search

oracle / oci-python-sdk

Oracle Cloud Infrastructure SDK for Python
https://cloud.oracle.com/cloud-infrastructure
Other
386 stars 277 forks source link

There is a vulnerability in Sphinx:1.8.3,upgrade recommended #503

Open QiAnXinCodeSafe opened 1 year ago

QiAnXinCodeSafe commented 1 year ago

https://github.com/oracle/oci-python-sdk/blob/108e7c55196d7fd56da71ec62c40ee4cf5b0ddb7/requirements.txt#L14

CVE-2020-11022 CVE-2020-11023

Recommended upgrade version:1.8.6

Swarn10 commented 1 year ago

@QiAnXinCodeSafe Thank you for posting this issue. We are currently looking into it. We will post here once the fix is in place.

Swarn10 commented 1 year ago

We are not planning to upgrade sphinx at this moment and we also believe that this vulnerability is unlikely to affect our customers. This appears to be a dev only dependency, so doesn't affect end users. For developers of the SDK, it only comes in to play if they generate docs, which they likely should not need to do since we handle doc generation / publishing, and that the input to the SDK docs is trusted, as it comes from Oracle developers, and any change goes through code review by at least one other Oracle developer, before merging.