chdsbd / kodiak

🔮 A bot to automatically update and merge GitHub PRs

https://kodiakhq.com

CVE-2022-29217

StephenRadachy opened this issue 2 years ago · comments

Stephen Radachy commented 2 years ago

Upgrade PyJWT-1.7.1-py2.py3-none-any.whl: https://nvd.nist.gov/vuln/detail/CVE-2022-29217

Christopher Dignam commented 2 years ago

I don't think Kodiak is affected by this issue because Kodiak specifies the JWT algorithm: https://cs.github.com/chdsbd/kodiak/blob/cd699e620e88dd5725ec455c418c70902b7660a1/bot/kodiak/queries/__init__.py?q=jwt#L1320

But like these other vulnerabilities, I'd welcome a PR to update the package.