jmrivas86/django-json-widget

Security vulnerability in the `future` dependency


  • django-json-widget version: 1.1.1
  • Django version: 3.2
  • Python version: 3.10
  • Operating System: Ubuntu

Description

This library depends on the `future` package, which is not maintained but contains a high-severity vulnerability: GHSA-v3c5-jqr6-7qm8

Please drop the dependency on this package if possible.

Agreed. Makes these others all the more relevant...

#65
#72

Otherwise, I'll be forced to fork this repo until there are more folks who can keep it up to date.

I agree that stopping using future is worthwhile (see #65), but I don't think that vulnerability is reachable in practice from how it is used here. The troublesome regular expression is in the cookie-handling part of the library, which I believe isn't invoked at all here.

I think it's worth dropping as part of no longer supporting very old versions of Django and Python, as that will typically involve using libraries that are practically unmaintained.

@ashokdelphia Thank you for your insight on this! I hadn't looked deeply until now and I agree, it's not a showstopper here.

Most folks are probably (like me) just seeing security vulnerability warnings and scrambling to keep their dependencies clean. In our case, future was only used by two dependencies (the other having already dropped it in a recent release, so just needed to upgrade).

Still hopeful that @jmrivas86 can add a few more folks to help maintain this. It's a good one!

@jmrivas86 Can we get this merged please?