permitio / opal

Policy and data administration, distribution, and real-time updates on top of Policy Agents (OPA, Cedar, ...)
https://opal.ac
Apache License 2.0

bump gitpython because of CVE-2023-40267 #490

Closed philipclaesson closed 1 year ago

philipclaesson commented 1 year ago

GitPython has a vulnerability where it does not block insecure non-multi options in clone and clone_from. This popped up in our vulnerability scanner, so I thought I'd suggest bumping it.

https://avd.aquasec.com/nvd/2023/cve-2023-40267/

I have a hard time seeing it should pose a real security issue for OPAL users, but who knows. At the very least, it's nice to not get any critical vulnerability reports in vulnerability scanners.

The minor version bump suggests it should be an easy one. Complete changelog here: https://github.com/gitpython-developers/GitPython/compare/3.1.27...3.1.32


Note to reviewers

I am not sure exactly how to test this further than the automated tests. Let me know if you want further action from my side.

I did not get the tests running on my local machine - would need approval on the test run: https://github.com/permitio/opal/actions/runs/5956379336
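Added example, not code from the OPAL repository or from this PR: a small Python check that a requirements file pins GitPython at or above 3.1.32, the upper end of the changelog range linked above. The sample requirements content is constructed, and the check assumes plain dotted release versions and treats a missing or lower pin as unpatched.

```python
"""Gate a requirements pin for GitPython against the version that closes CVE-2023-40267."""
import re
from typing import Optional, Tuple

# Lower bound taken from the PR's changelog link (3.1.27...3.1.32): anything
# below 3.1.32 is treated as affected. Assumption: only dotted numeric
# release segments (e.g. 3.1.32) are handled here.
FIXED_GITPYTHON = (3, 1, 32)

# Constructed sample requirements file, not from the repository.
SAMPLE_REQUIREMENTS = """\
fastapi==0.101.0
gitpython==3.1.27
# gitpython==3.1.32
uvicorn>=0.23
"""

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=|~=)\s*([0-9][0-9.]*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.1.27' into (3, 1, 27) so tuples compare numerically."""
    return tuple(int(part) for part in text.strip(".").split("."))


def find_pin(requirements: str, name: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Return (operator, version) for the first non-comment pin of `name`."""
    for line in requirements.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = PIN_RE.match(line)
        if m and m.group(1).lower().replace("_", "-") == name.lower():
            return m.group(2), parse_version(m.group(3))
    return None


def gitpython_is_patched(requirements: str) -> bool:
    """True only if GitPython is pinned at or above the fixed version.

    An '==' pin is judged by its exact version; '>=' or '~=' is accepted only
    when the floor itself is already at or above the fix. A missing pin
    counts as unpatched because the resolved version is then unknown.
    """
    pin = find_pin(requirements, "gitpython")
    if pin is None:
        return False
    _op, version = pin
    return version >= FIXED_GITPYTHON


if __name__ == "__main__":
    print("patched" if gitpython_is_patched(SAMPLE_REQUIREMENTS) else "needs bump")
```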

netlify[bot] commented 1 year ago

Deploy Preview for opal-docs canceled.

Latest commit: aca303aadb760681308bc08497d10a0691bd49f3
Latest deploy log: https://app.netlify.com/sites/opal-docs/deploys/64e67291df922b00082c4c80

orweis commented 1 year ago

Thanks @philipclaesson! :) @asafc / @roekatz what do you think?