django / daphne

Django Channels HTTP/WebSocket server
BSD 3-Clause "New" or "Revised" License
2.32k stars, 256 forks

3.0.2 Failing Safety Check - No Stable Upgrade Available #437

Closed CarolynWebster closed 1 year ago

CarolynWebster commented 1 year ago

Looks like there are several safety warnings for daphne. 3.0.2 appears to be the last stable version, so there is no option in terms of upgrades.

safety report
checked 261 packages, using default DB
---
-> daphne, installed 3.0.2, affected <4.0.0b1, id 50814
-> daphne, installed 3.0.2, affected <4.0.0b1, id 50815
-> daphne, installed 3.0.2, affected <4.0.0b1, id 50816
-> daphne, installed 3.0.2, affected <4.0.0b1, id 50817
-> daphne, installed 3.0.2, affected <4.0.0b1, id 50818
-> daphne, installed 3.0.2, affected <4.0.0b1, id 50768
adamchainz commented 1 year ago

From the safety JSON file: https://raw.githubusercontent.com/pyupio/safety-db/master/data/insecure_full.json

"daphne": [
        {
            "advisory": "Daphne 4.0.0b1 updates its dependency 'twisted' requirement to '>=22.4' to include security fixes.",
            "cve": "CVE-2022-21712",
            "id": "pyup.io-50814",
            "more_info_path": "/vulnerabilities/CVE-2022-21712/50814/",
            "specs": [
                "<4.0.0b1"
            ],
            "v": "<4.0.0b1"
        },
        {
            "advisory": "Daphne 4.0.0b1 updates its dependency 'twisted' requirement to '>=22.4' to include security fixes.",
            "cve": "CVE-2020-10108",
            "id": "pyup.io-50815",
            "more_info_path": "/vulnerabilities/CVE-2020-10108/50815/",
            "specs": [
                "<4.0.0b1"
            ],
            "v": "<4.0.0b1"
        },
        {
            "advisory": "Daphne 4.0.0b1 updates its dependency 'twisted' requirement to '>=22.4' to include security fixes.",
            "cve": "CVE-2020-10109",
            "id": "pyup.io-50816",
            "more_info_path": "/vulnerabilities/CVE-2020-10109/50816/",
            "specs": [
                "<4.0.0b1"
            ],
            "v": "<4.0.0b1"
        },
        {
            "advisory": "Daphne 4.0.0b1 updates its dependency 'twisted' requirement to '>=22.4' to include security fixes.",
            "cve": "CVE-2019-12855",
            "id": "pyup.io-50817",
            "more_info_path": "/vulnerabilities/CVE-2019-12855/50817/",
            "specs": [
                "<4.0.0b1"
            ],
            "v": "<4.0.0b1"
        },
        {
            "advisory": "Daphne 4.0.0b1 updates its dependency 'twisted' requirement to '>=22.4' to include security fixes.",
            "cve": "CVE-2019-12387",
            "id": "pyup.io-50818",
            "more_info_path": "/vulnerabilities/CVE-2019-12387/50818/",
            "specs": [
                "<4.0.0b1"
            ],
            "v": "<4.0.0b1"
        },
        {
            "advisory": "Daphne 4.0.0b1 updates its dependency 'twisted' requirement to '>=22.4' to include security fixes.",
            "cve": "CVE-2022-24801",
            "id": "pyup.io-50768",
            "more_info_path": "/vulnerabilities/CVE-2022-24801/50768/",
            "specs": [
                "<4.0.0b1"
            ],
            "v": "<4.0.0b1"
        }
    ],

Links to pyup:

These all report on the same thing, that Daphne <4.0.0b1 doesn't require a secure version of twisted.

IMO these are "garbage" reports, you can use the new version of Twisted with Daphne 3.0.2. Daphne cannot be expected to release a new version with an updated minimum version pin, every time that Twisted releases a security fix.

I advise ignoring the checks (safety check --ignore=50814 ...), and reporting them as bad checks to PyUP.

carltongibson commented 1 year ago

Yes, thanks @adamchainz — I agree these are garbage. It makes Pyup's "reviewed by experts" look pretty weak TBH.

The key point is the twisted dependency is a minimum: if you pip install daphne you don't get an insecure version....

Successfully installed … daphne-3.0.2 … twisted-22.4.0 

So @CarolynWebster You can carry on (but please do report the issue to pyup)

...cannot be expected to release a new version with an updated minimum version pin...

It's a minimum, "needs at least this" — if I declare Django>=3.2 it's not a security issue in my package because Django 3.2.15 was a security release. You just update Django.
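The triage the two comments above describe, as an added example that is not code from the daphne project or from anyone in this thread: it takes the six advisory entries quoted above (constructed here in the same shape as the safety-db JSON), recognises the ones that only raise a dependency pin, judges each against the Twisted version actually installed rather than daphne's declared minimum, and emits the `--ignore` flags for the ones that do not apply. The advisory-text regex is an assumed pattern derived from the quoted wording, and `installed` is whatever the environment reports, e.g. `twisted-22.4.0` as in the pip output above.

```python
import re

# Constructed from the six insecure_full.json entries quoted above; they
# share one advisory text and differ only in CVE and pyup id.
PIN_BUMP_TEXT = ("Daphne 4.0.0b1 updates its dependency 'twisted' requirement "
                 "to '>=22.4' to include security fixes.")
ADVISORIES = [
    {"id": f"pyup.io-{pid}", "cve": cve, "advisory": PIN_BUMP_TEXT, "specs": ["<4.0.0b1"]}
    for pid, cve in [(50814, "CVE-2022-21712"), (50815, "CVE-2020-10108"),
                     (50816, "CVE-2020-10109"), (50817, "CVE-2019-12855"),
                     (50818, "CVE-2019-12387"), (50768, "CVE-2022-24801")]
]
# Assumed phrasing, matched against the advisory text above.
_PIN_BUMP = re.compile(r"dependency '(?P<name>[\w.-]+)' requirement to '>=(?P<ver>[\d.]+)'")

def parse_version(text):
    """Numeric version tuple; a pre-release suffix such as 'rc1' is dropped."""
    parts = (re.match(r"\d+", p) for p in text.split("."))
    return tuple(int(m.group()) if m else 0 for m in parts)

def pin_bump_requirement(advisory_text):
    """(dependency, minimum) if the advisory only raises a dependency pin, else None."""
    m = _PIN_BUMP.search(advisory_text)
    return (m["name"].lower(), m["ver"]) if m else None

def triage(advisories, installed):
    """Map advisory id -> verdict, judged against the versions really installed
    (e.g. what `pip freeze` reports), not against daphne's declared minimum.
    'ignore': the dependency already meets the fixed minimum;
    'upgrade-dependency': it is older or missing, so upgrade that package;
    'review': the advisory is about the package itself, not a pin bump."""
    verdicts = {}
    for adv in advisories:
        req = pin_bump_requirement(adv["advisory"])
        if req is None:
            verdicts[adv["id"]] = "review"
            continue
        name, minimum = req
        have = installed.get(name)
        ok = have is not None and parse_version(have) >= parse_version(minimum)
        verdicts[adv["id"]] = "ignore" if ok else "upgrade-dependency"
    return verdicts

def ignore_args(verdicts):
    """safety flags for the advisories judged safe to mute, e.g. '--ignore=50814'."""
    return [f"--ignore={aid.rsplit('-', 1)[1]}"
            for aid, v in sorted(verdicts.items()) if v == "ignore"]

if __name__ == "__main__":  # the twisted-22.4.0 environment shown in the pip output above
    print(" ".join(ignore_args(triage(ADVISORIES, {"twisted": "22.4.0"}))))
```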

adamchainz commented 1 year ago

Btw, my experience with safety has been only false positives. I've been using it at one client for about two years, because their security policy needed something in place. But IIRC the only alerts we've ever seen were false positives that needed muting, maybe 2-3 times.

I am considering switching to pip-audit, which has a community-driven database.