sonatype-nexus-community / jake

Check your Python environments for vulnerable Open Source packages with OSS Index or Sonatype Nexus Lifecycle.
https://jake.readthedocs.io/
Apache License 2.0
111 stars, 24 forks

[FEATURE] update rich dependency #127

Open bollwyvl opened 1 year ago

bollwyvl commented 1 year ago

Use jake without installing packages with known (even if disputed) CVEs such as CVE-2022-40899

e.g. running jake on its own environment

Consider updating the rich pin to ^13.2.0, which replaces commonmark (and therefore future) with markdown-it-py, rather than having multiple potential markdown parser engines for a given jake release.

cc @bhamail / @DarthHater
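One way to make the chain behind that finding visible, as an added example that is not part of the issue or of jake's own code: the script below walks a `{distribution: [requirements]}` snapshot backwards from a flagged package (here `future`, the package CVE-2022-40899 is filed against) to the top-level distributions that pull it in, and then re-runs the same walk on a copy in which `rich` requires `markdown-it-py` instead of `commonmark`. The snapshot, the version-free requirement lists, the `markdown-it-py`/`mdurl` entries and all function names are assumptions constructed for the example; `live_snapshot()` builds the same structure from whatever interpreter it runs in, using only the standard library.

```python
"""Trace why a flagged distribution is present in a Python environment.

Added example (not jake's code). A snapshot maps each installed
distribution to the distribution names it requires; dependency_chains()
inverts that map and follows it upward from a flagged package to every
top-level distribution that (transitively) requires it.
"""
import re
from importlib import metadata
from typing import Dict, List, Optional

# Constructed snapshot mirroring the chain described in the issue
# (jake -> rich -> commonmark -> future). twine is added as a second
# consumer of rich. Requirement lists are illustrative, not real metadata.
CONSTRUCTED_SNAPSHOT: Dict[str, List[str]] = {
    "jake": ["rich", "requests"],
    "rich": ["commonmark", "pygments"],
    "commonmark": ["future"],
    "future": [],
    "pygments": [],
    "requests": [],
    "twine": ["rich"],
}

_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalisation so 'Markdown_It.py' and 'markdown-it-py' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(req: str) -> Optional[str]:
    """Distribution name from a requirement string such as
    'commonmark (>=0.9.0,<0.10.0)' or 'future>=0.18; extra == "x"'."""
    m = _NAME_RE.match(req)
    return normalize(m.group(1)) if m else None


def live_snapshot() -> Dict[str, List[str]]:
    """Same structure as CONSTRUCTED_SNAPSHOT, read from the running interpreter."""
    snap: Dict[str, List[str]] = {}
    for dist in metadata.distributions():
        name = normalize(dist.metadata["Name"])
        names = (requirement_name(r) for r in (dist.requires or []))
        snap[name] = [n for n in names if n]
    return snap


def reverse_edges(snapshot: Dict[str, List[str]]) -> Dict[str, set]:
    """Map each distribution to the set of distributions that require it."""
    rev: Dict[str, set] = {normalize(k): set() for k in snapshot}
    for pkg, reqs in snapshot.items():
        for r in reqs:
            rev.setdefault(normalize(r), set()).add(normalize(pkg))
    return rev


def dependency_chains(snapshot: Dict[str, List[str]], flagged: str) -> List[List[str]]:
    """Every path from a top-level distribution down to `flagged`,
    e.g. ['jake', 'rich', 'commonmark', 'future']. Empty if not installed."""
    rev = reverse_edges(snapshot)
    flagged = normalize(flagged)
    chains: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        parents = rev.get(node, set())
        if not parents:                      # nothing requires it: a root
            chains.append(list(reversed(path)))
            return
        for parent in sorted(parents):
            if parent in path:               # guard against cyclic metadata
                continue
            walk(parent, path + [parent])

    if flagged in rev:
        walk(flagged, [flagged])
    return chains


def simulate_rich_upgrade(snapshot: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Copy of the snapshot after the change proposed in the issue: rich pulls
    in markdown-it-py rather than commonmark. The old packages stay installed
    (as pip would leave them) but nothing requires them any more."""
    snap = {k: list(v) for k, v in snapshot.items()}
    snap["rich"] = ["markdown-it-py", "pygments"]
    snap["markdown-it-py"] = ["mdurl"]   # assumed requirement, for illustration
    snap["mdurl"] = []
    return snap


if __name__ == "__main__":
    for chain in dependency_chains(CONSTRUCTED_SNAPSHOT, "future"):
        print(" -> ".join(chain))
    print("after upgrade:", dependency_chains(simulate_rich_upgrade(CONSTRUCTED_SNAPSHOT), "future"))
```

On the constructed snapshot the walk reports two roots, `jake` and `twine`, both reaching `future` through `rich` and `commonmark`; after the simulated pin change the only remaining chain is `commonmark -> future`, i.e. the two packages are orphans that still need to be uninstalled before a scan of the environment comes back clean.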

madpah commented 1 year ago

Great idea @bollwyvl - but this does depend on jake deprecating support for Python 3.6 (which I also support).

maarre commented 1 year ago

This old version of rich also limits twine to 3.x.x. twine is in version 4.0.2.

rxm7706 commented 10 months ago

Running into the same issue with an environment with airflow - the minimum version of rich required is `rich = ">=12.0,<14.0"`.