DataDog / datadog-lambda-python

The Datadog AWS Lambda Layer for Python
https://docs.datadoghq.com/integrations/amazon_lambda/#installing-and-using-the-datadog-layer
Apache License 2.0

urllib3 vulnerability GHSA-34jh-p97f-mpxf #508

Closed Cookiehook closed 3 months ago

Cookiehook commented 4 months ago

A vulnerability has been found and patched in urllib3: https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf. Datadog-lambda has an explicit pin of urllib3 to version <2.1.0: https://github.com/DataDog/datadog-lambda-python/blob/main/pyproject.toml#L34

This is preventing us from remediating the vulnerability in our applications, as poetry cannot resolve to install datadog-lambda-python and urllib3 2.2.2.

Could you please update your dependencies to allow the security patch in urllib3 2.2.2 to be included in the installation?

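As an added illustration of the resolver conflict described in this report (example code, not from the issue or from the datadog-lambda-python project): a stdlib-only check that, given the requirement specifiers a resolver sees for a package, reports which declared pins exclude a patched release. The `urllib3<2.1.0` pin is the one quoted above; the `my-app` entries and the function names are assumptions.

```python
import re

# Constructed sample of what a resolver sees: (requiring package, specifier).
# The urllib3 upper bound is the pin quoted in the issue; the rest is hypothetical.
DECLARED_REQUIREMENTS = [
    ("datadog-lambda", "urllib3<2.1.0"),
    ("my-app", "urllib3>=2.2.2"),   # the application wants the patched release
    ("my-app", "requests>=2.31"),   # unrelated package, must be ignored
]

_SPEC_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|!=|<=|>=|<|>)\s*([0-9][0-9.]*)$")

def parse_version(text):
    """Turn '2.2.2' into a comparable tuple; missing trailing parts count as 0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))

def parse_requirement(spec):
    """Split 'urllib3<2.1.0' into (name, operator, version tuple)."""
    m = _SPEC_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unsupported specifier: {spec!r}")
    return m.group(1).lower(), m.group(2), parse_version(m.group(3))

_OPS = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
}

def blocking_pins(requirements, package, patched_version):
    """Return the (requirer, specifier) pairs whose constraint on `package`
    is not satisfied by `patched_version`, i.e. the pins that stop a resolver
    from installing the fixed release alongside the requirer."""
    target = parse_version(patched_version)
    blockers = []
    for requirer, spec in requirements:
        name, op, bound = parse_requirement(spec)
        if name == package.lower() and not _OPS[op](target, bound):
            blockers.append((requirer, spec))
    return blockers

if __name__ == "__main__":
    for requirer, spec in blocking_pins(DECLARED_REQUIREMENTS, "urllib3", "2.2.2"):
        print(f"{requirer} declares {spec!r}; patched urllib3 2.2.2 cannot be installed")
```

Running this over a lock file's declared constraints is a quick way to find which transitive pin, rather than your own, is what keeps a patched release out.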

astuyve commented 4 months ago

Hi @Cookiehook - thanks for the note! We had made this pin because of botocore as per the PR. If this has been fixed upstream, we can remove the restriction entirely.

Cookiehook commented 4 months ago

Hi @astuyve, from what I can see, the restriction in botocore has been lifted in March this year:

I won't pretend to understand the details of the datadog-lambda-python package or your testing procedures, but this looks to me like you can un-pin and re-test and this should work.

astuyve commented 3 months ago

Hi @Cookiehook - this is now released in v6.98.

Best!