Closed adriantorrie closed 2 years ago
Running safety checks in CI provides a false "affected" for http-gssapi of <0.6. There is no such release for that package. It looks like they have changed their SEMVER convention in January 2021, and restarted at 0.1, which is lower than the "affected".
```
+==============================================================================+
| REPORT                                                                       |
| checked 73 packages, using free DB (updated once a month)                    |
+============================+===========+==========================+==========+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| httpx-gssapi               | 0.1.2.pos | <0.6                     | 39509    |
+==============================================================================+
| Httpx-gssapi 0.6 includes a security patch for CVE-2014-8650.                |
+==============================================================================+
```
Screenshot of httpx-gssapi tags from here
Hi @adriantorrie, thanks for reporting this, I confirm this was solved.
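A triage check for this kind of hit, added here as an example (it is not Safety's code or part of the original issue): when a `<X` spec matches the installed version, it verifies that some published release actually reaches `X` before treating the finding as confirmed. The function names and the release lists are constructed for illustration, and the version parsing is a simplification of PEP 440 that only reads the leading numeric segment.

```python
import re
from itertools import zip_longest


def release_tuple(version):
    """Leading numeric part of a version: '0.1.2.pos' -> (0, 1, 2). Not full PEP 440."""
    match = re.match(r"\d+(?:\.\d+)*", version)
    if match is None:
        raise ValueError(f"no numeric release in {version!r}")
    return tuple(int(part) for part in match.group().split("."))


def compare(a, b):
    """Return -1, 0 or 1, padding the shorter tuple with zeros so 0.6 == 0.6.0."""
    for x, y in zip_longest(a, b, fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0


def triage(installed, affected_spec, published):
    """Classify a scanner hit whose spec has the form '<X' (the form in the report above)."""
    if not affected_spec.startswith("<") or affected_spec.startswith("<="):
        raise ValueError("only '<X' specs are handled in this sketch")
    bound = release_tuple(affected_spec[1:])
    if compare(release_tuple(installed), bound) >= 0:
        return "not affected"
    # The spec matches. A fixed release at or above the bound should exist on the index.
    if any(compare(release_tuple(v), bound) >= 0 for v in published):
        return "affected"
    return "needs review: no published release reaches the fixed version"


if __name__ == "__main__":
    # Installed version and spec as printed in the report; release list is constructed.
    print(triage("0.1.2.pos", "<0.6", ["0.1", "0.1.2"]))
    # Constructed contrast case: a package that did publish the fixed version.
    print(triage("0.5", "<0.6", ["0.5", "0.6"]))
```

A "needs review" result is a prompt to check the advisory against the package's release history, not proof that the installed version is safe.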