Snyk has created this PR to upgrade snyk from 1.438.0 to 1.459.0.
:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version is 30 versions ahead of your current version.
The recommended version was released a day ago, on 2021-02-22.
Bumps the python plugin to include the following fixes for poetry:
Stop parser from trying to look up packages not propagated to the lockfile (wheel, distributed, pip, setuptools)
Stop parser from failing when failing to locate dependency in lockfile and instead log a warning. This could be because of python requirements allowing it in the manifest but not actually installing it and adding a lockfile entry or because of how Poetry treats the use of underscores and hyphens when installing packages
Reversed PR that introduced swapping underscores in manifest for hyphens in lockfile. This was due to a misunderstanding of how Poetry worked and is remediated by the above.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Snyk has created this PR to upgrade snyk from 1.438.0 to 1.459.0.
The recommended version fixes:
SNYK-JS-LODASH-1040724
Why? Proof of Concept exploit, Recently disclosed, CVSS 7.2
SNYK-JS-LODASH-1018905
Why? Proof of Concept exploit, Recently disclosed, CVSS 7.2
(*) Note that the real score may have changed since the PR was raised.
Release notes
Package name: snyk
1.459.0 (2021-02-22)
Bug Fixes
1.458.0 (2021-02-19)
Features
1.457.0 (2021-02-18)
Features
1.456.0 (2021-02-17)
Features
1.455.0 (2021-02-15)
Features
Fixes
Includes fix to consider hyphens and underscores to be equivalent in package name comparisons in Poetry
Release Notes pending
Bumps the python plugin to include the following fixes for poetry:
Commit messages
Package name: snyk
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information:![](https://api.segment.io/v1/pixel/track?data=eyJ3cml0ZUtleSI6InJyWmxZcEdHY2RyTHZsb0lYd0dUcVg4WkFRTnNCOUEwIiwiYW5vbnltb3VzSWQiOiI1Nzc5YTVjYi05YWVlLTQ0ZDUtYjI1Ni0wMzVkOTFkMDk4MDkiLCJldmVudCI6IlBSIHZpZXdlZCIsInByb3BlcnRpZXMiOnsicHJJZCI6IjU3NzlhNWNiLTlhZWUtNDRkNS1iMjU2LTAzNWQ5MWQwOTgwOSJ9fQ==)
🧐 View latest project report
🛠 Adjust upgrade PR settings
🔕 Ignore this dependency or unsubscribe from future upgrade PRs