pallets/markupsafe

MarkupSafe version 1.1.1 dependency on opencast causing security risks

rajeshkatkarnice opened this issue · 1 comment

Hello Team,

We use Apache Airflow in our projects and it's deployed on our AWS-based infra by Jenkins pipelines.
Our Jenkins pipelines have Black Duck scans enabled, which scan the entire project with all transitive dependencies for security and licence risks.
Airflow versions (1.10.10 and 1.10.14) both use the latest MarkupSafe version, i.e. 1.1.1, and when we deploy Airflow, MarkupSafe also gets scanned by Black Duck. We are getting security risks in version 1.1.1; it shows it depends on opencast version 6.7 in the files below, which are dynamically linked as dependencies.

markupsafe/__pycache__/
  • __init__.cpython-37.pyc
  • _compat.cpython-37.pyc
  • _constants.cpython-37.pyc
  • _native.cpython-37.pyc

Black Duck suggests using opencast version 9.2, which does not have any risks.

Can you please check whether MarkupSafe can be upgraded to the latest opencast version.

The latest MarkupSafe version should use opencast version 9.2.
Environment:

  • Python version: 3.7
  • MarkupSafe version: 1.1.1

We do not depend on opencast. Perhaps you meant to say opencast depends on us? As you say, your security scanner tells you to update opencast, not MarkupSafe.

When you opened this issue, you had the opportunity to select "Report a security vulnerability", which would have directed you to email us privately about potential security issues. Please be sure to do that in the future if you believe you've identified a security issue in MarkupSafe.
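The disagreement in this thread (a scanner reporting a dependency that the maintainers say does not exist) is the kind of finding that is worth triaging against the package's own declared metadata before filing a report. The script below is an added example, not code from the thread or from the MarkupSafe project: it reads the `Requires-Dist` entries from a distribution's `METADATA` file, which is where a Python wheel actually declares its dependencies (compiled `.pyc` files in `__pycache__` carry no dependency declarations at all), and answers whether a named package appears among them. The `SAMPLE_METADATA` text and the distribution name `example-web-lib` are constructed for the example; the lookup of an installed distribution uses the standard library's `importlib.metadata` and returns `None` when the package is not installed.

```python
"""Triage a scanner finding by checking a distribution's declared requirements."""
import re
from importlib import metadata

# Constructed sample of a wheel METADATA file (not MarkupSafe's real metadata).
SAMPLE_METADATA = """\
Metadata-Version: 2.1
Name: example-web-lib
Version: 1.1.1
Requires-Python: >=3.6
Requires-Dist: Jinja2 (>=2.10)
Requires-Dist: pytest ; extra == 'test'
"""

# A requirement starts with the project name; version specs and markers follow.
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """Normalize a project name the way package indexes do (PEP 503)."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requires_dist(metadata_text):
    """Return [(normalized_name, is_optional_extra), ...] for each Requires-Dist line."""
    reqs = []
    for line in metadata_text.splitlines():
        if not line.startswith("Requires-Dist:"):
            continue
        spec = line.split(":", 1)[1].strip()
        match = _REQ_NAME.match(spec)
        if not match:
            continue
        # A marker such as "extra == 'test'" means the requirement is optional.
        is_extra = "extra ==" in spec
        reqs.append((normalize(match.group(1)), is_extra))
    return reqs


def declared_requirements(dist_name):
    """Read an installed distribution's METADATA; None if it is not installed."""
    try:
        dist = metadata.distribution(dist_name)
    except metadata.PackageNotFoundError:
        return None
    return parse_requires_dist(dist.read_text("METADATA") or "")


def depends_on(requirements, suspect):
    """True if `suspect` is among the parsed requirements (extras included)."""
    target = normalize(suspect)
    return any(name == target for name, _ in requirements)


if __name__ == "__main__":
    # Check the constructed sample first, then whatever is installed locally.
    sample = parse_requires_dist(SAMPLE_METADATA)
    print("sample declares:", sample)
    print("sample depends on opencast?", depends_on(sample, "opencast"))

    installed = declared_requirements("MarkupSafe")
    if installed is None:
        print("MarkupSafe is not installed in this environment")
    else:
        print("MarkupSafe declares:", installed)
        print("MarkupSafe depends on opencast?", depends_on(installed, "opencast"))
```

If the declared requirements do not contain the package the scanner names, the finding is a misattribution on the scanner's side (or belongs to a different component in the same environment), and the right next step is to raise it with the scanner vendor or the project that really declares that dependency, rather than with the package that was flagged.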