pyupio/safety

pipenv check safety fails with an unfixable error for plotly dash

SmokinCaterpillar opened this issue · 3 comments

We use the newest dash library 1.21.0. However, if we run pipenv check --system it fails with the following error:

40962: dash <2.2.0 resolved (1.21.0 installed)!
Dash 2.2.0 includes a security fix.

The problem is that no PyPI package of Dash with version 2.2.0 exists; 1.21.0 is the newest version. How can we fix this? Thanks!

Is the issue that the security fix required is in Plotly.js 2.2.0 or 2.2.1, which is bundled in Dash 1.21.0 - see https://github.com/plotly/dash/blob/dev/CHANGELOG.md#1210---2021-07-09?

Ah okay, thanks, but then the error message "Dash 2.2.0 includes a security fix." is quite misleading.

Hi, thanks for the comment about the misleading description of the vulnerability; @rhunwicks is right.

That vulnerability was updated in our database, so I will close this issue.