{
    "advisory": "The Requests package through 2.19.1 sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.",
    "cve": "CVE-2018-18074",
    "id": "pyup.io-36546",
    "specs": [
        "<=2.19.1"
    ],
    "v": "<=2.19.1"
},
Our vendored version of Python Requests (2.7.0) is very old (from 2015).
The SafetyDB warns about the following security vulnerability CVE-2018-18074:
which was fixed in 2.20.0 in 2018.
Additionally, the upstream repo has moved to https://github.com/psf/requests.
I grepped for vendor/requests in brave-core and only found the following reference outside of the vendor/requests/ and vendor/depot_tools/ directories:

In other words, it doesn't look like it's used by anything.
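
The redirect decision described in the advisory, as an added example that is not part of the original issue and is not Requests' own code: a simplified model comparing a hostname-only rule with a same-origin rule. The function names, the example.test URLs and the placeholder credential are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _origin(url):
    """Return (scheme, hostname, effective port) for a URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)

def strip_auth_hostname_only(old_url, new_url):
    """Behaviour the advisory describes: only a hostname change drops the header."""
    return _origin(old_url)[1] != _origin(new_url)[1]

def strip_auth_hardened(old_url, new_url):
    """Drop the header unless the redirect stays on the same origin;
    an http -> https upgrade on default ports is the one allowed exception."""
    old, new = _origin(old_url), _origin(new_url)
    if old[1] != new[1]:
        return True
    if old == ("http", old[1], 80) and new == ("https", new[1], 443):
        return False
    return old != new

def follow_redirect(headers, old_url, new_url, should_strip):
    """Return the headers to send to new_url after applying should_strip."""
    out = dict(headers)
    if "Authorization" in out and should_strip(old_url, new_url):
        del out["Authorization"]
    return out

# Constructed sample request; the credential is a placeholder.
HEADERS = {"Authorization": "Basic PLACEHOLDER", "Accept": "*/*"}
CASES = [
    ("https://api.example.test/login", "http://api.example.test/login"),  # downgrade
    ("https://api.example.test/a", "https://api.example.test/b"),         # same origin
    ("http://api.example.test/a", "https://api.example.test/a"),          # upgrade
    ("https://api.example.test/a", "https://other.example.test/a"),       # new host
]

def audit():
    """Per case: (header kept by hostname-only rule, header kept by hardened rule)."""
    return [
        ("Authorization" in follow_redirect(HEADERS, o, n, strip_auth_hostname_only),
         "Authorization" in follow_redirect(HEADERS, o, n, strip_auth_hardened))
        for o, n in CASES
    ]

if __name__ == "__main__":
    for (o, n), (weak, hard) in zip(CASES, audit()):
        print(f"{o} -> {n}: hostname-only keeps={weak} hardened keeps={hard}")
```

The first case is the one the advisory covers: the hostname-only rule keeps the header across the https-to-http downgrade, while the same-origin rule drops it.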