safety depends on vulnerable dparse version
okuuva opened this issue · 1 comments
okuuva commented
- safety version: latest
- Python version: 3.9
- Operating System: Linux
Description
Today our CI job running safety warned us about a new known vulnerability:
```text
+==============================================================================+
|                                                                              |
|                               /$$$$$$            /$$                         |
|                              /$$__  $$          | $$                         |
|           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
|          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
|         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
|          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
|          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
|         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
|                                                          /$$  | $$           |
|                                                         |  $$$$$$/           |
|  by pyup.io                                              \______/            |
|                                                                              |
+==============================================================================+
| REPORT                                                                       |
| checked 184 packages, using free DB (updated once a month)                   |
+============================+===========+==========================+==========+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| dparse                     | 0.5.1     | <0.5.2                   | 50571    |
+==============================================================================+
| Dparse 0.5.2 fixes a possible ReDoS vulnerability.                           |
| https://github.com/pyupio/dparse/commit/8c990170bbd6c0cf212f1151e90254865560 |
| 62d5                                                                         |
+==============================================================================+
```
Did some digging and it turns out it's safety that pins the version to >=0.5.1. A quick search in this repo suggests it still affects the develop branch. Didn't check if it's really relevant, but it's a bit awkward for sure.
yeisonvargasf commented
Thanks for the report @okuuva! The new release of Safety updates that dependency. Also, note that the dparse vulnerability doesn't affect Safety because Safety doesn't use the affected function; however, another external dependency might be using the affected version of Dparse, so the recommendation is to update to the latest Safety version.