Open davis-anthony opened 1 year ago
It doesn't look to me like future is maintained anymore. Here is the PR to fix it: https://github.com/PythonCharmers/python-future/pull/610.
One option that comes to mind for me would be:
I see that the patched version of future was created as 0.18.3.
We have been testing with it for several releases, but I will explicitly set it as a requirement in the next release.
Description
Vulnerability outlined in CVE-2022-40899. Unfortunately, it looks like that project is dead and will likely not be updated. This will need to be dropped as a dependency and the use of future refactored to some other component.
What I Did
Including the dependency for nipyapi 0.19.1 in my local project and running it through OWASP results in a failure due to the dependency on future 0.18.2. If I exclude this dependency, I get a build failure with a reference to this CVE:
https://nvd.nist.gov/vuln/detail/CVE-2022-40899
Urgency
This blocks our build pipelines and poses a security risk in our production environment.
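The remedy discussed in this thread is to require the patched release of future. As an added example (not nipyapi's code and not posted by anyone in this thread), here is a small Python check that a CI job could run over a requirements file to flag any `future` specifier that can still resolve to a release before 0.18.3, the patched version named above. The requirements text is constructed for the example, and the fix boundary (0.18.3) is taken from the thread, not from the CVE record itself.

```python
"""Flag `future` requirement specifiers that still allow a vulnerable release.

Added example; not code from nipyapi or python-future. Assumes, as the thread
states, that future 0.18.3 is the patched release for CVE-2022-40899, so any
specifier that can resolve to 0.18.2 or earlier is still affected.
"""
import re
from typing import List, Optional, Tuple

CVE_ID = "CVE-2022-40899"
FIXED_VERSION = (0, 18, 3)  # per the thread: patched future was released as 0.18.3

# Constructed sample requirements file, as a build pipeline might see it.
SAMPLE_REQUIREMENTS = """\
nipyapi==0.19.1
future==0.18.2          # pulled in by nipyapi
requests>=2.28
Future>=0.18.3          # distribution names are case-insensitive
six
"""

# project name, optional operator, optional version (comments are stripped first)
_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9A-Za-z.]*)?"
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '0.18.2' into (0, 18, 2); stop at the first non-numeric segment."""
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def future_pin_status(line: str) -> Optional[str]:
    """Classify one requirements line.

    Returns None when the line is not a `future` requirement; otherwise
    'fixed' (can only resolve to >= 0.18.3), 'vulnerable' (pinned to an
    affected release) or 'unbounded' (the resolver may pick either).
    """
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = _REQ_RE.match(line)
    if not m or m.group(1).lower() != "future":
        return None
    op, ver = m.group(2), m.group(3)
    if not op or not ver:
        return "unbounded"  # bare 'future': nothing stops an old wheel from being chosen
    version = parse_version(ver)
    if op == "==":
        return "fixed" if version >= FIXED_VERSION else "vulnerable"
    if op in (">=", "~="):  # both set a lower bound at `version`
        return "fixed" if version >= FIXED_VERSION else "unbounded"
    if op == ">":  # strictly above 0.18.2 already excludes the affected releases
        return "fixed" if version >= (0, 18, 2) else "unbounded"
    return "unbounded"  # <, <= and != give no lower bound at all


def scan_requirements(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, status, raw line) for every `future` requirement."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        status = future_pin_status(raw)
        if status is not None:
            findings.append((number, status, raw.strip()))
    return findings


def has_vulnerable_future(text: str) -> bool:
    """True if any `future` specifier can resolve to an affected release."""
    return any(status != "fixed" for _, status, _ in scan_requirements(text))


if __name__ == "__main__":
    for number, status, raw in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {number}: {status:<10} {raw}")
    if has_vulnerable_future(SAMPLE_REQUIREMENTS):
        raise SystemExit(f"{CVE_ID}: a `future` specifier still allows a release < 0.18.3")
```

The check deliberately treats an unpinned or loosely bounded `future` as a failure as well, since a lock-free requirements file gives the resolver no reason to avoid 0.18.2; a real pipeline would run the same logic over the fully resolved lock file, where every entry is an `==` pin.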