pyupio / safety

Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected.
https://safetycli.com/product/safety-cli
MIT License
1.66k stars, 141 forks

pipenv check safety fails with an unfixable error for plotly dash #349

Closed SmokinCaterpillar closed 2 years ago

SmokinCaterpillar commented 2 years ago

We use the newest dash library 1.21.0. However, if we run pipenv check --system it fails with the following error:

40962: dash <2.2.0 resolved (1.21.0 installed)!
Dash 2.2.0 includes a security fix.

The problem is that there is no PyPI package of Dash with version 2.2.0; 1.21.0 is the newest version. How do we fix this? Thanks!

rhunwicks commented 2 years ago

Is the issue that the security fix required is in Plotly.js 2.2.0 or 2.2.1, which is bundled in Dash 1.21.0 - see https://github.com/plotly/dash/blob/dev/CHANGELOG.md#1210---2021-07-09?

SmokinCaterpillar commented 2 years ago

Ah okay, thanks, but then the error message "Dash 2.2.0 includes a security fix." is quite misleading.

yeisonvargasf commented 2 years ago

Hi, thanks for the comment about the misleading description of the vulnerability; @rhunwicks is right.

That vulnerability was updated in our database, so I will close this issue.
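The root cause in this thread is an advisory whose version specifier (`<2.2.0`) was written against plotly.js versions rather than Dash's own release numbers, so every published Dash release matched it and the suggested remediation pointed at a version that does not exist on PyPI. The following is an added example, not code from safety or pipenv, that re-implements the matching step in simplified form and adds the sanity check a practitioner would want: when no known release of the package falls outside the affected range, report the finding as unsatisfiable rather than as an actionable upgrade. Everything in it is constructed: the advisory record only mirrors the text quoted above, the release list is a hand-written subset standing in for PyPI, the version comparison is a dotted-integer subset of PEP 440 (no pre-release or local segments), and the corrected specifier `<1.21.0` is an assumption drawn from @rhunwicks's comment, not the entry safety actually shipped.

```python
from typing import Dict, List, Tuple

# Constructed data mirroring the report above (not safety's real database).
ADVISORIES = [
    {"id": "40962", "package": "dash", "specs": ["<2.2.0"],
     "advisory": "Dash 2.2.0 includes a security fix."},
]
# Assumed corrected entry: Dash 1.21.0 bundles the fixed plotly.js, so the
# affected Dash range would be everything before 1.21.0.
CORRECTED_ADVISORIES = [
    {"id": "40962", "package": "dash", "specs": ["<1.21.0"],
     "advisory": "Dash 1.21.0 bundles a plotly.js security fix."},
]
# Hand-written subset of dash releases, standing in for the PyPI release list.
KNOWN_RELEASES: Dict[str, List[str]] = {"dash": ["1.19.0", "1.20.0", "1.21.0"]}
INSTALLED = {"dash": "1.21.0"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Simplified parser: dotted integers only (no pre-release/local parts)."""
    return tuple(int(p) for p in v.strip().split("."))


def _cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    # Pad the shorter tuple with zeros so that 1.21 == 1.21.0.
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


_OPS = {"<=": lambda c: c <= 0, ">=": lambda c: c >= 0, "==": lambda c: c == 0,
        "!=": lambda c: c != 0, "<": lambda c: c < 0, ">": lambda c: c > 0}


def matches(spec: str, version: str) -> bool:
    """True if `version` satisfies every comma-separated clause of `spec`."""
    ver = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        for op in ("<=", ">=", "==", "!=", "<", ">"):  # two-char operators first
            if clause.startswith(op):
                if not _OPS[op](_cmp(ver, parse_version(clause[len(op):]))):
                    return False
                break
        else:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
    return True


def check(installed: Dict[str, str], advisories: List[dict]) -> List[dict]:
    """The core `safety check` step: flag installed versions inside an affected range."""
    findings = []
    for adv in advisories:
        ver = installed.get(adv["package"])
        if ver is not None and any(matches(s, ver) for s in adv["specs"]):
            findings.append({"id": adv["id"], "package": adv["package"],
                             "installed": ver, "specs": adv["specs"]})
    return findings


def fixed_versions(specs: List[str], installed: str, releases: List[str]) -> List[str]:
    """Known releases newer than `installed` that are outside every affected range."""
    inst = parse_version(installed)
    targets = [r for r in releases
               if _cmp(parse_version(r), inst) > 0
               and not any(matches(s, r) for s in specs)]
    return sorted(targets, key=parse_version)


def triage(findings: List[dict], known_releases: Dict[str, List[str]]) -> List[dict]:
    """Attach an upgrade target, or mark the finding unsatisfiable when none exists.

    An unsatisfiable finding means the advisory's range covers every known
    release: either the package is genuinely unfixed, or (as in this issue)
    the specifier was written against the wrong version scheme and the
    advisory itself needs review."""
    out = []
    for f in findings:
        targets = fixed_versions(f["specs"], f["installed"],
                                 known_releases.get(f["package"], []))
        out.append({**f, "fix": targets[0] if targets else None,
                    "unsatisfiable": not targets})
    return out


if __name__ == "__main__":
    for f in triage(check(INSTALLED, ADVISORIES), KNOWN_RELEASES):
        status = "no fixed release exists, verify advisory" if f["unsatisfiable"] else f"upgrade to {f['fix']}"
        print(f"{f['id']}: {f['package']} {f['specs']} ({f['installed']} installed): {status}")
```

Run against the original specifier, the checker still reports advisory 40962 for dash 1.21.0, but `triage` marks it unsatisfiable because no Dash release escapes `<2.2.0`; with the assumed corrected specifier `<1.21.0`, an installed 1.20.0 gets 1.21.0 as its upgrade target and 1.21.0 itself is no longer flagged.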