Closed JoseAmaral436 closed 3 weeks ago
False positive for several reasons:

- `requests` `2.31.0` was the latest release for a full year (and couldn't be exploited).
- `requests.Session(verify=False)`, which isn't used.
- All current versions of `requests` after `2.31.0` are currently in worse shape (`2.32.3` is the current latest):
  - `2.32.0`: Yanked: Conflicts with CVE-2024-35195 mitigation: https://pypi.org/project/requests/#history
  - `2.32.1`: Yanked: Conflicts with CVE-2024-35195 mitigation: https://pypi.org/project/requests/#history
  - `2.32.2`: https://github.com/psf/requests/issues/6715
  - `2.32.3`: https://github.com/psf/requests/issues/6726

Hoping for a newer version of `requests` soon that fixes that. Currently `2.31.0` is the best version to have.
Your vulnerability scanning tool (Snyk) has a major vulnerability in that it can recommend upgrading to a newer release of a Python library that is in worse shape than an earlier version. I recommend remediation. GitHub's own security tools are currently quite good for that: https://docs.github.com/en/code-security
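The maintainer's triage argument above is that the Snyk alert is only reachable if the code base disables TLS verification (`verify=False`) when using `requests`. The following added example, which is not part of this thread or of SeleniumBase, is a small AST-based check a reviewer could run over a project's sources to confirm that claim; the sample source it scans is constructed for the demonstration, and the scanner is a heuristic that looks for the keyword form `verify=False` and the attribute form `.verify = False`.

```python
import ast
from typing import List, Tuple

# Constructed sample source (not real project code): one session that sets
# .verify = False, one per-call verify=False, and one call that keeps defaults.
SAMPLE_SOURCE = '''
import requests

def fetch_unverified(url):
    s = requests.Session()
    s.verify = False
    return s.get(url)

def fetch_once(url):
    return requests.get(url, verify=False)

def fetch_safe(url):
    with requests.Session() as s:
        return s.get(url, timeout=10)
'''


def find_verify_false(source: str) -> List[Tuple[int, str]]:
    """Return (line number, description) for each place TLS verification is disabled.

    An empty list means the verify=False precondition from the CVE-2024-35195
    advisory does not appear in this source, which is the triage point made above.
    """
    findings: List[Tuple[int, str]] = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        # Keyword form: requests.get(url, verify=False), session.post(..., verify=False)
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                if (kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is False):
                    findings.append((node.lineno, "call with verify=False"))
        # Attribute form: session.verify = False
        elif isinstance(node, ast.Assign):
            if isinstance(node.value, ast.Constant) and node.value.value is False:
                for target in node.targets:
                    if isinstance(target, ast.Attribute) and target.attr == "verify":
                        findings.append((node.lineno, "assignment .verify = False"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, what in find_verify_false(SAMPLE_SOURCE):
        print(f"line {lineno}: {what}")
```

Running it over a real tree would mean calling `find_verify_false` on each `.py` file's contents; a project with no findings can document the alert as not applicable while still pinning to a non-yanked release.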
Hello team,
Snyk has reported a vulnerability with requests==2.31.0 that is fixed in requests>=2.32
![image](https://github.com/seleniumbase/SeleniumBase/assets/11180689/661a5053-1a9a-4118-ba13-bc28d75fb2f6)
Is it possible to upgrade this requirement?
Thanks in advance, José Amaral