Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Avoid gitpyhon CVE-2022-24439 #1048

Merged
merged 1 commit into from Aug 17, 2023
Merged

Avoid gitpyhon CVE-2022-24439 #1048

merged 1 commit into from Aug 17, 2023

Conversation

carlosduelo
Copy link
Contributor

ericwb
ericwb approved these changes Aug 17, 2023
View reviewed changes
Copy link
Member

@ericwb ericwb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ericwb ericwb merged commit fb2f180 into PyCQA:main Aug 17, 2023
11 checks passed
@tvalenta tvalenta mentioned this pull request Aug 25, 2023
Closed
@mstandley-tempus
Copy link

hi @ericwb, when it's ready, can you please cut a new release that includes this commit?

@sigmavirus24
Copy link
Member

You don't need us to. You can control the version yourself to avoid the CVEs in that library

@msmeraglia
Copy link

how would we do that? the latest version available has the outdated module dependecy?

@sigmavirus24
Copy link
Member

Look at the version before this change. It allowed for the version to be greater or equal to 1.whatever just as this version does. That means any version (including non-vulnerable versions) is allowed that satisfy that requirement. So you can install whatever version you want that's great then the prior list bound without needing a release.

This is basic python dependency management

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ericwb ericwb ericwb approved these changes

@lukehinds lukehinds Awaiting requested review from lukehinds lukehinds is a code owner

@sigmavirus24 sigmavirus24 Awaiting requested review from sigmavirus24 sigmavirus24 is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@carlosduelo @mstandley-tempus @sigmavirus24 @msmeraglia @ericwb