jackc / pgtype

MIT License

Known vulnerability in outdated pgx dependency, pgproto3-1.1.0 #182

Closed VitruvianVice closed 2 years ago

VitruvianVice commented 2 years ago

The latest version of pgtype, 1.12.0, relies on an outdated version of pgx, version 4.12. It uses pgproto3 v1.1.0.

The latest stable pgx version is 4.17, with pgproto3 v2.3.1.

The Sonatype OSS Index determines the former version of pgproto to contain a "medium" grave vulnerability due to unrestricted resource consumption.

This seems to be resolvable by upgrading pgx to a more recent version.

jackc commented 2 years ago

> The Sonatype OSS Index determines the former version of pgproto to contain a "medium" grave vulnerability due to unrestricted resource consumption.

It's a false alarm. It appears the "Sonatype OSS Index" does not distinguish between test and non-test dependencies. pgtype only uses pgx in tests.

> This seems to be resolvable by upgrading pgx to a more recent version.

If this vulnerability scanner has the same flaws as others it won't be satisfied. pgx depends on pgtype and pgtype's tests depend on pgx. This causes problems for scanners that naively follow the test dependency chain. See https://github.com/jackc/pgx/issues/1052 for more info.
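To check a finding like this against what a module actually ships, here is an added triage helper (not part of pgtype or this thread) that compares the output of `go list -deps` with and without `-test`; the two module lists embedded below are constructed samples, not captured from the pgtype repository.

```python
"""Classify a scanner finding as shipping, test-only, or absent.

Inputs are the lines produced by
  go list -deps -f '{{if .Module}}{{.Module.Path}}@{{.Module.Version}}{{end}}' ./...
and the same command with -test added.  A module that appears only in
the second list is pulled in by the module's own tests and never reaches
a consumer's binary.
"""

# Constructed sample output; versions are taken from the issue text, not
# from a real `go list` run against pgtype.
BUILD_DEPS = """\
github.com/jackc/pgtype@
github.com/jackc/pgio@v1.0.0
"""

TEST_DEPS = """\
github.com/jackc/pgtype@
github.com/jackc/pgio@v1.0.0
github.com/jackc/pgx/v4@v4.12.0
github.com/jackc/pgproto3@v1.1.0
"""


def parse_module_list(text: str) -> set[str]:
    """Keep non-empty 'path@version' lines (std-lib packages print blanks)."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def classify(build: str, test: str) -> dict[str, str]:
    """Map each module to 'build' or 'test-only'."""
    build_set, test_set = parse_module_list(build), parse_module_list(test)
    classes = {m: "build" for m in build_set}
    classes.update({m: "test-only" for m in test_set - build_set})
    return classes


def triage(module_path: str, build: str, test: str) -> str:
    """Return 'ships', 'test-only' or 'absent' for the flagged module path."""
    classes = classify(build, test)
    hits = [m for m in classes if m.rsplit("@", 1)[0] == module_path]
    if not hits:
        return "absent"
    return "ships" if any(classes[m] == "build" for m in hits) else "test-only"


if __name__ == "__main__":
    for mod in ("github.com/jackc/pgproto3", "github.com/jackc/pgio"):
        print(f"{mod}: {triage(mod, BUILD_DEPS, TEST_DEPS)}")
```

Note that `go list -deps -test ./...` only adds the tests of the module's own packages, not the tests of its dependencies, so the pgx -> pgtype -> pgx test cycle described above never enters either list; a scanner that walks every go.mod in `go mod graph` output does follow it, which is the mismatch the comment describes.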

VitruvianVice commented 2 years ago

I see. Looking closer at it I can confirm that you're absolutely right! Thank you for pointing that out! Also thanks for your work!

I'll close the issue!