Dependency starkbank-ecdsa forces high-severity vulnerability #1023
Comments
This issue ideally shouldn't be closed till there is a release, as it affects every user of this library and they can't do anything about it till a release exists.
Hi @kapilt, I've reopened this issue. The fix will be included in the next release on 11/17/21.
Any chance this could be released sooner so we can honor SOC2 Vuln fix SLA without pinning dependency?
An earlier security release addressing CVE-2021-43572 would be much appreciated! I've had to patch my requirements.txt in the interim:

    sendgrid @ git+https://github.com/sendgrid/sendgrid-python.git@main # tracking main to avoid a vulnerability, can then be pinned for sendgrid>6.9.0
    starkbank-ecdsa>=2.0.1 # not directly required, used by sendgrid, pinned to avoid vulnerability CVE-2021-43572
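As an added example (not code from this thread or from sendgrid-python), the following script checks a requirements file with pins like the ones above against a snapshot of installed versions, so a team can confirm the transitive starkbank-ecdsa pin is actually honored in the resolved environment. The requirements text and the installed-version map are constructed; the direct-reference (`@ git+...`) entry is reported but not version-compared, since it carries no comparable version.

```python
"""Verify requirement specifiers against installed versions (added example)."""
import re

# Constructed requirements, mirroring the interim pins quoted in the thread.
REQUIREMENTS = """
sendgrid @ git+https://github.com/sendgrid/sendgrid-python.git@main  # tracking main
starkbank-ecdsa>=2.0.1  # not directly required, used by sendgrid, CVE-2021-43572
"""

# Constructed snapshot of an environment still carrying the vulnerable release.
INSTALLED_VULNERABLE = {"sendgrid": "6.9.0", "starkbank-ecdsa": "1.1.1"}
INSTALLED_FIXED = {"sendgrid": "6.9.0", "starkbank-ecdsa": "2.0.1"}

# name, operator, numeric version (pre-release tags are out of scope here)
SPEC_RE = re.compile(r"^([A-Za-z0-9._-]+)\s*(>=|==|>|<=|<|!=)\s*([0-9][0-9.]*)$")


def parse_version(text):
    """Turn '2.0.1' into (2, 0, 1) so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def satisfies(installed, op, wanted):
    have, need = parse_version(installed), parse_version(wanted)
    return {">=": have >= need, "==": have == need, ">": have > need,
            "<=": have <= need, "<": have < need, "!=": have != need}[op]


def check_requirements(text, installed):
    """Return (name, status) per requirement line; 'violated' means the pin is not met."""
    results = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop inline comments (URLs with '#egg=' not handled)
        if not line:
            continue
        if " @ " in line:  # PEP 508 direct reference: nothing numeric to compare against
            results.append((line.split(" @ ", 1)[0].strip().lower(), "direct-ref"))
            continue
        match = SPEC_RE.match(line)
        if not match:
            results.append((line.lower(), "unparsed"))
            continue
        name, op, wanted = match.group(1).lower(), match.group(2), match.group(3)
        have = installed.get(name)
        if have is None:
            results.append((name, "missing"))
        elif satisfies(have, op, wanted):
            results.append((name, "ok"))
        else:
            results.append((name, f"violated: installed {have}, requires {op}{wanted}"))
    return results
```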
Thanks for your patience everyone! The fix should be included in v6.9.1 of the Sendgrid-python library.
GitHub has alerted us that our project has a high-severity vulnerability in starkbank-ecdsa version 1.1.1. The requirements file here forces us to install it (see requirements.txt). Please fix this so we don't have to install this library to use sendgrid.
From the GitHub alert:
PS - what does it use this library for, anyway? Seems odd that an email library depends on bank software.