pyupio/safety

CVE's

Opened this issue · 2 comments

mcandre commented

The Snyk CLI reports vulnerabilities on the PyPI safety package.

https://snyk.io/

$ cat requirements.txt
safety

$ snyk test

Testing /Users/andrew...

Tested 13 dependencies for known issues, found 1 issue, 1 vulnerable path.


Issues to fix by upgrading dependencies:

  Pin idna@3.6 to idna@3.7 to fix
  ✗ Resource Exhaustion (new) [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-IDNA-6597975] in idna@3.6
    introduced by safety@2.3.5 > requests@2.31.0 > idna@3.6



Organization:      mcandre
Package manager:   pip
Target file:       requirements.txt
Project name:      andrew
Open source:       no
Project path:      /Users/andrew
Licenses:          enabled

Tip: Try `snyk fix` to address these issues.`snyk fix` is a new CLI command in that aims to automatically apply the recommended updates for supported ecosystems.
See documentation on how to enable this beta feature: https://docs.snyk.io/snyk-cli/fix-vulnerabilities-from-the-cli/automatic-remediation-with-snyk-fix#enabling-snyk-fix

By the way, the requests library may be overkill. It's just a wrapper. One way to resolve the vulnerability is to drop that dependency and use the standard library directly.

yeisonvargasf commented

Thanks, @mcandre, for this report.

As a solution, you can pin idna, and yes, we will drop requests in a future minor release.

Safety makes the best effort to avoid pinning dependencies and prevent compatibility issues. Nevertheless, we will look to integrate suggested minimum constraints for dependencies or document them for users who want to enforce them.

mcandre commented

Hi, it's been a month.

When can we expect this security enhancement to be released?