memgraph / gqlalchemy

GQLAlchemy is a library developed with the purpose of assisting in writing and running queries on Memgraph. GQLAlchemy supports a high-level connection to Memgraph as well as a modular query builder.

Home Page: https://pypi.org/project/gqlalchemy/


[BUG] Inclusion of the docker dependency brings in pywin32, which has an outstanding vulnerability

matroscoe opened this issue · comments

Memgraph version: gqlalchemy = ">=1.4.1,<2.0.0"
Environment: Python 3.11, memgraph running the memgraph/memgraph-mage docker image

Describe the bug
The python docker package is being required as a dependency, which is dragging in the pywin32 library, which currently has CVEs open against the version imported, see:

To Reproduce
Steps to reproduce the behavior:

  1. Install the library, run any SAST or DAST tool

Expected behavior
That a system running on Linux would not be importing the pywin32 library and, if required, it would be pinned to versions that don't have CVEs.

Logs
N/A

Additional context
Is the python docker package really a requirement, or can it be made optional?
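One way to check the concern raised above, i.e. whether a package's dependency tree would actually install pywin32 on a given platform, as an added example that is not part of this issue or of GQLAlchemy's code: it walks installed package metadata (or the constructed sample below), honouring simple `sys_platform`-style environment markers so that a Windows-only guard such as `pywin32 ; sys_platform == "win32"` is dropped on Linux. The sample metadata is constructed for illustration and does not reflect the real packages' requirements.

```python
import re
from importlib import metadata
# PEP 508 requirement line, e.g.  pywin32 (>=304) ; sys_platform == "win32"
_REQ_RE = re.compile(r'^\s*([A-Za-z0-9][A-Za-z0-9._-]*)[^;]*?(?:;\s*(.*))?$')
# One marker clause, e.g.  sys_platform == "win32"  or  extra == "ssh"
_CLAUSE_RE = re.compile(r'^\s*(\w+)\s*(==|!=)\s*["\']([^"\']*)["\']\s*$')

def _clause(text, env):
    m = _CLAUSE_RE.match(text)
    if not m:
        raise ValueError(f"unsupported marker clause: {text!r}")
    key, op, value = m.groups()
    actual = env.get(key, "")          # unknown keys such as 'extra' never match
    return actual == value if op == "==" else actual != value

def marker_true(marker, env):
    """Evaluate ==/!= clauses joined by 'and'/'or' (assumption: no parentheses)."""
    if not marker:
        return True
    return any(all(_clause(c, env) for c in group.split(" and "))
               for group in marker.split(" or "))

def _normalize(name):
    return re.sub(r"[-_.]+", "-", name).lower()

def resolved_tree(root, env, requires=metadata.requires):
    """Map each package in root's transitive closure to the direct deps that
    would actually be installed in `env`; deps whose marker fails are dropped."""
    tree, todo = {}, [_normalize(root)]
    while todo:
        pkg = todo.pop()
        if pkg in tree:
            continue
        try:
            lines = requires(pkg) or []
        except metadata.PackageNotFoundError:   # not installed here: treat as a leaf
            lines = []
        deps = [_normalize(m.group(1)) for m in map(_REQ_RE.match, lines)
                if m and marker_true(m.group(2), env)]
        tree[pkg] = deps
        todo.extend(deps)
    return tree

# Constructed sample metadata (not real package data), shaped like requires() output.
SAMPLE_METADATA = {
    "gqlalchemy": ["docker (>=6.0)", "neo4j (>=4.4)"],
    "docker": ["requests (>=2.26)", 'pywin32 (>=304) ; sys_platform == "win32"'],
    "requests": [], "neo4j": [], "pywin32": [],
}
```

Against a real environment, `resolved_tree("gqlalchemy", {"sys_platform": sys.platform})` reads the installed distributions through importlib.metadata, so the packages under audit must be installed there.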

Thank you @matroscoe for opening the issue. We will work on the release at the end of next week and update the necessary dependencies. Stay tuned :)