Closed. astellingwerf closed this 4 months ago.
Hi there @nateprewitt! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.
This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
Hi @astellingwerf, both 2.32.0 and 2.32.1 are valid releases for the CVE patch. They're both available for use on GitHub and PyPI if needed. Yanking a release on PyPI just instructs pip and other package management tools to prefer a different installation if the user doesn't explicitly ask for it. I'm not sure what's in the Security Advisory currently is inaccurate.
Thanks for your response, @nateprewitt. I proposed this change because of https://github.com/renovatebot/renovate/discussions/29280. Renovate will (with OSV alerts enabled) only update to the exact version that is declared as the fix version, but it also refuses to update to yanked/deprecated versions.
I'd imagine it makes little sense to suggest that users update to a yanked version, and the change would allow Renovate to update to a valid version with the fix for this security vulnerability.
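The two points above (pip skipping yanked files unless a version is pinned exactly, and a tool that only moves to the exact fixed version an advisory names) can be combined into a check a maintainer or dependency tool could run. This is an added example, not code from this thread, Renovate, requests or GitHub: it takes release data in the shape of PyPI's JSON API and returns the lowest non-yanked release at or above the advisory's fixed version. The release data below is constructed and does not describe the real state of any project; the version ordering is simplified to plain dotted releases.

```python
"""Pick the earliest non-yanked release at or above an advisory's fixed version.

Works on the shape of PyPI's JSON API (https://pypi.org/pypi/<project>/json):
``releases`` maps a version string to a list of file dicts, each carrying a
``yanked`` boolean (PEP 592). A release counts as yanked only when every one
of its files is yanked; that is when pip skips it unless the version is pinned.
"""
import json
import urllib.request
from typing import Optional


def _key(version: str) -> tuple:
    # Simplified ordering for plain dotted releases (assumption: no
    # pre/post/dev segments). Non-numeric parts sort before numeric ones.
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in version.split("."))


def release_is_yanked(files: list) -> bool:
    # A release with no downloadable files is unusable; treat it like a yanked one.
    return not files or all(f.get("yanked", False) for f in files)


def first_usable_fix(releases: dict, fixed_version: str) -> Optional[str]:
    """Return the lowest version >= fixed_version that pip would install
    without an exact pin, or None if every such candidate is yanked."""
    floor = _key(fixed_version)
    for version in sorted(releases, key=_key):
        if _key(version) >= floor and not release_is_yanked(releases[version]):
            return version
    return None


def fetch_releases(project: str) -> dict:
    # Live lookup against PyPI's JSON API; not used by the offline demo below.
    with urllib.request.urlopen(f"https://pypi.org/pypi/{project}/json") as resp:
        return json.load(resp)["releases"]


# Constructed sample in the JSON API's shape; not the real state of any project.
SAMPLE_RELEASES = {
    "2.31.0": [{"filename": "pkg-2.31.0-py3-none-any.whl", "yanked": False}],
    "2.32.0": [{"filename": "pkg-2.32.0-py3-none-any.whl", "yanked": True,
                "yanked_reason": "constructed example reason"}],
    # Partially yanked: one file withdrawn, one still installable.
    "2.32.1": [{"filename": "pkg-2.32.1.tar.gz", "yanked": True},
               {"filename": "pkg-2.32.1-py3-none-any.whl", "yanked": False}],
    "2.32.2": [{"filename": "pkg-2.32.2-py3-none-any.whl", "yanked": False}],
}

if __name__ == "__main__":
    print(first_usable_fix(SAMPLE_RELEASES, "2.32.0"))  # → 2.32.1 for this sample
```

A dependency tool that bumps to the returned version still satisfies the advisory's "fixed in" bound while avoiding a release pip itself would not pick.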
Hi @astellingwerf, as @nateprewitt pointed out, version 2.32.0 contains the patch and the fix commit is tagged with version 2.32.0. I'm not accepting the contribution because changing the patched version to 2.32.2 would result in readers of the advisory receiving less accurate information, including thousands of users receiving alerts that say their software is vulnerable when it is not vulnerable. The difficulty you describe at https://github.com/renovatebot/renovate/discussions/29280 sounds frustrating, but difficulty with another org's tooling can't lead me to compromising on data accuracy.
Thank you for your interest in GHSA-9wx4-h78v-vm56 and have a great week.
Comments: https://pypi.org/project/requests/#history shows the fixed version as yanked.