Requests<2.30.0 has a security issue #41

Alexerson · 2023-05-23T18:00:14Z

Current behavior

The current action depends on requests<2.30, but this causes the following:

❯ pip-audit
| Collecting inputs
Found 1 known vulnerability in 1 package
Name     Version ID                  Fix Versions
-------- ------- ------------------- ------------
requests 2.29.0  GHSA-j8r2-6x86-q33q 2.31.0

My project depends on requests 2.31.0, this issue is with the pinned version in this codebase.

I believe the reason why we were holding on the requests 2.30.0 issue is now fixed, so we should relax this condition.

Expected behavior

I expected the action to not fail on its own.

Steps to reproduce

Add pip-audit to an empty project
Run it.

Relevant context

Nothing else needed.

The text was updated successfully, but these errors were encountered:

woodruffw · 2023-05-23T19:07:45Z

Thanks for filing this!

I believe the reason why we were holding on the requests 2.30.0 issue is now fixed, so we should relax this condition.

Correct, although we need to bump the constraint on pip-audit to reflect that. I've left details on that in the PR you've opened.

woodruffw · 2023-05-23T19:18:31Z

Resolved with 1.0.8. Thanks again, @Alexerson!

Alexerson added the bug Something isn't working label May 23, 2023

Alexerson mentioned this issue May 23, 2023

Remove pin on requests (fixes #41) #42

Merged

woodruffw closed this as completed in cf52d21 May 23, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Requests<2.30.0 has a security issue #41

Requests<2.30.0 has a security issue #41

Alexerson commented May 23, 2023

woodruffw commented May 23, 2023

woodruffw commented May 23, 2023

Requests<2.30.0 has a security issue #41

Requests<2.30.0 has a security issue #41

Comments

Alexerson commented May 23, 2023

Current behavior

Expected behavior

Steps to reproduce

Relevant context

woodruffw commented May 23, 2023

woodruffw commented May 23, 2023