explosion / srsly

🦉 Modern high-performance serialization utilities for Python (JSON, MessagePack, Pickle)
MIT License

The latest patch release of major version 1 does not have the security fix for CVE-2022-31116 #93

Closed dgriff67 closed 1 year ago

dgriff67 commented 1 year ago

From your release notes:

v2.4.4

Port https://github.com/ultrajson/ultrajson/pull/550 and https://github.com/ultrajson/ultrajson/pull/555 to fix incorrect handling of invalid surrogate pair characters (https://github.com/advisories/GHSA-wpqr-jcpx-745r)

However, the same fix for ultrajson does not seem to have been applied to the latest patch release of major version 1. The version of SpaCy we have in our code base has srsly = ">=0.0.6,<1.1.0" and our security scan unveiled the vulnerability CVE-2022-31116.

Would it be possible to put through a major version 1 patch release including the security fix to address CVE-2022-31116?

Kind regards,

David Griffiths

adrianeboyd commented 1 year ago

Thanks for the note, this is a reasonable request. I think we'd want to backport #62, #66, and #67, plus CI changes from #90/#91/#92.

I can't make any promises about the timeline at this point -- I'll put it on our internal todo list but it may be a few weeks before we can come back to this.

adrianeboyd commented 1 year ago

This should be fixed in srsly v1.0.7. Please let us know if you run into any issues!

dgriff67 commented 1 year ago

I scanned an image with 1.0.7 and the security alert went away - many thanks!