awslabs / seed-farmer

Seed-Farmer is an orchestration tool that works with AWS CodeSeeder and is modeled after GitOps deployments. It has a Python-based command-line interface, leverages modular code deployments defined by declarative manifests, and includes change detection and deployment optimization.
https://seed-farmer.readthedocs.io/en/latest/
Apache License 2.0

[BUG] Security vulnerability - requests v 2.31.0 (https://www.cvedetails.com/cve/CVE-2024-35195/) #592

Closed 3sztof closed 1 month ago

3sztof commented 1 month ago

Describe the bug
Seedfarmer has a locked dependency on the requests module version (currently requires 2.31.0). This version of requests contains a vulnerability that is picked up by pip-audit (https://www.cvedetails.com/cve/CVE-2024-35195/).

Expected behavior
The requests version should be patched to the newest one ASAP to prevent blocking deployments that rely on Seedfarmer.
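The failure mode described in this report is an exact version pin sitting below the first fixed release of an advisory, which a dependency audit then flags and the pipeline turns into a hard stop. The following script is an added example and is not part of seed-farmer or pip-audit: it parses `==` pins out of a requirements-style file and compares them against a small advisory table. The sample requirements text and the advisory table are constructed for illustration; the fixed version 2.32.0 listed for CVE-2024-35195 is an assumption made for the example, not a value taken from this issue.

```python
"""Check pinned Python dependencies against a small advisory table.

Added example, not code from the seed-farmer project. The advisory table and
the sample requirements file are constructed; in a real pipeline the advisory
data would come from a vulnerability database via a tool such as pip-audit.
"""
import re
from dataclasses import dataclass

# Constructed advisory table: package -> list of (advisory id, first fixed version).
# CVE-2024-35195 is the advisory cited in the issue; the fixed version (2, 32, 0)
# is assumed here for illustration.
ADVISORIES = {
    "requests": [("CVE-2024-35195", (2, 32, 0))],
}

# Constructed sample of a pinned requirements file, mirroring the
# requests==2.31.0 pin the issue describes.
SAMPLE_REQUIREMENTS = """\
# pinned dependencies (constructed sample)
boto3==1.34.0
requests==2.31.0
pyyaml>=6.0
"""

# Only exact pins lock a deployment to a single version; ranges are skipped.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*$")


def parse_version(text):
    """Turn '2.31.0' into a comparable tuple, padded to three numeric parts.

    Non-numeric tails such as '0rc1' are dropped, which is enough for the
    release pins this check is aimed at.
    """
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_pins(requirements_text):
    """Return {normalized name: version tuple} for every '==' pin in the text."""
    pins = {}
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            name = m.group(1).lower().replace("_", "-")
            pins[name] = parse_version(m.group(2))
    return pins


@dataclass
class Finding:
    package: str
    pinned: str
    advisory: str
    fixed_in: str


def audit_pins(requirements_text, advisories=ADVISORIES):
    """Report every exact pin that is below the first fixed version of an advisory."""
    findings = []
    for name, pinned in parse_pins(requirements_text).items():
        for advisory_id, fixed in advisories.get(name, []):
            if pinned < fixed:
                findings.append(Finding(
                    package=name,
                    pinned=".".join(map(str, pinned)),
                    advisory=advisory_id,
                    fixed_in=".".join(map(str, fixed)),
                ))
    return findings


if __name__ == "__main__":
    for f in audit_pins(SAMPLE_REQUIREMENTS):
        print(f"{f.package}=={f.pinned} is affected by {f.advisory}; "
              f"first fixed release is {f.fixed_in}")
```

Running the script on the constructed sample reports the single `requests==2.31.0` pin; bumping that pin to the fixed release clears the finding, which is the same check a pip-audit gate in a deployment pipeline performs before the pipeline proceeds.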

3sztof commented 1 month ago

Dependabot PR: https://github.com/awslabs/seed-farmer/pull/591

3sztof commented 1 month ago

Opening this as a bug, as it has a huge impact on our environments, all of the deployments are failing due to pip-audit issues.

dgraeber commented 1 month ago

This is addressed in 3.5.1 and on main.