dotenv-org / python-dotenv-vault

Load environment variables from encrypted .env.vault files
https://www.dotenv.org/docs/languages/python
MIT License

cryptography<41.0.3 includes vulnerable OpenSSL version #19

Closed mnbf9rca closed 11 months ago

mnbf9rca commented 1 year ago

See "Vulnerable OpenSSL included in cryptography wheels" and "pyca/cryptography's wheels include vulnerable OpenSSL".

python-dotenv-vault depends on cryptography<41.0.0,>=3.1.0, which prevents package managers from resolving a higher version, e.g.:

(venv) @mnbf9rca ➜ /workspace (chore/update_deps) $ poetry add cryptography@>=41.0.3

Because python-dotenv-vault (0.6.3) depends on cryptography (>=3.1.0,<41.0.0)
 and no versions of python-dotenv-vault match >0.6.3,<0.7.0, python-dotenv-vault (>=0.6.3,<0.7.0) requires cryptography (>=3.1.0,<41.0.0).
So, because mqtt-to-eventhub depends on both python-dotenv-vault (^0.6.3) and cryptography (^41.0.3), version solving failed.

mnbf9rca commented 11 months ago

Additional High-severity CVE-2023-38325, which would require cryptography>41.0.2 to resolve.
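To make the resolver failure quoted above concrete, here is an added example (my own code, not part of python-dotenv-vault or this issue thread) that parses the two requirement ranges, expands Poetry's caret shorthand, and reports whether any version can satisfy both; `allows` answers the practical supply-chain question of whether a pinned range still admits a given patched release. It assumes plain numeric x.y.z versions and only the operators shown on this page.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]
Clause = Tuple[str, Version]          # (operator, bound)
Bound = Tuple[Version, bool]          # (version, inclusive)

def parse_version(text: str) -> Version:
    """'41.0.3' -> (41, 0, 3); shorter strings are right-padded with zeros."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def expand_caret(text: str) -> List[Clause]:
    """Poetry caret: bumps below the first non-zero component (^0.6.3 -> >=0.6.3,<0.7.0)."""
    v = parse_version(text)
    i = next((k for k, p in enumerate(v) if p), 2)
    upper = v[:i] + (v[i] + 1,) + (0,) * (2 - i)
    return [(">=", v), ("<", upper)]

def parse_specifier(spec: str) -> List[Clause]:
    """Parse 'cryptography<41.0.0,>=3.1.0' or '^0.6.3'; a leading package name is optional."""
    body = re.sub(r"^[A-Za-z0-9_.-]+\s*(?=[<>^])", "", spec.strip())
    clauses: List[Clause] = []
    for part in re.split(r"\s*,\s*", body):
        m = re.fullmatch(r"(\^|<=|>=|<|>)\s*([0-9][0-9.]*)", part)
        if not m:
            raise ValueError(f"unsupported clause: {part!r}")
        op, ver = m.groups()
        clauses += expand_caret(ver) if op == "^" else [(op, parse_version(ver))]
    return clauses

def satisfiable(*specs: str) -> bool:
    """True if at least one version lies inside every given range.
    False is what the resolver reports as 'version solving failed'."""
    lo: Bound = ((0, 0, 0), True)
    hi: Optional[Bound] = None
    for spec in specs:
        for op, b in parse_specifier(spec):
            if op in (">", ">="):          # tighten the lower bound
                if b > lo[0] or (b == lo[0] and op == ">"):
                    lo = (b, op == ">=")
            elif hi is None or b < hi[0] or (b == hi[0] and op == "<"):
                hi = (b, op == "<=")      # tighten the upper bound
    if hi is None:
        return True
    return lo[0] < hi[0] or (lo[0] == hi[0] and lo[1] and hi[1])

def allows(spec: str, version: str) -> bool:
    """Does a pinned range admit one specific (e.g. patched) release?"""
    return satisfiable(spec, f">={version},<={version}")
```

Running `satisfiable("cryptography<41.0.0,>=3.1.0", "^41.0.3")` reproduces the conflict from the Poetry output above, and `allows("cryptography<41.0.0,>=3.1.0", "41.0.3")` shows the pinned range excludes the patched wheel.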