chdsbd / kodiak

🔮 A bot to automatically update and merge GitHub PRs

Home Page: https://kodiakhq.com


Please update packages that have `urllib3`, `starlette` and `certifi` dependencies.

ddaza opened this issue · comments

There are some CVEs that are being flagged by Mend.io

The dependencies should use these versions:
urllib3 >=1.26.18
certifi >= 2023.7.22
starlette >= 0.27.0


urllib3 CVE - https://www.cve.org/CVERecord?id=CVE-2023-43804
certifi Vul - GHSA-xqr8-7jwr-rhp7
starlette Vul - GHSA-v5gw-mw7f-84px

As far as I can tell, the outdated urllib3 and certifi might be coming from sentry-sdk.

$ poetry show certifi
 name         : certifi
 version      : 2021.5.30
 description  : Python package for providing Mozilla's CA Bundle.

required by
 - httpx *
 - requests >=2017.4.17
 - sentry-sdk *
$ poetry show urllib3
 name         : urllib3
 version      : 1.26.6
 description  : HTTP library with thread-safe connection pooling, file post, and more.

required by
 - requests >=1.21.1,<1.27
 - sentry-sdk >=1.10.0
$ poetry show starlette
 name         : starlette
 version      : 0.20.4
 description  : The little ASGI library that shines.

dependencies
 - anyio >=3.4.0,<5
 - typing-extensions >=3.10.0
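An added check, not code from this issue or from the kodiak project, that parses the `poetry show` output quoted above, compares each installed version against the minimums the issue requests, and reports whether any dependent's constraint would block resolving the fixed version; `MINIMUMS`, `POETRY_SHOW`, `check` and the other names are this example's own, and the sample output is copied from the issue with the `dependencies` section left out.

```python
import operator
import re

# Minimum versions the issue asks for.
MINIMUMS = {"urllib3": "1.26.18", "certifi": "2023.7.22", "starlette": "0.27.0"}

# `poetry show <pkg>` output copied from the issue (the "dependencies" section is omitted).
POETRY_SHOW = {
    "certifi": """ name         : certifi
 version      : 2021.5.30
required by
 - httpx *
 - requests >=2017.4.17
 - sentry-sdk *""",
    "urllib3": """ name         : urllib3
 version      : 1.26.6
required by
 - requests >=1.21.1,<1.27
 - sentry-sdk >=1.10.0""",
}

OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq, ">": operator.gt, "<": operator.lt}

def parse_version(v):
    """'1.26.18' -> (1, 26, 18); enough for the purely numeric releases involved here."""
    return tuple(int(p) for p in v.split("."))

def parse_show(text):
    """Return (installed version, {dependent: constraint}) from `poetry show` output."""
    version = re.search(r"^\s*version\s*:\s*(\S+)", text, re.M).group(1)
    deps = dict(re.findall(r"^\s*-\s+(\S+)\s+(\S+)\s*$", text, re.M))
    return version, deps

def constraint_allows(constraint, version):
    """True if a Poetry constraint ('*', '>=a', '>=a,<b', ...) admits `version`."""
    if constraint == "*":
        return True
    for clause in constraint.split(","):
        op, bound = re.match(r"(>=|<=|==|>|<)(\S+)", clause).groups()
        if not OPS[op](parse_version(version), parse_version(bound)):
            return False
    return True

def check(pkg, text=None):
    """Report whether `pkg` is below the required floor and which dependents would block the fix."""
    installed, deps = parse_show(text or POETRY_SHOW[pkg])
    floor = MINIMUMS[pkg]
    blockers = sorted(d for d, c in deps.items() if not constraint_allows(c, floor))
    return {"installed": installed, "outdated": parse_version(installed) < parse_version(floor), "blockers": blockers}
```

For the two packages quoted here, `check` reports both as outdated with no blocking constraints, so the upper bound `requests >=1.21.1,<1.27` still admits urllib3 1.26.18.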