Werkzeug 1.0.* fails Safety check
AndrewEckart opened this issue · 0 comments
AndrewEckart commented
Recently, Werkzeug 1.* has been flagged for vulnerabilities by Safety. This is causing our GitHub Actions workflows to fail:
```text
(Safety ASCII-art banner, "by pyup.io", omitted)
+==============================================================================+
| REPORT |
| checked 85 packages, using free DB (updated once a month) |
+============================+===========+==========================+==========+
| package | installed | affected | ID |
+============================+===========+==========================+==========+
| werkzeug | 1.0.1 | <2.0.2 | 42050 |
+==============================================================================+
Exception ignored in: <_io.TextIOWrapper name='<stdout>' mode='w' encoding='UTF-8'>
BrokenPipeError: [Errno 32] Broken pipe
Error: Process completed with exit code 255.
```
The vulnerability is as follows:
```json
{
  "advisory": "Werkzeug version 2.0.2 improves the security of the debugger cookies. \"SameSite\" attribute is set to \"Strict\" instead of \"None\", and the secure flag is added when on HTTPS.",
  "cve": "PVE-2021-42050",
  "id": "pyup.io-42050",
  "specs": [
    "<2.0.2"
  ],
  "v": "<2.0.2"
},
```
We need to either migrate to Flask/Werkzeug 2.0 (a substantial project), or add an exception for this in our pipeline.
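As an added example (not from the issue author and not Safety's own code) of the second option, a pipeline gate that only honours exceptions which carry a reason and an expiry date, so a suppressed finding is revisited rather than forgotten. The record shape mirrors the safety-db entry quoted above; the ignore-list format and the minimal version matcher are assumptions for this demo.

```python
"""Gate Safety findings through an explicit, expiring ignore list (added example)."""
from datetime import date

# Constructed findings in the shape of the safety-db record quoted in the issue.
FINDINGS = [
    {"package": "werkzeug", "installed": "1.0.1", "specs": ["<2.0.2"],
     "id": "pyup.io-42050",
     "advisory": "Werkzeug 2.0.2 improves the security of the debugger cookies."},
]

# Assumed ignore-list format: id -> (reason, expiry date). Both fields are
# mandatory so every exception is justified and reviewed again on expiry.
IGNORE = {
    "pyup.io-42050": ("Werkzeug debugger is never enabled outside local dev; "
                      "Flask 2 migration tracked separately.", date(2022, 3, 31)),
}


def _ver(s):
    """Parse a dotted numeric version into a comparable tuple (demo-grade, not PEP 440)."""
    return tuple(int(p) for p in s.split(".") if p.isdigit())


def is_affected(installed, spec):
    """Match the '<', '<=', '>', '>=', '==' specs used by safety-db records."""
    for op in ("<=", ">=", "==", "<", ">"):
        if spec.startswith(op):
            a, b = _ver(installed), _ver(spec[len(op):])
            return {"<=": a <= b, ">=": a >= b, "==": a == b, "<": a < b, ">": a > b}[op]
    raise ValueError(f"unsupported spec: {spec}")


def outstanding(findings, ignore, today):
    """Return the IDs that still block the build: affected and not under a live exception."""
    blocking = []
    for f in findings:
        if not any(is_affected(f["installed"], s) for s in f["specs"]):
            continue  # installed version is outside the vulnerable range
        entry = ignore.get(f["id"])
        if entry and today <= entry[1]:
            continue  # documented exception that has not expired yet
        blocking.append(f["id"])
    return blocking


if __name__ == "__main__":
    import sys
    blocked = outstanding(FINDINGS, IGNORE, date.today())
    print("blocking findings:", blocked or "none")
    sys.exit(1 if blocked else 0)
```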