update `aiohttp` minimum dependency version to 3.8.0
irangareddy opened this issue · 1 comment
irangareddy commented
Describe the bug
Aiohttp 3.8.0 adds validation of HTTP header keys and values to prevent header injection
AFFECTED VERSIONS: <3.8.0
FIXED VERSIONS: 3.8.0
more about the vulnerability: https://pyup.io/vulnerabilities/PVE-2021-42692/42692/
To Reproduce
On any Poetry Python project, run the following commands:
- git clone https://github.com/eccenca/cmem-plugin-graphql
- cd cmem-plugin-graphql
- git checkout feature/mutationSupport-ECC-5299
- task poetry:install
- task check:safety
Expected behavior
On `poetry run safety check`, all safety checks should pass.
System info:
- OS: macOS 13.1
- Python version: Python 3.9.6
- gql version:
gql 3.4.0 GraphQL client for Python
├── aiohttp >=3.7.1,<3.9.0
- graphql-core version: graphql-core >=3.2,<3.3
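The advisory above describes validation of header keys and values. The following is an added illustration of that kind of check, written for this page and not taken from aiohttp or gql: header names are restricted to RFC 7230 tokens and values are rejected if they contain CR, LF or NUL, the characters that would let a value terminate one header line and start another.

```python
import re

# Constructed example, not aiohttp's own implementation: a strict check in the
# spirit of the header validation that aiohttp 3.8.0 introduced.
# RFC 7230 "token" characters, which are the only ones allowed in a header name.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Control characters that allow a value to inject additional header lines.
FORBIDDEN_IN_VALUE = {"\r", "\n", "\0"}


class HeaderInjectionError(ValueError):
    """Raised when a header name or value could inject extra header lines."""


def validate_header(name: str, value: str) -> None:
    """Reject non-token header names and values carrying CR, LF or NUL."""
    if not TOKEN_RE.match(name):
        raise HeaderInjectionError(f"invalid header name: {name!r}")
    # A str is iterable by character, so intersection() finds any bad byte.
    bad = FORBIDDEN_IN_VALUE.intersection(value)
    if bad:
        raise HeaderInjectionError(
            f"control characters in value of {name!r}: {sorted(bad)!r}"
        )


def is_safe_header(name: str, value: str) -> bool:
    """Boolean form of validate_header, convenient for filters and tests."""
    try:
        validate_header(name, value)
    except HeaderInjectionError:
        return False
    return True


def safe_headers(raw: dict) -> dict:
    """Validate every entry of a header mapping, raising on the first bad one."""
    for name, value in raw.items():
        validate_header(name, value)
    return dict(raw)


if __name__ == "__main__":
    # Constructed sample: one clean header and one carrying an injected line.
    print(is_safe_header("X-Request-Id", "abc123"))
    print(is_safe_header("X-Custom", "ok\r\nSet-Cookie: a=b"))
```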
leszekhanusz commented
I cannot see the vulnerability as I don't have a pyup.io account and it is impossible to register with a Gmail email address...
But I suspect that the vulnerability concerns only the server part of aiohttp and not the client so that is probably not a problem for gql.