I'm submitting a request to fix a vulnerability in a dependency
For developers who use osv-scanner to detect vulnerabilities in open-source libraries and dependencies, a vulnerability is being detected in urllib3, a dependency of detect-secrets. For CI/CD pipelines that prevent deployment if a vulnerability is detected, this is a blocker. We use detect-secrets in our CI/CD pipeline, for example, and are blocked by this unless we actively ignore the vulnerability.
See a summary of the vulnerability here: https://osv.dev/vulnerability/GHSA-v845-jxx5-vc9f
Update urllib3 to v1.26.17 in requirements_dev.txt to eliminate the vulnerability.