hyperledger / indy-plenum

Plenum Byzantine Fault Tolerant Protocol
https://wiki.hyperledger.org/display/indy
Apache License 2.0

[Security] remove ujson package (CVE-2022-31116, CVE-2022-31117, CVE-2021-45958) #1676

Open PatStLouis opened 3 months ago

PatStLouis commented 3 months ago

https://security.snyk.io/package/pip/ujson

WadeBarnes commented 3 months ago

@PatStLouis, please rebase this PR now that your fix for the failed action has been merged. Thanks.

crajapakshe commented 3 months ago

@PatStLouis Here are some notes for the remediation process.

PatStLouis commented 2 months ago

@crajapakshe pysha3 is a separate package, and we won't likely be able to update this package in a timely manner, as there are some breaking changes introduced in >=1.0. Current installations use version 0.2.1.