IBM/ibm-cos-sdk-python-core

urllib3 2.1.0 flagging CVE-2024-37891 - can't resolve bc ibm-cos-sdk-core has a pin to <2.2

Opened this issue · 2 comments

Info

Remediation for CVE-2024-37891 is in urllib3 2.2.2 but can't upgrade to that bc this repo pins urllib3 to under 2.2:

ibm-cos-sdk-core 2.13.5 requires urllib3<2.2,>=1.26.18; python_version >= "3.10", but you have urllib3 2.2.2 which is incompatible.

(python3.11 fwiw)

@bigpick - I'm so sorry for the delay in getting back to you. We will be releasing the fix by next week.

@bigpick Delivered the fixes in 2.13.6. Please verify and close the ticket. Thanks
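An added example, not part of the original thread or the IBM SDK: a stdlib-only check that lists which installed packages declare a pin excluding the patched urllib3 release, using the requirement string quoted in the issue as sample input. The function names and the second sample entry (`example-client`) are assumptions, and the version comparison is a simplification that handles only numeric releases and the operators `<`, `<=`, `>`, `>=`, `==`, `!=`.

```python
import operator
import re
from importlib import metadata

_CLAUSE = re.compile(r"(<=|>=|==|!=|<|>)\s*([0-9]+(?:\.[0-9]+)*)")
_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "==": operator.eq, "!=": operator.ne}


def _release(version, width=4):
    """'2.2' -> (2, 2, 0, 0), so that 2.2.2 is correctly not < 2.2."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def admits(requirement, candidate):
    """True if `candidate` satisfies every version clause in `requirement`.

    Environment markers (the part after ';') are ignored, so a pin that only
    applies to another Python version is still reported.
    """
    spec = requirement.split(";", 1)[0]
    cand = _release(candidate)
    return all(_OPS[op](cand, _release(ver)) for op, ver in _CLAUSE.findall(spec))


def blocking_pins(package, fixed_version, requirements):
    """Return (distribution, requirement) pairs whose pin excludes the fix."""
    blocked = []
    for dist, req in requirements:
        name = re.match(r"[A-Za-z0-9._-]+", req.strip())
        if name and name.group(0).lower() == package.lower() \
                and not admits(req, fixed_version):
            blocked.append((dist, req))
    return blocked


def installed_requirements():
    """Yield (distribution name, requirement string) for the current environment."""
    for dist in metadata.distributions():
        for req in dist.requires or []:
            yield dist.metadata["Name"], req


# Sample input: first entry is the pin quoted in the issue, second is constructed.
SAMPLE = [
    ("ibm-cos-sdk-core", 'urllib3<2.2,>=1.26.18; python_version >= "3.10"'),
    ("example-client", "urllib3>=1.26"),
]

if __name__ == "__main__":
    for dist, req in blocking_pins("urllib3", "2.2.2", installed_requirements()):
        print(f"{dist} blocks urllib3 2.2.2: {req}")
```

Run against `SAMPLE`, only the `ibm-cos-sdk-core` entry is reported as blocking 2.2.2.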