
Requests<2.30.0 has a security issue #41

Closed
Alexerson opened this issue May 23, 2023 · 2 comments
Labels
bug Something isn't working

Comments

@Alexerson (Contributor)

Current behavior

The current action depends on requests<2.30, but this causes the following:

❯ pip-audit
| Collecting inputs
Found 1 known vulnerability in 1 package
Name     Version ID                  Fix Versions
-------- ------- ------------------- ------------
requests 2.29.0  GHSA-j8r2-6x86-q33q 2.31.0

My project depends on requests 2.31.0, this issue is with the pinned version in this codebase.

I believe the reason why we were holding on the requests 2.30.0 issue is now fixed, so we should relax this condition.

Expected behavior

I expected the action to not fail on its own.

Steps to reproduce

  1. Add pip-audit to an empty project
  2. Run it.

Relevant context

Nothing else needed.
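The report above is pip-audit's plain-text table. As an added illustration (not code from pip-audit or from this action's repository), the block below parses that table format, decides whether a candidate version satisfies one of the listed fix versions, and derives the relaxed lower bound the issue asks for. The sample report is constructed: the first row is the one quoted above, the second row (package "example", a placeholder advisory ID) is hypothetical and exists only to exercise the comma-separated fix-version case.

```python
"""Parse pip-audit's table output and flag findings whose installed version
is below every listed fix version.

Added example; the parsing logic is an illustration, not pip-audit's own code.
"""

from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the requests row quoted in the issue, plus one
# hypothetical row (placeholder package and advisory ID) with two fix versions.
SAMPLE_REPORT = """\
Found 2 known vulnerabilities in 2 packages
Name     Version ID                  Fix Versions
-------- ------- ------------------- ------------
requests 2.29.0  GHSA-j8r2-6x86-q33q 2.31.0
example  1.0.0   PLACEHOLDER-ID-0000 1.0.1,1.1.0
"""


@dataclass(frozen=True)
class Finding:
    name: str
    version: str
    advisory_id: str
    fix_versions: Tuple[str, ...]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.29.0' into (2, 29, 0).

    Only dotted integer releases are handled, which covers the requests pins
    discussed in this issue; pre-release tags are out of scope here.
    """
    return tuple(int(part) for part in text.strip().split("."))


def parse_report(report: str) -> List[Finding]:
    """Read the rows that follow the dashed separator line of the table."""
    findings: List[Finding] = []
    in_table = False
    for line in report.splitlines():
        if line.startswith("----"):
            in_table = True  # header is done; data rows follow
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        if len(parts) < 4:
            continue  # not a complete row; skip rather than guess
        name, version, advisory_id, fixes = parts[0], parts[1], parts[2], parts[3]
        findings.append(Finding(name, version, advisory_id, tuple(fixes.split(","))))
    return findings


def is_fixed_by(finding: Finding, candidate: str) -> bool:
    """True if `candidate` is at least as new as one of the listed fix versions."""
    cand = parse_version(candidate)
    return any(cand >= parse_version(fix) for fix in finding.fix_versions)


def minimum_constraint(finding: Finding) -> str:
    """Suggest the relaxed lower bound, e.g. 'requests>=2.31.0'."""
    lowest = min(finding.fix_versions, key=parse_version)
    return f"{finding.name}>={lowest}"


if __name__ == "__main__":
    for finding in parse_report(SAMPLE_REPORT):
        status = "fixed" if is_fixed_by(finding, finding.version) else "vulnerable"
        print(f"{finding.name} {finding.version}: {status}; "
              f"suggested constraint {minimum_constraint(finding)}")
```

For the quoted row this yields `requests>=2.31.0`, which is the lower bound the pinned constraint would need to move to. Comparing tuples of integers is deliberate: a string comparison would rank "2.9.0" above "2.31.0".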

@Alexerson Alexerson added the bug Something isn't working label May 23, 2023
@woodruffw (Member)

Thanks for filing this!

I believe the reason why we were holding on the requests 2.30.0 issue is now fixed, so we should relax this condition.

Correct, although we need to bump the constraint on pip-audit to reflect that. I've left details on that in the PR you've opened.

@woodruffw (Member)

Resolved with 1.0.8. Thanks again, @Alexerson!
