locustio / locust

Write scalable load tests in plain Python 🚗💨
MIT License

Setuptools CVE-2022-40897 #2761

Open matthawley opened 3 weeks ago

matthawley commented 3 weeks ago

Description

Version 2.29.0 of locust still reports the usage of setuptools@65.5.0, which contains the vulnerability CVE-2022-40897. This has been fixed in version 65.5.1.

Command line

n/a

Locustfile contents

n/a

Python version

n/a

Locust version

2.29.0

Operating system

Linux

cyberw commented 3 weeks ago

Hi! What does this issue actually mean for a tool like locust?

matthawley commented 3 weeks ago

I don't know, tbh - I just know it's being flagged with the CVE listed, as a fix has been available since Nov 2022.

cyberw commented 3 weeks ago

Ok. A quick look seems to indicate this is not relevant for us, and we don't limit the maximum version, so most people will end up using the latest version anyway.

Maybe we could/should bump the minimum version, but it isn't top prio and there's an open PR doing lots of things with the build system, so I'm not touching it now.
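The thread turns on two checks a practitioner would want to run for themselves: which setuptools release is actually installed in a given environment, and whether a requirement line such as the minimum-version bump discussed above can still resolve to an affected release. The script below is an added example, not code from locust or from anyone in this thread. It assumes only the fix boundary stated in the issue (65.5.1; CVE-2022-40897 is a regular-expression denial of service in setuptools' package_index.py, triggered by crafted HTML from a package index) and the constructed requirement strings shown in the usage block; it does not query PyPI and does not read locust's own packaging metadata.

```python
"""Audit an environment and a requirement specifier against CVE-2022-40897.

Added example, not part of locust or of the issue above. Assumptions:
the first fixed setuptools release is 65.5.1 (as the issue states), and
the requirement strings in __main__ are constructed for illustration.
"""
import re
from importlib import metadata

FIXED_VERSION = (65, 5, 1)  # first release without the vulnerable regex (assumed from the issue)
_VERSION_RE = re.compile(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?")
_SPEC_RE = re.compile(r"^\s*setuptools\s*(.*)$", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, patch) from a version string.

    Missing components become 0; pre-release and local suffixes are ignored,
    which is a deliberate simplification of PEP 440 ordering.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def is_vulnerable(version_text):
    """True if this setuptools release predates the fix."""
    return parse_version(version_text) < FIXED_VERSION


def pin_excludes_vulnerable(requirement):
    """True if a setuptools requirement line can never resolve to an affected release.

    Only lower bounds raise the floor: '>=65.5.1', '>65.5.0', '~=65.5.1' and
    '==<fixed or later>' qualify. A bare 'setuptools' does not, even though a
    fresh install would usually pick the latest release anyway.
    """
    m = _SPEC_RE.match(requirement)
    if not m:
        raise ValueError(f"not a setuptools requirement: {requirement!r}")
    for spec in filter(None, (s.strip() for s in m.group(1).split(","))):
        op_m = re.match(r"(>=|==|~=|>)\s*(.+)", spec)
        if not op_m:
            continue  # upper bounds (<, <=, !=) do not raise the floor
        op, ver = op_m.groups()
        v = parse_version(ver)
        if op in (">=", "==", "~=") and v >= FIXED_VERSION:
            return True
        # Strictly greater than 65.5.0 (or later) cannot land on an affected stable release.
        if op == ">" and v >= (65, 5, 0):
            return True
    return False


def audit_installed():
    """Report the setuptools distribution visible to this interpreter."""
    try:
        installed = metadata.version("setuptools")
    except metadata.PackageNotFoundError:
        return {"installed": None, "vulnerable": False}
    return {"installed": installed, "vulnerable": is_vulnerable(installed)}


if __name__ == "__main__":
    print(audit_installed())
    # Constructed requirement lines, for illustration only.
    for req in ("setuptools", "setuptools>=65.5.1", "setuptools==65.5.0", "setuptools>65.5.0,<70"):
        print(f"{req:30} excludes_vulnerable={pin_excludes_vulnerable(req)}")
```

Run it inside the virtualenv or container that actually ships locust; a scanner that flags 65.5.0 is reporting whatever was resolved at build time, so the installed-version check is the one that settles the question for a given image. The specifier check reflects the distinction drawn in the thread: not capping the maximum version usually yields a fixed release, but only a raised minimum guarantees it.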