Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dependency on py #2531

Closed
matthewdeanmartin opened this issue Nov 7, 2022 · 1 comment
Closed

dependency on py #2531

matthewdeanmartin opened this issue Nov 7, 2022 · 1 comment
Labels
bug:normal affects many people or has quite an impact

Comments

@matthewdeanmartin
Copy link

tox has a direct dependency on py which is somewhat unmaintained and has had a dodgy CVE filed against it.

output of pipenv graph (but really, the py dep is visible in setup.cfg, too.

tox==3.27.0
  - colorama [required: >=0.4.1, installed: 0.4.6]
...
  - py [required: >=1.4.17, installed: 1.11.0]
  - six [required: >=1.14.0, installed: 1.16.0]

Pytest also had a dependency on py and decided to vendorize the parts they needed. There is a whole video about the issue. https://www.youtube.com/watch?v=aZS3_-y6vsg

The work around is to tell everyone to convince the corporate security team to ignore this CVE, which I guess works but scales poorly.
@matthewdeanmartin matthewdeanmartin added the bug:normal affects many people or has quite an impact label Nov 7, 2022
@jugmac00
Copy link
Member

jugmac00 commented Nov 7, 2022

Duplicate of #2524.

Btw the linked video was created by a maintainer of tox :-)

@jugmac00 jugmac00 closed this as completed Nov 7, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug:normal affects many people or has quite an impact
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@matthewdeanmartin @jugmac00