Ignore pylint CVE, fix pyjwt CVE
```

  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 57 packages, using free DB (updated once a month)                    |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | pyjwt                      | 2.3.0     | >=1.5.0,<2.4.0           | 48542    |
  +==============================================================================+
  | PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple        |
  | different JWT signing algorithms. With JWT, an attacker submitting the JWT   |
  | token can choose the used signing algorithm. The PyJWT library requires that |
  | the application chooses what algorithms are supported. The application can   |
  | specify 'jwt.algorithms.get_default_algorithms()' to get support for all     |
  | algorithms, or specify a single algorithm. The issue is not that big as      |
  | 'algorithms=jwt.algorithms.get_default_algorithms()' has to be used. Users   |
  | should upgrade to v2.4.0 to receive a patch for this issue. As a workaround, |
  | always be explicit with the algorithms that are accepted and expected when   |
  | decoding.                                                                    |
  +==============================================================================+

  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 36 packages, using free DB (updated once a month)                    |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | pylint                     | 2.12.2    | <2.13.0                  | 45185    |
  +==============================================================================+
  | Pylint 2.13.0 fixes a crash when using the doc_params extension.             |
  | pylint-dev/pylint#5322                                                       |
  +==============================================================================+
```
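The workaround in the report above ("always be explicit with the algorithms that are accepted and expected when decoding") is the whole point, and it is easy to see why once the two verifier shapes sit side by side. The following is an added example, not code from this repository and not PyJWT's implementation: it is a stdlib-only toy HS256 issuer plus two verifiers. `decode_trusting_header` lets the token's own `alg` header pick the verification path, so an attacker-minted `alg=none` token with empty signature is accepted; `decode_with_allowlist` takes the caller's explicit algorithm list, the same shape as PyJWT's `algorithms=` argument to `jwt.decode`, and refuses anything outside it before touching the signature. The secret, claims and forged token are constructed for the demo; the `alg=none` trick is only one illustration of what goes wrong when the submitter chooses the algorithm.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real service loads its key from configuration.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_part(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a compact JWS signed with HMAC-SHA256 (toy issuer, not PyJWT)."""
    header, payload = _encode_part({"alg": "HS256", "typ": "JWT"}), _encode_part(claims)
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def forge_alg_none(claims: dict) -> str:
    """What an attacker submits: arbitrary claims, alg=none, empty signature."""
    return f"{_encode_part({'alg': 'none', 'typ': 'JWT'})}.{_encode_part(claims)}."


def _hs256_ok(header_b64: str, payload_b64: str, sig_b64: str, secret: bytes) -> bool:
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


def decode_trusting_header(token: str, secret: bytes) -> dict:
    """Insecure: the token's own 'alg' header decides how it is verified."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    if alg == "none":
        return json.loads(_b64url_decode(payload_b64))  # accepted without any signature
    if alg == "HS256" and _hs256_ok(header_b64, payload_b64, sig_b64, secret):
        return json.loads(_b64url_decode(payload_b64))
    raise ValueError(f"verification failed for alg {alg!r}")


def decode_with_allowlist(token: str, secret: bytes, algorithms: list) -> dict:
    """The advisory's workaround: the verifier names the algorithms it accepts."""
    if not algorithms:
        raise ValueError("algorithms must be an explicit, non-empty allow-list")
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    if alg not in algorithms:
        raise ValueError(f"alg {alg!r} is not in the allow-list {algorithms}")
    if alg != "HS256":
        raise ValueError(f"alg {alg!r} is allowed but not implemented by this toy")
    if not _hs256_ok(header_b64, payload_b64, sig_b64, secret):
        raise ValueError("bad HS256 signature")
    return json.loads(_b64url_decode(payload_b64))


def demo() -> dict:
    """Run both verifiers over a genuine token and a forged alg=none token."""
    genuine = sign_hs256({"sub": "alice", "admin": False}, DEMO_SECRET)
    forged = forge_alg_none({"sub": "alice", "admin": True})

    def attempt(fn, *args):
        try:
            return fn(*args)
        except ValueError as exc:
            return f"rejected: {exc}"

    return {
        "genuine/trusting": attempt(decode_trusting_header, genuine, DEMO_SECRET),
        "genuine/allowlist": attempt(decode_with_allowlist, genuine, DEMO_SECRET, ["HS256"]),
        "forged/trusting": attempt(decode_trusting_header, forged, DEMO_SECRET),
        "forged/allowlist": attempt(decode_with_allowlist, forged, DEMO_SECRET, ["HS256"]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18} -> {result}")
```

With the real library the equivalent of `decode_with_allowlist` is `jwt.decode(token, key, algorithms=["HS256"])` with the list spelled out by the application; the report's own text is that the weakness needs `algorithms=jwt.algorithms.get_default_algorithms()`, so the version bump and the explicit list belong together.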
sbrunner committed Jun 1, 2022
1 parent a43e152 commit 18bbad6
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion acceptance_tests/pip-cve-ignore
@@ -1 +1 @@
39621
39621,45185
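Review bot: acceptance_tests/pip-cve-ignore now lists 45185 next to 39621 with no rationale recorded anywhere in the file. The report quoted in the commit message describes 45185 as a pylint 2.13.0 crash fix for the doc_params extension rather than a security issue, so suppressing it is defensible, but a bare ID list does not tell the next reader why either entry is ignored or when to revisit it. Suggest recording the justification alongside the ID (in a comment if the file format allows one, otherwise in a README next to the file) and, since pylint is a development-time linter, considering an upgrade to >=2.13.0 instead of a permanent suppression.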
2 changes: 1 addition & 1 deletion app/Pipfile
@@ -38,7 +38,7 @@ pipfile = "==0.0.2"
plaster = "==1.0"
plaster-pastedeploy = "==0.7"
psycopg2 = "==2.9.3"
pyjwt = "==2.3.0"
pyjwt = "==2.4.0"
pyparsing = "==3.0.7"
pyramid = "==2.0"
pyramid-tm = "==2.4"
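Review bot: the pin bump to `pyjwt = "==2.4.0"` addresses ID 48542, but app/Pipfile is the only dependency file in this commit; no Pipfile.lock change is shown. If a lock file is checked in, it still resolves pyjwt 2.3.0 until it is regenerated, and `pipenv install --deploy` aborts when the lock is out of date with the Pipfile. Also, the report's own text says the weakness is reachable only when `jwt.decode` is called with `algorithms=jwt.algorithms.get_default_algorithms()`, so the upgrade should be paired with a check that the application's decode call passes an explicit algorithm list (for example `algorithms=["HS256"]`, or whatever this app actually signs with) rather than relying on the library version alone.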
