I've dismissed this dependabot alert: Mistune v2.0.2 vulnerable to catastrophic backtracking · Dependabot alert #5 · microsoft/CCF (github.com). Documenting here for posterity, because apparently GitHub doesn't have a comment field on security alerts.
We use `sphinxcontrib.openapi`, which requires `m2r`, which requires `mistune` but doesn't actually work with `mistune >= 2.0.0`. `m2r` appears to be a dead repo with no plans to fix this incompatibility: AttributeError: module 'mistune' has no attribute 'BlockGrammar' in line 58 of m2r.py · Issue #66 · miyakogi/m2r (github.com)

There are a few plausible forks, but none that have been taken by `sphinxcontrib.openapi`: m2r haven't been updated in years · Issue #123 · sphinx-contrib/openapi (github.com)

So now there's a security alert in `mistune <= 2.0.2`, but we continue to require `mistune < 2.0.0`. This only affects our docs build, so isn't important enough for a more involved fix. If the dependency chain ever resolves itself, we'll get a better fix for free.