Dependency with "vulnerable" version of py #2524
Labels
bug:normal
affects many people or has quite an impact
Comments
juanitosvq
changed the title
|
tox does not uses the part of the lib that has the vulnabirity so I think this is invalid for us. |
|
tox 4 does not uses py, 😊 and we have no plans to remove it from tox 3. tox 4 will be released eventually some time next year, hopefully. |
Right, but unfortunately tools like |
Closed
TeoZosa
added a commit
to TeoZosa/cookiecutter-cruft-poetry-tox-pre-commit-ci-cd
that referenced
this issue
Nov 21, 2022
Used by tox: ``` ❯ poetry show py name : py version : 1.11.0 description : library with cross-python path, ini-parsing, io, code, log facilities required by - tox >=1.4.17 ``` But tox does not use the affected part of the library - ref: tox-dev/tox#2524 (comment)
TeoZosa
added a commit
to TeoZosa/cookiecutter-cruft-poetry-tox-pre-commit-ci-cd
that referenced
this issue
Nov 21, 2022
Used by tox: ``` ❯ poetry show py name : py version : 1.11.0 description : library with cross-python path, ini-parsing, io, code, log facilities required by - tox >=1.4.17 ``` But tox does not use the affected part of the library - ref: tox-dev/tox#2524 (comment)
Cielquan
added a commit
to rstcheck/rstcheck-core
that referenced
this issue
Nov 29, 2022
the py lib which has the issue is used by tox 3 but tox does not use the part of the lib which is affected tox-dev/tox#2524 pytest was updated to 7.2 prior to remove py lib
Cielquan
added a commit
to rstcheck/rstcheck
that referenced
this issue
Nov 29, 2022
the py lib which has the issue is used by tox 3 but tox does not use the part of the lib which is affected tox-dev/tox#2524 pytest was updated to 7.2 prior to remove py lib
Cielquan
added a commit
to Cielquan/verbum
that referenced
this issue
Nov 29, 2022
the py lib which has the issue is used by tox 3 but tox does not use the part of the lib which is affected tox-dev/tox#2524 pytest was updated to 7.2 prior to remove py lib
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi all,
I couldn't find this reported yet (apologies if it's duplicate), but tox has a dependency with
py, which is currently flagged as a vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2022-42969 and therefore reported by tools likesafetyandpip-audit.There is a lot of chatter in here about whether this should be considered a vulnerability in the first place and whether the vulnerability should be taken down. It doesn't sound like the
pymaintainers are going to fix the affected code, instead they removed the dependency frompytestaltogether by vendoring the code they still needed.Is this something that could be done in
toxas well?Thanks in advance!
The text was updated successfully, but these errors were encountered: