GitPython 3.1.30 dependency is vulnerable to RCE CVE-2023-40267
behnazh-w opened this issue
The GitPython dependency, which is pinned to 3.1.30, is vulnerable to a Remote Code Execution attack and needs to be updated to version 3.1.32.
Unfortunately, the packages that use pydriller are now forced to ship the vulnerable GitPython, which is not acceptable. Can you please give a timeline when you plan to fix this issue?
See CVE details here: https://osv.dev/vulnerability/GHSA-pr76-5cm5-w9cj
Hi! Unfortunately newer versions of GitPython do not use git stat properly, which breaks many functions in Pydriller. I opened an issue some time ago: gitpython-developers/GitPython#1556
We don't have a fix yet; I'll have to work on it, or someone from the community maybe.
New version with GitPython published. Closing this issue.
Thanks!