Summary
Using a version of sqlparse that has a security vulnerability and no way to update in current version of dbt core. Snyk recommends using sqlparse==0.5 but this causes a conflict with dbt. Snyk states the issues is a recursion error: SNYK-PYTHON-SQLPARSE-6615674.
Details
Dependency conflict error message:
The conflict is caused by:
The user requested sqlparse==0.5
dbt-core 1.7.10 depends on sqlparse<0.5 and >=0.2.3Resolution was to pin sqlparse >=0.5.0, <0.6.0 in dbt-core, patched in 1.6.13 and 1.7.13.
PoC
From Snyk:
import sqlparse
sqlparse.parse('[' * 10000 + ']' * 10000)Impact
Snyk classifies it as high 7.5/10.
Patches
The bug has been fixed in dbt-core v1.6.13 and dbt-core v1.7.13.
Mitigations
Bump dbt-core 1.6 and 1.7 dependencies to 1.6.13 and 1.7.13 respectively
References
DanMawdsleyBA Reporter
Summary
Using a version of
sqlparsethat has a security vulnerability and no way to update in current version of dbt core. Snyk recommends usingsqlparse==0.5but this causes a conflict with dbt. Snyk states the issues is a recursion error:SNYK-PYTHON-SQLPARSE-6615674.Details
Dependency conflict error message:
The conflict is caused by: The user requested sqlparse==0.5 dbt-core 1.7.10 depends on sqlparse<0.5 and >=0.2.3Resolution was to pin
sqlparse >=0.5.0, <0.6.0indbt-core, patched in 1.6.13 and 1.7.13.PoC
From Snyk:
Impact
Snyk classifies it as high 7.5/10.
Patches
The bug has been fixed in dbt-core v1.6.13 and dbt-core v1.7.13.
Mitigations
Bump
dbt-core1.6 and 1.7 dependencies to 1.6.13 and 1.7.13 respectivelyReferences