This repository has been archived by the owner on Jul 3, 2024. It is now read-only.
Thoughts on SQLAlchemy security vulnerability issue reported by dependabot #124
Comments
|
@adborden could you take a look at this issue and let me know your thoughts please? |
|
@anuveyatsu thanks, it's okay to make exceptions, we just need to document them. For inventory-app, we've already made an exception in snyk. So we can re-use that exception and document it in this repository. |
|
I've dismissed the alert in GH as the same exception applies.
|
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
ckanext-dcat-usmetadataextension does not have any additional python dependencies to work. We only have 2 dependencies for packaging and publishing the extension to PyPI which are listed in here:https://github.com/GSA/ckanext-dcat_usmetadata/blob/master/dev-requirements.txt
The
requirements.txtandrequirements-freeze.txtfiles list dependencies for CKAN app (inventory app). This is how the repository was set initially for running integration tests in the CI. For details, please see theDockerfile:https://github.com/GSA/ckanext-dcat_usmetadata/blob/master/Dockerfile (you can notice that
requirments.txtis only used to create inventory app like environment and then installckanext-dcat-usmetadataextension for tests).To summarize, the alert is not related to the extension but to Inventory App and CKAN version that is used there. I can see 2 options:
SQLAlchemydependency mention (+ any other irrelevant dependencies). I believe this the right way to go.About the alert
The depandabot alert suggests:
In inventory app, the same version of the SQLAlchemy is used (0.9.6):
The text was updated successfully, but these errors were encountered: