[BUG] Inclusion of the docker dependency brings in pywin32, which has an outstanding vulnerability
matroscoe opened this issue · comments
Memgraph version: gqlalchemy = ">=1.4.1,<2.0.0"
Environment: Python 3.11, memgraph running the memgraph/memgraph-mage docker image
Describe the bug
The Python docker package is being required as a dependency, which is dragging in the pywin32 library, which currently has CVEs open against the version imported; see:
- GHSA-hwfp-hg2m-9vr2
- CVE-2021-32559, in case the GitHub one is not available to you
To Reproduce
Steps to reproduce the behavior:
- install the library, run any SAST or DAST tool
Expected behavior
That a system running on Linux would not be importing the pywin32 library, and if it is required, it would be pinned to versions that don't have CVEs.
Logs
N/A
Additional context
Is the Python docker package really a requirement, or can it be made optional?
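The check a maintainer would run on a report like this is to trace which declared dependency path actually pulls pywin32 into a Linux environment, honouring PEP 508 environment markers (a `sys_platform == "win32"` marker keeps the edge off Linux; an unconditional requirement does not). The script below is an added example, not code from the issue or from the gqlalchemy project; the package metadata, version specifiers and the `legacy-tool` package are constructed samples, and the marker evaluator only handles the `sys_platform` / `platform_system` equality subset.

```python
import re
from typing import Dict, List, Optional

# Constructed sample metadata in Requires-Dist style, NOT the real packages'
# metadata: the docker edge carries a platform marker, legacy-tool's does not.
SAMPLE_REQUIRES: Dict[str, List[str]] = {
    "gqlalchemy": ["docker>=6.0", "neo4j>=5.0"],
    "docker": ['pywin32>=304; sys_platform == "win32"', "requests>=2.26"],
    "legacy-tool": ["pywin32"],  # unconditional pull: lands on Linux too
    "neo4j": [], "requests": [], "pywin32": [],
}
LINUX = {"sys_platform": "linux", "platform_system": "Linux"}
WINDOWS = {"sys_platform": "win32", "platform_system": "Windows"}

_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)[^;]*(?:;\s*(.*))?$")
_MARK = re.compile(
    r'^\s*(sys_platform|platform_system)\s*(==|!=)\s*["\']([^"\']+)["\']\s*$')

def marker_applies(marker: Optional[str], env: Dict[str, str]) -> bool:
    """Evaluate the marker subset handled here; markers this parser does not
    understand count as applying, so an audit never silently drops an edge."""
    if not marker:
        return True
    m = _MARK.match(marker)
    if not m:
        return True
    var, op, val = m.groups()
    return (env.get(var) == val) if op == "==" else (env.get(var) != val)

def dependency_paths(requires: Dict[str, List[str]], root: str, target: str,
                     env: Dict[str, str]) -> List[List[str]]:
    """Return every path root -> ... -> target whose edges all apply in env."""
    paths: List[List[str]] = []

    def walk(pkg: str, path: List[str]) -> None:
        for req in requires.get(pkg, []):
            m = _REQ.match(req)
            if not m:
                continue
            name, marker = m.group(1).lower(), m.group(2)
            if name in path or not marker_applies(marker, env):
                continue  # cycle guard, or the marker excludes this platform
            if name == target:
                paths.append(path + [name])
            else:
                walk(name, path + [name])

    walk(root, [root])
    return paths
```

Calling `dependency_paths(SAMPLE_REQUIRES, "gqlalchemy", "pywin32", LINUX)` returns no path, while the same call against `legacy-tool` returns one, which is the distinction between a dependency that only reaches pywin32 on Windows and one that installs it everywhere. To run it against a real environment, feed it the `Requires-Dist` lines from `importlib.metadata.requires()` for each installed distribution.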
Thank you @matroscoe for opening the issue. We will work on the release at the end of the next week and update the necessary dependencies. Stay tuned :)