```
$ cat requirements.txt
safety
$ snyk test

Testing /Users/andrew...

Tested 13 dependencies for known issues, found 1 issue, 1 vulnerable path.

Issues to fix by upgrading dependencies:

  Pin idna@3.6 to idna@3.7 to fix
  ✗ Resource Exhaustion (new) [Medium Severity][https://security.snyk.io/vuln/SNYK-PYTHON-IDNA-6597975] in idna@3.6
    introduced by safety@2.3.5 > requests@2.31.0 > idna@3.6

Organization:      mcandre
Package manager:   pip
Target file:       requirements.txt
Project name:      andrew
Open source:       no
Project path:      /Users/andrew
Licenses:          enabled

Tip: Try `snyk fix` to address these issues.`snyk fix` is a new CLI command in that aims to automatically apply the recommended updates for supported ecosystems.
See documentation on how to enable this beta feature: https://docs.snyk.io/snyk-cli/fix-vulnerabilities-from-the-cli/automatic-remediation-with-snyk-fix#enabling-snyk-fix
```
By the way, the requests library may be overkill. It's just a wrapper. One way to resolve the vulnerability is to drop that dependency and use the standard library directly.
As a solution, you can pin idna, and yes, we will drop requests in a future minor release.
Safety makes the best effort to avoid pinning dependencies and prevent compatibility issues. Nevertheless, we will look to integrate suggested minimum constraints for dependencies or document them for users who want to enforce them.
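To make the maintainer's suggestion concrete (pin `idna` to the fixed version even though it is only a transitive dependency of `safety` via `requests`), here is an added example; it is not code from this issue or from the safety project. It rewrites a `requirements.txt` so that the named package carries at least the fixed version, and reports what it changed. The package name and minimum version come from the Snyk output above; the sample requirements text is constructed, and the version comparison is a simplified numeric-tuple compare (no PEP 440 pre-release or local-version handling), which is enough for plain `X.Y.Z` pins.

```python
"""Raise a transitive dependency to a minimum version in requirements.txt.

Added example, not part of the issue or the safety project. Assumes the
advisory shown in the issue: idna@3.6 is flagged, idna>=3.7 is the fix.
"""
import re

# Constructed sample: the requirements.txt from the issue, plus a comment.
SAMPLE_REQUIREMENTS = """\
# app dependencies
safety
"""

# name, optional operator, optional version; extras/markers are not handled
# and such lines pass through untouched.
REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9A-Za-z.]*)?\s*$"
)


def parse_version(v):
    """Turn '3.7' into (3, 7); non-numeric suffixes are ignored."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def parse_requirement(line):
    """Return (name, op, version) or None for blank, comment or unsupported lines."""
    code = line.split("#", 1)[0]  # drop inline comments
    m = REQ_RE.match(code)
    if not m or not code.strip():
        return None
    return m.group(1), m.group(2), m.group(3)


def pin_minimum(requirements_text, package, min_version):
    """Ensure `package` is at least `min_version` in the requirements text.

    Returns (new_text, findings). An unpinned or absent package gets
    `package>=min_version`; an `==` or `>=` pin below the minimum is raised
    to min_version with the same operator; anything else is left alone.
    """
    min_v = parse_version(min_version)
    out, findings, seen = [], [], False
    for raw in requirements_text.splitlines():
        parsed = parse_requirement(raw)
        if parsed is None or parsed[0].lower() != package.lower():
            out.append(raw)
            continue
        seen = True
        name, op, version = parsed
        if op in ("==", ">=") and version and parse_version(version) < min_v:
            findings.append(f"{name}{op}{version} is below {min_version}; raised")
            out.append(f"{name}{op}{min_version}")
        elif op is None:
            findings.append(f"{name} is unpinned; added >={min_version}")
            out.append(f"{name}>={min_version}")
        else:
            out.append(raw)
    if not seen:
        findings.append(
            f"{package} not listed (transitive only); added {package}>={min_version}"
        )
        out.append(f"{package}>={min_version}")
    return "\n".join(out) + "\n", findings


if __name__ == "__main__":
    new_text, notes = pin_minimum(SAMPLE_REQUIREMENTS, "idna", "3.7")
    for note in notes:
        print("-", note)
    print(new_text, end="")
```

Run against the issue's own `requirements.txt` (just `safety`) this appends `idna>=3.7`, so the resolver installs the fixed release below `requests` without touching `safety` itself; an explicit `idna==3.6` line would instead be rewritten to `idna==3.7`, matching the "Pin idna@3.6 to idna@3.7" remediation Snyk prints.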
The Snyk CLI (https://snyk.io/) reports vulnerabilities on the PyPI safety package.