Dependabot alert - Mistune v2.0.2 vulnerable to catastrophic backtracking #4087

Closed
eddyashton (Member) opened this issue Aug 1, 2022 · 0 comments

I've dismissed this Dependabot alert: "Mistune v2.0.2 vulnerable to catastrophic backtracking · Dependabot alert #5 · microsoft/CCF (github.com)". Documenting here for posterity, because apparently GitHub doesn't have a comment field on security alerts.

We use `sphinxcontrib.openapi`, which requires `m2r`, which requires `mistune` but doesn't actually work with `mistune >= 2.0.0`. `m2r` appears to be a dead repo with no plans to fix this incompatibility: "AttributeError: module 'mistune' has no attribute 'BlockGrammar' in line 58 of m2r.py · Issue #66 · miyakogi/m2r (github.com)".

There are a few plausible forks, but none that have been taken up by `sphinxcontrib.openapi`: "m2r haven't been updated in years · Issue #123 · sphinx-contrib/openapi (github.com)".

So now there's a security alert in `mistune <= 2.0.2`, but we continue to require `mistune < 2.0.0`. This only affects our docs build, so isn't important enough for a more involved fix. If the dependency chain ever resolves itself, we'll get a better fix for free.

@eddyashton eddyashton added bug and removed bug labels Aug 1, 2022
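The situation described in the comment above, worked through in code: a transitive pin (`m2r` requiring `mistune < 2.0.0`) that leaves no installable version outside the advisory's affected range (`mistune <= 2.0.2`). This is an added example, not code from CCF, m2r or mistune; the `MISTUNE_RELEASES` list is a constructed sample of dotted release numbers, and the helper names (`satisfies`, `installable`, `safe_installable`) are hypothetical. It handles only plain release versions and the six comparison operators, which is enough to show why the alert cannot be resolved by bumping the pin.

```python
"""Does a transitive pin leave any non-vulnerable version installable?

Added example (not from the CCF repository, m2r or mistune).  It re-creates
the dependency situation from the issue comment: m2r pins mistune < 2.0.0,
while the Dependabot alert covers mistune <= 2.0.2, so every version the
pin permits lies inside the alert's range and no upgrade satisfies both.

Scope: plain dotted release versions ("2.0.2") and the operators
<, <=, ==, !=, >=, >.  Pre-releases, wildcards and '~=' are not handled.
"""
import operator
from typing import Callable, Dict, Iterable, List, Tuple

Version = Tuple[int, ...]

# Two-character operators are listed first so "<=" is not misread as "<".
OPERATORS: Dict[str, Callable[[Version, Version], bool]] = {
    "<=": operator.le,
    ">=": operator.ge,
    "==": operator.eq,
    "!=": operator.ne,
    "<": operator.lt,
    ">": operator.gt,
}


def parse_version(text: str) -> Version:
    """'2.0.2' -> (2, 0, 2).  Release segment only; anything else is rejected."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(a: Version, b: Version) -> Tuple[Version, Version]:
    """Right-pad with zeros so (2, 0) and (2, 0, 0) compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def parse_specifier(spec: str) -> List[Tuple[str, Version]]:
    """'>=2.0.0,<2.1' -> [('>=', (2, 0, 0)), ('<', (2, 1))]."""
    clauses: List[Tuple[str, Version]] = []
    for clause in spec.split(","):
        clause = clause.strip()
        if not clause:
            continue
        for op in OPERATORS:
            if clause.startswith(op):
                clauses.append((op, parse_version(clause[len(op):])))
                break
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
    return clauses


def satisfies(version: str, spec: str) -> bool:
    """True if `version` meets every comma-separated clause of `spec`."""
    v = parse_version(version)
    for op, bound in parse_specifier(spec):
        a, b = _pad(v, bound)
        if not OPERATORS[op](a, b):
            return False
    return True


def installable(candidates: Iterable[str], constraint: str) -> List[str]:
    """Versions from `candidates` that the pin/constraint permits."""
    return [c for c in candidates if satisfies(c, constraint)]


def safe_installable(candidates: Iterable[str], constraint: str,
                     vulnerable_range: str) -> List[str]:
    """Permitted versions that also fall outside the advisory's range.

    An empty result means the constraint cannot be satisfied without
    installing an affected version: the alert is not fixable by a bump.
    """
    return [c for c in installable(candidates, constraint)
            if not satisfies(c, vulnerable_range)]


# Constructed sample of release numbers for illustration (not read from PyPI).
MISTUNE_RELEASES = ["0.8.4", "2.0.0", "2.0.1", "2.0.2", "2.0.3"]
M2R_PIN = "<2.0.0"       # from the comment: m2r breaks on mistune >= 2.0.0
ALERT_RANGE = "<=2.0.2"  # affected range stated by the Dependabot alert

if __name__ == "__main__":
    print("allowed by m2r pin:", installable(MISTUNE_RELEASES, M2R_PIN))
    print("allowed and outside the alert:",
          safe_installable(MISTUNE_RELEASES, M2R_PIN, ALERT_RANGE))
```

Running it prints a single permitted version under the `m2r` pin and nothing that is both permitted and outside the alert's range, which is the "can only be dismissed" outcome the comment describes; swapping in a constraint such as `>=2.0.0` (what a maintained fork of `m2r` would need) is the only way the second list becomes non-empty.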