Status: Closed (closed by bhaveshpatelh 3 years ago)
@Chaffelson Since it's a moderate severity, please check this out.
Hey, sorry for the delay - v0.16.2 pushed today, please let me know if it doesn't do the job for you.
> On Mon, Feb 8, 2021 at 3:12 PM Bhavesh Patel wrote:
> @Chaffelson Since it's a moderate severity, please check this out.
Thanks! This is resolved with the release v0.16.2
Description
We need to use the latest tag from pip. Can you generate the latest tag, since the older lxml had CVEs? It seems lxml has been upgraded, but the release tag has not been generated: https://github.com/Chaffelson/nipyapi/pull/252/files
What I Did
Using Dependabot, we got to know about this CVE: "Bump lxml from 4.1.0 to 4.6.2", https://github.com/advisories/GHSA-pgww-xf46-h92r
Urgency
High, since we have started using this package and need to remove this CVE.
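As an added example (not code from the nipyapi project or from anyone in this thread), the following script shows the check a consumer of a package would run before and after a release like v0.16.2: it scans a requirements-style file for pins of a dependency that fall below the minimum version carrying the fix, and it also reports an open lower bound such as `lxml>=4.1.0`, which still permits the vulnerable releases to be installed. The `4.6.2` floor is the version from the Dependabot bump quoted above; the sample requirements text and the `SAFE_FLOORS` table are constructed for illustration, and the version comparison handles only numeric dotted versions.

```python
"""Flag dependency pins that fall below the minimum version carrying a fix."""
import re
from importlib import metadata
from typing import Dict, List, Optional, Tuple

# Minimum versions that carry the fix for the advisory being tracked.
# Constructed table: the lxml floor is the target of the Dependabot bump
# ("Bump lxml from 4.1.0 to 4.6.2"); add one entry per advisory you track.
SAFE_FLOORS: Dict[str, str] = {
    "lxml": "4.6.2",
}

# Constructed sample requirements file (hypothetical pins, not nipyapi's own).
SAMPLE_REQUIREMENTS = """\
# pinned runtime dependencies
nipyapi==0.16.1
lxml==4.1.0
requests>=2.25.0
"""

# Matches "name==1.2.3" or "name>=1.2.3" (exact pin or open lower bound);
# other specifiers (~=, <, extras, URLs) are deliberately skipped.
_SPEC_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9_.-]*)\s*(==|>=)\s*([0-9][0-9.]*)")


def normalize_name(name: str) -> str:
    """Compare package names the way pip does: case-insensitive, '_' == '-'."""
    return name.lower().replace("_", "-")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.6.2' into (4, 6, 2). Numeric dotted versions only."""
    return tuple(int(part) for part in version.strip(".").split("."))


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly lower than b, padding short versions with zeros
    so that '4.6' compares equal to '4.6.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def find_outdated_pins(
    requirements_text: str, floors: Dict[str, str] = SAFE_FLOORS
) -> List[Tuple[str, str, str, str]]:
    """Return (name, operator, pinned_version, safe_floor) for every line whose
    pin or lower bound is below the safe floor for that package.

    A '>=' bound below the floor is reported too: it does not pin the vulnerable
    version, but it allows a resolver to pick one.
    """
    findings = []
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        match = _SPEC_RE.match(line)
        if not match:
            continue
        name, operator, pinned = match.groups()
        floor = floors.get(normalize_name(name))
        if floor is not None and version_lt(pinned, floor):
            findings.append((normalize_name(name), operator, pinned, floor))
    return findings


def installed_is_safe(package: str, floors: Dict[str, str] = SAFE_FLOORS) -> Optional[bool]:
    """Check the version actually installed in this environment against the floor.
    Returns None when the package is not installed or has no tracked floor."""
    floor = floors.get(normalize_name(package))
    if floor is None:
        return None
    try:
        installed = metadata.version(package)
    except metadata.PackageNotFoundError:
        return None
    return not version_lt(installed, floor)


if __name__ == "__main__":
    for name, op, pinned, floor in find_outdated_pins(SAMPLE_REQUIREMENTS):
        print(f"{name}{op}{pinned}: below fixed version {floor}")
    state = installed_is_safe("lxml")
    print("installed lxml:", "not installed" if state is None else ("safe" if state else "vulnerable"))
```

Running it against the sample file reports the `lxml==4.1.0` pin; replacing that line with `lxml==4.6.2` (or bumping to a nipyapi release that already requires it) clears the finding. The `installed_is_safe` check complements the file scan, since a requirements file and the environment that was actually deployed can drift apart.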