As far as I can tell, the outdated urllib3 and certifi might be coming from sentry-sdk.
$ poetry show certifi
name : certifi
version : 2021.5.30
description : Python package for providing Mozilla's CA Bundle.
required by
- httpx *
- requests >=2017.4.17
- sentry-sdk *
$ poetry show urllib3
name : urllib3
version : 1.26.6
description : HTTP library with thread-safe connection pooling, file post, and more.
required by
- requests >=1.21.1,<1.27
- sentry-sdk >=1.10.0
$ poetry show starlette
name : starlette
version : 0.20.4
description : The little ASGI library that shines.
dependencies
- anyio >=3.4.0,<5
- typing-extensions >=3.10.0
There are some CVEs that are being flagged by Mend.io.

The dependencies should use these versions:
- urllib3 >= 1.26.18
- certifi >= 2023.7.22
- starlette >= 0.27.0

urllib3 CVE - https://www.cve.org/CVERecord?id=CVE-2023-43804
certifi Vul - https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7
starlette Vul - https://github.com/encode/starlette/security/advisories/GHSA-v5gw-mw7f-84px
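Added example, not code from the original issue or from Poetry itself: a small script that turns the `poetry show <pkg>` listings quoted above (re-typed here as constructed input) into a report of which packages sit below the floors named in the issue, and, for each outdated package, whether every dependent's own constraint would still admit the fixed version. That second check is what decides whether the remediation is a plain `poetry update urllib3`-style bump or whether a dependent such as `requests` or `sentry-sdk` has to move first. The version and constraint handling is deliberately minimal (dotted numeric versions and the operators `>=`, `<=`, `==`, `>`, `<`, `*`); it is an assumption that this covers the pins in play, and it is not a full PEP 440 implementation.

```python
"""Compare `poetry show` listings against minimum safe versions and check
whether each dependent's constraint still admits the fixed version."""
import re

# Floors taken from the issue text above.
MIN_SAFE = {
    "urllib3": "1.26.18",
    "certifi": "2023.7.22",
    "starlette": "0.27.0",
}

# Constructed input: the three `poetry show` listings quoted in the thread.
SHOW_OUTPUT = """\
name         : certifi
version      : 2021.5.30
description  : Python package for providing Mozilla's CA Bundle.

required by
 - httpx *
 - requests >=2017.4.17
 - sentry-sdk *
name         : urllib3
version      : 1.26.6
description  : HTTP library with thread-safe connection pooling, file post, and more.

required by
 - requests >=1.21.1,<1.27
 - sentry-sdk >=1.10.0
name         : starlette
version      : 0.20.4
description  : The little ASGI library that shines.

dependencies
 - anyio >=3.4.0,<5
 - typing-extensions >=3.10.0
"""


def parse_version(text):
    """'1.26.18' -> (1, 26, 18). Stops at the first non-numeric component."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def cmp_versions(a, b):
    """Return -1, 0 or 1; shorter tuples are zero-padded so 0.27 == 0.27.0."""
    va, vb = parse_version(a), parse_version(b)
    n = max(len(va), len(vb))
    va += (0,) * (n - len(va))
    vb += (0,) * (n - len(vb))
    return (va > vb) - (va < vb)


def satisfies(version, constraint):
    """True if `version` meets a comma-separated constraint like '>=1.21.1,<1.27'."""
    if constraint.strip() in ("", "*"):
        return True
    ops = {">=": lambda c: c >= 0, "<=": lambda c: c <= 0, "==": lambda c: c == 0,
           ">": lambda c: c > 0, "<": lambda c: c < 0}
    for clause in constraint.split(","):
        m = re.match(r"\s*(>=|<=|==|>|<)\s*([\w.]+)", clause)
        if not m:
            raise ValueError(f"unsupported constraint: {clause!r}")
        op, bound = m.groups()
        if not ops[op](cmp_versions(version, bound)):
            return False
    return True


def parse_show(text):
    """Parse concatenated `poetry show <pkg>` listings into
    {name: {"version": str, "required_by": {dependent: constraint}}}."""
    packages, current, section = {}, None, None
    for line in text.splitlines():
        m = re.match(r"(\w[\w-]*)\s*:\s*(.*)", line)
        if m and m.group(1) == "name":
            current = packages.setdefault(m.group(2).strip(),
                                         {"version": None, "required_by": {}})
            section = None
            continue
        if m and current is not None and m.group(1) == "version":
            current["version"] = m.group(2).strip()
            continue
        if line.strip() in ("required by", "dependencies"):
            section = line.strip()
            continue
        dep = re.match(r"\s*-\s*(\S+)\s*(.*)", line)
        if dep and section == "required by" and current is not None:
            # A missing constraint in the listing means "any version".
            current["required_by"][dep.group(1)] = dep.group(2).strip() or "*"
    return packages


def audit(show_text=SHOW_OUTPUT, floors=MIN_SAFE):
    """Return [(package, installed, floor, [(dependent, constraint, fix_ok)])]
    for every package below its floor; fix_ok says whether that dependent's
    constraint admits the floor version, so a bump would not break it."""
    findings = []
    for name, info in parse_show(show_text).items():
        floor = floors.get(name)
        if floor is None or cmp_versions(info["version"], floor) >= 0:
            continue
        dependents = [(dep, c, satisfies(floor, c))
                      for dep, c in info["required_by"].items()]
        findings.append((name, info["version"], floor, dependents))
    return findings


if __name__ == "__main__":
    for name, installed, floor, deps in audit():
        print(f"{name} {installed} < {floor}")
        for dep, constraint, ok in deps:
            print(f"    required by {dep} ({constraint}): "
                  f"{'bump is allowed' if ok else 'BLOCKS bump'}")
```

On the listings in this thread every dependent constraint admits the fixed floors (for example `requests` pins `urllib3 >=1.21.1,<1.27`, and 1.26.18 is inside that range), so the report shows no blockers; a dependent that did pin below the floor would be printed as blocking and would itself need updating. For the real dependency chain rather than the flat "required by" view, `poetry show --tree` prints who pulls in what.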