Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump idna to >= 3.7 #848

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Bump idna to >= 3.7 #848

wants to merge 1 commit into from

Conversation

dannf
Copy link

@dannf dannf commented Jan 14, 2025

Remove risk of installing 3.6 which is vulnerable to:
https://github.com/advisories/GHSA-jjg7-2v4v-x

@dannf
Bump idna to >= 3.7
5ef1d5b 
Remove risk of installing 3.6 which is vulnerable to:
  https://github.com/advisories/GHSA-jjg7-2v4v-x

Signed-off-by: dann frazier <[email protected]>
@github-actions GitHub Actions
Copy link

No linked issues found. Please add the corresponding issues in the pull request description.
Use GitHub automation to close the issue when a PR is merged

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

dannf added a commit to dannf/os that referenced this pull request Jan 14, 2025
@dannf
py3-cassandra-medusa: drop idna version override
ed0b587 
We bumped idna to 3.7 in commit aebb92a, for upstream
version 0.20.1 to "fix CVE". I'm guessing this was to fix:
  GHSA-jjg7-2v4v-x38h

Upstream pins idna at >= 3.6, but I've verified that we get
3.7 anyway. Avoid the upstream override so that we can
inherit dependency changes from upstream without manual
intervention.

I've asked upstream to bump their pin to 3.7 for the sake
of correctness:
  thelastpickle/cassandra-medusa#848

Signed-off-by: dann frazier <[email protected]>
dannf added a commit to dannf/os that referenced this pull request Jan 14, 2025
@dannf
py3-cassandra-medusa: drop idna version override
16385a0 
We bumped idna to 3.7 in commit aebb92a, for upstream
version 0.20.1 to "fix CVE". I'm guessing this was to fix:
  GHSA-jjg7-2v4v-x38h

Upstream pins idna at >= 3.6, but I've verified that we get
3.7 anyway. Avoid the upstream override so that we can
inherit dependency changes from upstream without manual
intervention.

I've asked upstream to bump their pin to 3.7 for the sake
of correctness:
  thelastpickle/cassandra-medusa#848

Signed-off-by: dann frazier <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@dannf