Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE's in connexion #1516

Closed
pilatcen opened this issue Apr 23, 2022 · 3 comments · Fixed by #1619
Closed

CVE's in connexion #1516

pilatcen opened this issue Apr 23, 2022 · 3 comments · Fixed by #1619

Comments

@pilatcen
Copy link

Twistlock found these CVE's in the latest connexion package 2.13.0:

twistlock

https://nvd.nist.gov/vuln/detail/CVE-2019-17495
GHSA-cr3q-pqgq-m8c2
GHSA-qrmm-w75w-3wpx
GHSA-388g-jwpg-x6j4
GHSA-4f9m-pxwh-68hg
GHSA-cr3q-pqgq-m8c2
GHSA-qrmm-w75w-3wpx

Can you please update this package in order to fix these issues?

@RobbeSneyders
Copy link
Member

These are all related to our dependency swagger-ui-bundle and need to be fixed there.

@hughlunnon
Copy link

@RobbeSneyders it looks like swagger-ui-bundle has been abandoned. I don't think there's a need for the bundle as swagger-ui 3 supports OAS2.x specification as well - is it possible to change the dependency just to include swagger-ui (not the abandoned bundle)?

RobbeSneyders added a commit that referenced this issue Jan 9, 2023
Fixes #1412
Fixes #1516 

Since [swagger-ui-bundle](https://github.com/dtkav/swagger_ui_bundle) is
no longer maintained, I forked it under the spec-first organization as
[py-swagger-ui](https://github.com/spec-first/py-swagger-ui). This PR
updates connexion to use it instead.
@enicklas
Copy link

enicklas commented Jan 9, 2023

Awesome, thanks a lot! Do you already have an estimate when this might be released?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants