Closed joshua-pgatour closed 8 months ago
cryptography==36.0.2 has CVE-2023-49083, CVE-2023-38325, and CVE-2023-23931 vulnerabilities reported.
Hi, and thank you for raising this! It looks like this is coming not from snowflake-sqlalchemy
but from one of its dependencies, the Snowflake Python Connector.
We haven't used cryptography v36 since Snowflake Python Connector v2.8.1, and the most current version of the Python Connector depends on the latest v42 of cryptography:
```
# pip install snowflake-sqlalchemy pipdeptree
...gets installed
# pipdeptree -r -p cryptography
cryptography==42.0.5
├── pyOpenSSL==24.1.0 [requires: cryptography>=41.0.5,<43]
│   └── snowflake-connector-python==3.7.1 [requires: pyOpenSSL>=16.2.0,<25.0.0]
│       └── snowflake-sqlalchemy==1.5.1 [requires: snowflake-connector-python<4.0.0]
└── snowflake-connector-python==3.7.1 [requires: cryptography>=3.1.0,<43.0.0]
    └── snowflake-sqlalchemy==1.5.1 [requires: snowflake-connector-python<4.0.0]
```
This should be resolved once you upgrade your snowflake-connector-python
dependency to a later one.
Closing this issue, but if you need further help, do comment and we can reopen if necessary.
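As an added example, not part of this thread or of either project's code, here is a small Python check that applies the `[requires: ...]` constraints from the pipdeptree output above to a pinned cryptography version and reports which of the three CVEs named in the issue the pin still carries. The fix versions come from the upstream cryptography advisories, not from this thread, and the pins checked are the ones quoted in the issue:

```python
import re

# Constraints copied from the pipdeptree output in the comment above.
CONSTRAINTS = {
    "pyOpenSSL==24.1.0": "cryptography>=41.0.5,<43",
    "snowflake-connector-python==3.7.1": "cryptography>=3.1.0,<43.0.0",
}
# First cryptography release fixing each CVE named in the issue (from the upstream advisories).
FIXED_IN = {
    "CVE-2023-23931": "39.0.1",
    "CVE-2023-38325": "41.0.2",
    "CVE-2023-49083": "41.0.6",
}
OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}

def vtuple(version):
    """Turn '42.0.5' or '43' into a 3-part tuple so '<43' compares correctly against 43.0.0."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def satisfies(version, spec):
    """Check a version against a requirement string such as 'cryptography>=41.0.5,<43'."""
    _name, clauses = re.match(r"^([A-Za-z0-9_.\-]+)(.*)$", spec).groups()
    for clause in filter(None, clauses.split(",")):
        op, bound = re.match(r"^(>=|<=|==|!=|>|<)\s*(.+)$", clause.strip()).groups()
        if not OPS[op](vtuple(version), vtuple(bound)):
            return False
    return True

def audit(pinned):
    """Report which dependants accept the pin and which of the issue's CVEs it still carries."""
    return {
        "accepted_by": {dep: satisfies(pinned, spec) for dep, spec in CONSTRAINTS.items()},
        "unfixed_cves": sorted(cve for cve, fix in FIXED_IN.items()
                               if vtuple(pinned) < vtuple(fix)),
    }

if __name__ == "__main__":
    for pin in ("36.0.2", "42.0.5"):   # the pin from the issue and the resolved version
        print(pin, audit(pin))
```

The output shows that 36.0.2 is rejected by pyOpenSSL 24.1.0 (not by the connector's own range) and still carries all three CVEs, while 42.0.5 is accepted by both and carries none.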
The cryptography library requirement of cryptography==36.0.2 is very outdated and causes issues when installed with other modern applications. The current version of cryptography is 42.0.5. This is also a security issue.