Security vulnerability in the `future` dependency
Closed this issue · 5 comments
- django-json-widget version: 1.1.1
- Django version: 3.2
- Python version: 3.10
- Operating System: Ubuntu
Description
This library depends on the `future` package, which is not maintained but contains a high-severity vulnerability: GHSA-v3c5-jqr6-7qm8
Please drop the dependency on this package if possible.
I agree that stopping using `future` is worthwhile (see #65), but I don't think that vulnerability is reachable in practice from how it is used here. The troublesome regular expression is in the cookie-handling part of the library, which I believe isn't invoked at all here.
I think it's worth dropping as part of no longer supporting very old versions of Django and Python, as that will typically involve using libraries that are practically unmaintained.
@ashokdelphia Thank you for your insight on this! I hadn't looked deeply until now and I agree, it's not a showstopper here.
Most folks are probably (like me) just seeing security vulnerability warnings and scrambling to keep their dependencies clean. In our case, future was only used by two dependencies (the other having already dropped it in a recent release, so just needed to upgrade).
Still hopeful that @jmrivas86 can add a few more folks to help maintain this. It's a good one!
@jmrivas86 Can we get this merged please?
Fixed in pifantastic#1