readthedocs / commonmark.py

DEPRECATED: Python CommonMark parser

Pyup Safety check is flagging security vulnerabilities within commonmark 0.9.1 #260

Closed MartinFalatic closed 4 years ago

MartinFalatic commented 4 years ago

Pyup Safety (https://pyup.io/safety/) is flagging the following security vulnerabilities in commonmark (which blocks builds for those like us who use Safety as a build gate). The report appears to be referring to the spec version underlying commonmark itself.

safety report
checked  packages, using pyup.io's DB
---
-> commonmark, installed 0.9.1, affected <0.29.0, id 37115
Commonmark 0.29.0 requires cached-path-relative >= 1.0.2. This fixes a security vulnerability, but it's only in the dev dependencies.
--
-> commonmark, installed 0.9.1, affected <0.25.1, id 34313
Commonmark 0.25.1 fixes a dingus vulnerability.  Use an iframe and innerHTML to prevent `<script>` tags from executing. Dingus:  let preview show when query has `text=`.  Previously, these URLs opened the HTML pane first, but now that we have XSS protection (the iframe), it should be okay to open the preview pane first. * Dingus: don't print sourcepos attributes in HTML/AST view.
--
MartinFalatic commented 4 years ago

FYI, I've created a ticket with Safety as well (https://github.com/pyupio/safety-db/issues/2292) because it's not clear whether this is an issue with the Python version of commonmark or if it's being flagged incorrectly for an issue in the JavaScript package of the same name.

Does commonmark end up using that JavaScript package directly or indirectly?

MartinFalatic commented 4 years ago

Update: looks like this was a Safety DB problem and the issue is no longer being flagged.

If the issue reoccurs I will re-open this issue.
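The thread above turned on a name collision: the advisory's "affected" ranges (`<0.29.0`, `<0.25.1`) describe commonmark.js, while the Python package on PyPI never went past 0.9.1, so a plain version comparison flags it. The script below is an added example (not part of this issue or of commonmark.py) of how a defender can triage a Safety-style text report: it parses the `-> name, installed X, affected SPEC, id N` lines, evaluates the version range with a small dotted-integer comparator (a stand-in for `packaging.version`, which is not assumed to be installed), and marks a finding as suspect when the advisory's fixed version is higher than any release of the package the triager knows of. The `PYPI_LATEST` table, the `examplepkg` line and its id 99999 are constructed for the example.

```python
"""Triage a pyup Safety text report, flagging advisories that look like
they belong to a different ecosystem's package of the same name.

Added example; report line format taken from the issue text:
    -> <package>, installed <ver>, affected <spec>, id <n>
"""
import re
from dataclasses import dataclass

# Constructed sample: the two lines quoted in the issue plus one made-up finding.
SAMPLE_REPORT = """\
safety report
checked  packages, using pyup.io's DB
---
-> commonmark, installed 0.9.1, affected <0.29.0, id 37115
Commonmark 0.29.0 requires cached-path-relative >= 1.0.2.
--
-> commonmark, installed 0.9.1, affected <0.25.1, id 34313
Commonmark 0.25.1 fixes a dingus vulnerability.
--
-> examplepkg, installed 1.4.0, affected >=1.0,<1.3.0, id 99999
Constructed advisory whose range the installed version does not match.
--
"""

# Hypothetical: highest PyPI release of each package, as the triager knows it.
PYPI_LATEST = {"commonmark": "0.9.1", "examplepkg": "1.4.0"}

FINDING_RE = re.compile(
    r"^->\s*(?P<name>[A-Za-z0-9_.\-]+),\s*installed\s+(?P<installed>[0-9.]+),"
    r"\s*affected\s+(?P<spec>.+?),\s*id\s+(?P<id>\d+)\s*$"
)
CLAUSE_RE = re.compile(r"^(?P<op><=|>=|==|!=|<|>)\s*(?P<ver>[0-9.]+)$")


@dataclass
class Finding:
    name: str
    installed: str
    spec: str
    advisory_id: int


def parse_version(text):
    """'1.0' -> (1, 0); purely numeric dotted versions only."""
    return tuple(int(p) for p in text.strip().split("."))


def vcmp(a, b):
    """Compare two version tuples after zero-padding, so 1.0 == 1.0.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def clause_holds(installed, clause):
    """Does `installed` satisfy one clause such as '<0.29.0' or '>=1.0'?"""
    m = CLAUSE_RE.match(clause.strip())
    if not m:
        raise ValueError(f"unsupported clause: {clause!r}")
    c = vcmp(parse_version(installed), parse_version(m["ver"]))
    return {"<": c < 0, "<=": c <= 0, ">": c > 0,
            ">=": c >= 0, "==": c == 0, "!=": c != 0}[m["op"]]


def parse_report(text):
    """Extract the '->' finding lines; descriptive lines are ignored."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line)
        if m:
            findings.append(Finding(m["name"], m["installed"], m["spec"], int(m["id"])))
    return findings


def triage(finding, latest_known):
    """Return 'not affected', 'affected', or 'suspect: ...' for one finding."""
    clauses = [c.strip() for c in finding.spec.split(",")]
    if not all(clause_holds(finding.installed, c) for c in clauses):
        return "not affected"
    latest = latest_known.get(finding.name)
    if latest:
        # Upper bounds of the affected range are the advisory's fixed versions.
        upper = [CLAUSE_RE.match(c)["ver"] for c in clauses
                 if CLAUSE_RE.match(c)["op"] in ("<", "<=")]
        if any(vcmp(parse_version(v), parse_version(latest)) > 0 for v in upper):
            return ("suspect: fixed version exceeds any known release; "
                    "check the advisory's ecosystem")
    return "affected"


if __name__ == "__main__":
    for f in parse_report(SAMPLE_REPORT):
        print(f.advisory_id, f.name, f.installed, f.spec, "->", triage(f, PYPI_LATEST))
```

Both of the issue's findings come out as suspect because their fixed versions (0.29.0 and 0.25.1) are above the highest Python release the triager knows (0.9.1), which is exactly the signal that sent the reporter to check the advisory database rather than the package. The heuristic is a prompt for a human look, not proof of a false positive; a package that is simply very out of date would also trip it.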