3.0.2 Failing Safety Check - No Stable Upgrade Available
CarolynWebster opened this issue · comments
Looks like there are several safety warnings for daphne. 3.0.2 appears to be the last stable version, so there is no option in terms of upgrades.
`safety` report:

```
checked 261 packages, using default DB
---
-> daphne, installed 3.0.2, affected <4.0.0b1, id 50814
-> daphne, installed 3.0.2, affected <4.0.0b1, id 50815
-> daphne, installed 3.0.2, affected <4.0.0b1, id 50816
-> daphne, installed 3.0.2, affected <4.0.0b1, id 50817
-> daphne, installed 3.0.2, affected <4.0.0b1, id 50818
-> daphne, installed 3.0.2, affected <4.0.0b1, id 50768
```
From the safety JSON file: https://raw.githubusercontent.com/pyupio/safety-db/master/data/insecure_full.json
```json
"daphne": [
  {
    "advisory": "Daphne 4.0.0b1 updates its dependency 'twisted' requirement to '>=22.4' to include security fixes.",
    "cve": "CVE-2022-21712",
    "id": "pyup.io-50814",
    "more_info_path": "/vulnerabilities/CVE-2022-21712/50814/",
    "specs": [
      "<4.0.0b1"
    ],
    "v": "<4.0.0b1"
  },
  {
    "advisory": "Daphne 4.0.0b1 updates its dependency 'twisted' requirement to '>=22.4' to include security fixes.",
    "cve": "CVE-2020-10108",
    "id": "pyup.io-50815",
    "more_info_path": "/vulnerabilities/CVE-2020-10108/50815/",
    "specs": [
      "<4.0.0b1"
    ],
    "v": "<4.0.0b1"
  },
  {
    "advisory": "Daphne 4.0.0b1 updates its dependency 'twisted' requirement to '>=22.4' to include security fixes.",
    "cve": "CVE-2020-10109",
    "id": "pyup.io-50816",
    "more_info_path": "/vulnerabilities/CVE-2020-10109/50816/",
    "specs": [
      "<4.0.0b1"
    ],
    "v": "<4.0.0b1"
  },
  {
    "advisory": "Daphne 4.0.0b1 updates its dependency 'twisted' requirement to '>=22.4' to include security fixes.",
    "cve": "CVE-2019-12855",
    "id": "pyup.io-50817",
    "more_info_path": "/vulnerabilities/CVE-2019-12855/50817/",
    "specs": [
      "<4.0.0b1"
    ],
    "v": "<4.0.0b1"
  },
  {
    "advisory": "Daphne 4.0.0b1 updates its dependency 'twisted' requirement to '>=22.4' to include security fixes.",
    "cve": "CVE-2019-12387",
    "id": "pyup.io-50818",
    "more_info_path": "/vulnerabilities/CVE-2019-12387/50818/",
    "specs": [
      "<4.0.0b1"
    ],
    "v": "<4.0.0b1"
  },
  {
    "advisory": "Daphne 4.0.0b1 updates its dependency 'twisted' requirement to '>=22.4' to include security fixes.",
    "cve": "CVE-2022-24801",
    "id": "pyup.io-50768",
    "more_info_path": "/vulnerabilities/CVE-2022-24801/50768/",
    "specs": [
      "<4.0.0b1"
    ],
    "v": "<4.0.0b1"
  }
],
```
Links to pyup:
- https://pyup.io/vulnerabilities/CVE-2022-21712/50814/
- https://pyup.io/vulnerabilities/CVE-2020-10108/50815/
- https://pyup.io/vulnerabilities/CVE-2020-10109/50816/
- https://pyup.io/vulnerabilities/CVE-2019-12855/50817/
- https://pyup.io/vulnerabilities/CVE-2019-12387/50818/
- https://pyup.io/vulnerabilities/CVE-2022-24801/50768/
These all report on the same thing, that Daphne <4.0.0b1 doesn't require a secure version of twisted.
IMO these are "garbage" reports, you can use the new version of Twisted with Daphne 3.0.2. Daphne cannot be expected to release a new version with an updated minimum version pin, every time that Twisted releases a security fix.
I advise ignoring the checks (`safety check --ignore=50814 ...`), and reporting them as bad checks to PyUP.
Yes, thanks @adamchainz — I agree these are garbage. It makes Pyup's "reviewed by experts" look pretty weak, TBH.
The key point is that the `twisted` dependency is a minimum: if you `pip install daphne` you don't get an insecure version...

```
Successfully installed … daphne-3.0.2 … twisted-22.4.0
```
So @CarolynWebster You can carry on (but please do report the issue to pyup)
> ...cannot be expected to release a new version with an updated minimum version pin...

It's a minimum ("needs at least this"): if I declare `Django>=3.2`, it's not a security issue in my package because Django 3.2.15 was a security release. You just update Django.
Btw, my experience with `safety` has been only false positives. I've been using it at one client for about two years, because their security policy needed something in place. But IIRC the only alerts we've ever seen were false positives that needed muting, maybe 2-3 times.
I am considering switching to pip-audit, which has a community-driven database.