pypa / gh-action-pip-audit

A GitHub Action for pip-audit
https://github.com/marketplace/actions/gh-action-pip-audit
Apache License 2.0

Requests<2.30.0 has a security issue #41

Closed Alexerson closed 1 year ago

Alexerson commented 1 year ago

Current behavior

The current action depends on requests<2.30, but this causes the following:

❯ pip-audit
| Collecting inputs
Found 1 known vulnerability in 1 package
Name     Version ID                  Fix Versions
-------- ------- ------------------- ------------
requests 2.29.0  GHSA-j8r2-6x86-q33q 2.31.0

My project depends on requests 2.31.0; this issue is with the pinned version in this codebase.

I believe the reason why we were holding on the requests 2.30.0 issue is now fixed, so we should relax this condition.

Expected behavior

I expected the action to not fail on its own.

Steps to reproduce

  1. Add pip-audit to an empty project
  2. Run it.

Relevant context

Nothing else needed.
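The failure described above comes from a constraint (`requests<2.30.0`) that excludes every fix version pip-audit reports, so the audit can never pass. The following is an added example, not code from pip-audit or this action, that checks whether a dependency constraint still admits at least one fixed release; it assumes simplified dotted numeric versions rather than full PEP 440 handling.

```python
# Added example (not the pip-audit action's own code): check whether a
# dependency constraint can still be satisfied by any of a vulnerability's
# fix versions. If it cannot, every audit run will keep flagging the package,
# which is what the requests<2.30.0 pin in this issue caused.
import re

# Simplified version handling (assumption): dotted numeric releases only,
# no pre-release, local or epoch segments of PEP 440.
def parse_version(v: str) -> tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))

def _pad(a: tuple[int, ...], b: tuple[int, ...]):
    """Right-pad with zeros so 2.30 and 2.30.0 compare as equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))

_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
}

def satisfies(version: str, spec: str) -> bool:
    """True if `version` matches every clause of a spec like '>=2.20,<2.30.0'."""
    v = parse_version(version)
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        m = re.fullmatch(r"(==|!=|<=|>=|<|>)\s*([\d.]+)", clause)
        if not m:
            raise ValueError(f"unsupported specifier: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        a, b = _pad(v, bound)
        if not _OPS[op](a, b):
            return False
    return True

def constraint_admits_fix(spec: str, fix_versions: list[str]) -> bool:
    """Does the constraint leave room for at least one fixed release?"""
    return any(satisfies(fix, spec) for fix in fix_versions)

# Constructed inputs mirroring the issue: the old pin and the fix version
# pip-audit reported for GHSA-j8r2-6x86-q33q.
FIX_VERSIONS = ["2.31.0"]
PINNED = "<2.30.0"       # the action's old constraint: excludes every fix
RELAXED = ">=2.31.0"     # a constraint that admits the fixed release

if __name__ == "__main__":
    for spec in (PINNED, RELAXED):
        ok = constraint_admits_fix(spec, FIX_VERSIONS)
        print(f"requests{spec}: {'ok' if ok else 'excludes all fix versions'}")
```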

woodruffw commented 1 year ago

Thanks for filing this!

I believe the reason why we were holding on the requests 2.30.0 issue is now fixed, so we should relax this condition.

Correct, although we need to bump the constraint on pip-audit to reflect that. I've left details on that in the PR you've opened.

woodruffw commented 1 year ago

Resolved with 1.0.8. Thanks again, @Alexerson!