Upgrade idna to 3.7 for CVE-2024-3651

Question

Upgrade idna to 3.7 for CVE-2024-3651

carlos-villavicencio-adsk opened this issue a month ago · comments

Carlos Villavicencio commented a month ago

Now that idna released 3.7, can you consider bump the requires to idna>=3.7,<4?

Expected Result

Get rid of CVE-2024-3651

Actual Result

SAST analysis shows CVE-2024-3651

Reproduction Steps

n/a

System Information

n/a

Ian Stapleton Cordasco · Answer 1 · Fri Apr 26 2024 22:05:30 GMT+0800 (China Standard Time)

Use a better SAST.

The requirement does not forbid you using 3.7. If you aren't also managing your transitive dependency versions a reinstall of requests should pull this unless you have something else blocking you from using that version.