SAML-Toolkits / python3-saml

MIT License
672 stars 302 forks

lxml has a vulnerability but we cannot update because python3-saml relies on <4.7.1 #319

Closed brugnara closed 1 year ago

brugnara commented 1 year ago

Hi all.

As I mentioned in the subject of the issue, what I wanted to achieve is to update lxml to the first safe version, which is 4.9.1, but Poetry slams the door, telling me I cannot do it, and with valid reasons:

 SolverProblemError

  Because python3-saml (1.14.0) depends on lxml (<4.7.1)
   and no versions of python3-saml match >1.14.0,<1.15.0, python3-saml (>=1.14.0,<1.15.0) requires lxml (<4.7.1).
  So, because atoka-revenge depends on both lxml (^4.9.1) and python3-saml (~1.14.0), version solving failed.

Security output.

| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---------|---------------|----------|-------------------|---------------|-------|
| lxml    | CVE-2022-2309 |          | 4.7.0             | 4.9.1         | lxml: NULL Pointer Dereference in lxml (avd.aquasec.com/nvd/cve-2022-2309) |

Am I missing something, or does somebody have a suggestion on this, pretty please?

Thank you for considering my request.
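The SolverProblemError above can be reproduced without Poetry by modelling each constraint as a half-open version interval and intersecting them. The script below is an added example for this page, not code from the issue author or from python3-saml; it understands only the Poetry specifier forms that appear in the error (`^`, `~`, `>=`, `<`) and plain dotted release numbers, and it treats the CVE-2022-2309 fix version 4.9.1 quoted in the scan output as the boundary for `is_vulnerable`. Caret ranges on `0.x` versions, pre-release tags and `!=` exclusions are deliberately not modelled.

```python
"""Why `lxml ^4.9.1` cannot be resolved alongside `python3-saml ~1.14.0`.

Constructed example: each Poetry constraint becomes a [lower, upper) interval
over version tuples; resolution fails when the intersection is empty.
Only the specifier forms seen in the issue are supported (^, ~, >=, <).
"""
from __future__ import annotations

from typing import Optional, Tuple

Version = Tuple[int, ...]
ZERO: Version = (0,)
INF: Version = (10**9,)  # sentinel upper bound, larger than any real release
Interval = Tuple[Version, Version]  # lower inclusive, upper exclusive

# Fix version taken from the trivy row on this page (CVE-2022-2309 -> 4.9.1).
CVE_2022_2309_FIXED = "4.9.1"


def parse_version(text: str) -> Version:
    """'4.9.1' -> (4, 9, 1). Plain dotted releases only, as on this page."""
    return tuple(int(part) for part in text.strip().split("."))


def _caret(v: Version) -> Interval:
    """Poetry ^X.Y.Z means >=X.Y.Z,<(X+1).0.0 when X > 0."""
    if v[0] == 0:
        raise ValueError("^0.x caret ranges are not modelled in this example")
    return v, (v[0] + 1, 0, 0)


def _tilde(v: Version) -> Interval:
    """Poetry ~X.Y.Z means >=X.Y.Z,<X.(Y+1).0; ~X means >=X,<(X+1)."""
    if len(v) == 1:
        return v, (v[0] + 1,)
    return v, (v[0], v[1] + 1, 0)


def parse_constraint(spec: str) -> Interval:
    """Turn a comma-separated Poetry constraint into one [lower, upper) interval."""
    lower, upper = ZERO, INF
    for part in spec.split(","):
        part = part.strip()
        if part.startswith("^"):
            lo, up = _caret(parse_version(part[1:]))
        elif part.startswith("~"):
            lo, up = _tilde(parse_version(part[1:]))
        elif part.startswith(">="):
            lo, up = parse_version(part[2:]), INF
        elif part.startswith("<") and not part.startswith("<="):
            lo, up = ZERO, parse_version(part[1:])
        else:
            raise ValueError(f"unsupported specifier in this example: {part!r}")
        lower, upper = max(lower, lo), min(upper, up)
    return lower, upper


def intersect(a: Interval, b: Interval) -> Optional[Interval]:
    """Intersection of two half-open intervals, or None when it is empty."""
    lower, upper = max(a[0], b[0]), min(a[1], b[1])
    return (lower, upper) if lower < upper else None


def resolvable(*specs: str) -> Optional[Interval]:
    """Return the version interval satisfying every constraint, or None if none exists."""
    current: Optional[Interval] = (ZERO, INF)
    for spec in specs:
        current = intersect(current, parse_constraint(spec))
        if current is None:
            return None
    return current


def is_vulnerable(installed: str, fixed: str = CVE_2022_2309_FIXED) -> bool:
    """True when the installed lxml predates the fix version quoted by the scanner."""
    return parse_version(installed) < parse_version(fixed)


if __name__ == "__main__":
    # The two constraints named in the SolverProblemError.
    app_wants = "^4.9.1"          # atoka-revenge: lxml ^4.9.1
    saml_allows = "<4.7.1"        # python3-saml 1.14.0: lxml <4.7.1
    print("intersection:", resolvable(app_wants, saml_allows))  # None -> solver fails
    print("lxml 4.7.0 vulnerable:", is_vulnerable("4.7.0"))
    print("python3-saml ~1.14.0 ->", parse_constraint("~1.14.0"))
```

Run as a script it prints `None` for the intersection, which is the machine-level reason for the solver failure: every version python3-saml 1.14.0 accepts is below the 4.9.1 fix, so no pinning trick on the application side can satisfy both without a relaxed upper bound in python3-saml itself.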

koleror commented 1 year ago

Hi! Any news on this topic? Any chance the PR could be merged?

mapapuche commented 1 year ago

Hello, same problem :/

thechad12 commented 1 year ago

Hi - can you please merge this PR? We are facing this issue too.

aquatix commented 1 year ago

We would also really appreciate it if this PR can be merged/issue can be fixed. Running a vulnerable lxml in production does not sit well :)

MatthijsvW commented 1 year ago

Yes please, same here!