Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Security upgrade mistune from 0.8.4 to 2.0.3 #7142

Closed
wants to merge 1 commit into from

Conversation

snyk-bot
Copy link
Contributor

@snyk-bot snyk-bot commented Nov 4, 2022

Snyk has created this PR to fix one or more vulnerable packages in the `pip` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • doc/requirements.txt
⚠️ Warning
pyipv8 2.8.0 requires aiohttp-apispec, which is not installed.
pyipv8 2.8.0 requires aiohttp, which is not installed.

Vulnerabilities that will be fixed

By pinning:
Severity Priority Score (*) Issue Upgrade Breaking Change Exploit Maturity
medium severity 479/1000
Why? Has a fix available, CVSS 5.3
Regular Expression Denial of Service (ReDoS)
SNYK-PYTHON-MISTUNE-2940625
mistune:
0.8.4 -> 2.0.3
No No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-MISTUNE-2940625
@snyk-bot snyk-bot requested review from a team and drew2a and removed request for a team November 4, 2022 10:39
@tribler-ci
Copy link
Contributor

Can one of the admins verify this patch?

Copy link
Contributor

@drew2a drew2a left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The documentation build has finished with the error:

  DEPRECATION: m2r is being installed using the legacy 'setup.py install' method, because it does not have a 'pyproject.toml' and the 'wheel' package is not installed. pip 23.1 will enforce this behaviour change. A possible replacement is to enable the '--use-pep517' option. Discussion can be found at https://github.com/pypa/pip/issues/8559
  Running setup.py install for m2r: started
  Running setup.py install for m2r: finished with status 'error'
  error: subprocess-exited-with-error
  
  × Running setup.py install for m2r did not run successfully.
  │ exit code: 1
  ╰─> [8 lines of output]
      Traceback (most recent call last):
        File "<string>", line 2, in <module>
        File "<pip-setuptools-caller>", line 34, in <module>
        File "/tmp/pip-install-1wa07k4s/m2r_dc27f769972b45c2972a278bc0607b96/setup.py", line 14, in <module>
          from m2r import parse_from_file
        File "/tmp/pip-install-1wa07k4s/m2r_dc27f769972b45c2972a278bc0607b96/m2r.py", line 59, in <module>
          class RestBlockGrammar(mistune.BlockGrammar):
      AttributeError: module 'mistune' has no attribute 'BlockGrammar'
      [end of output]
  
  note: This error originates from a subprocess, and is likely not a problem with pip.
error: legacy-install-failure

× Encountered error while trying to install package.
╰─> m2r

note: This is an issue with the package mentioned above, not pip.
hint: See above for output from the failure.

@kozlovsky
Copy link
Contributor

sphinxcontrib-openapi compatibility with mistune 2.0.x is not fixed yet, see #6624

@kozlovsky kozlovsky closed this Nov 8, 2022
@xoriole xoriole reopened this Nov 11, 2022
@drew2a drew2a force-pushed the main branch 5 times, most recently from d534eca to 4ea5f08 Compare November 21, 2022 13:47
@drew2a drew2a closed this Nov 30, 2022
@drew2a drew2a deleted the snyk-fix-bf4bdc5a12ff3119748ebdc2e21ba1d0 branch May 2, 2023 11:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

5 participants