42 +0000
Subject: [PATCH] fix: remove unused requests dependency from simple-chatbot example
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The simple-chatbot example declared requests>=2.31.0 as a dependency but never imports or uses it — the code uses httpx (via the mcp dependency) instead. This stale dependency pulled urllib3 into the lock file, which triggered three high-severity Dependabot alerts (CVE-2025-66418, CVE-2025-66471, CVE-2026-21441). None of these affect the SDK since it uses httpx/httpcore, not urllib3. Removing requests from the example eliminates urllib3 from the runtime dependency tree. It remains in the lock file only via mkdocs-material (a docs-only dev dependency).
---
 examples/clients/simple-chatbot/pyproject.toml | 1 -
 uv.lock | 2 --
 2 files changed, 3 deletions(-)

diff --git a/examples/clients/simple-chatbot/pyproject.toml b/examples/clients/simple-chatbot/pyproject.toml
index 564b42df3..ce0724902 100644
--- a/examples/clients/simple-chatbot/pyproject.toml
+++ b/examples/clients/simple-chatbot/pyproject.toml
@@ -16,7 +16,6 @@ classifiers = [
 ]
 dependencies = [
     "python-dotenv>=1.0.0",
-    "requests>=2.31.0",
     "mcp",
     "uvicorn>=0.32.1",
 ]
diff --git a/uv.lock b/uv.lock
index 757709acd..e42301b67 100644
--- a/uv.lock
+++ b/uv.lock
@@ -1003,7 +1003,6 @@ source = { editable = "examples/clients/simple-chatbot" }
 dependencies = [
     { name = "mcp" },
     { name = "python-dotenv" },
-    { name = "requests" },
     { name = "uvicorn" },
 ]

@@ -1018,7 +1017,6 @@ dev = [
 requires-dist = [
     { name = "mcp", editable = "." },
     { name = "python-dotenv", specifier = ">=1.0.0" },
-    { name = "requests", specifier = ">=2.31.0" },
     { name = "uvicorn", specifier = ">=0.32.1" },
 ]