snyk-labs / pysnyk

A Python client for the Snyk API.

Home Page: https://snyk.docs.apiary.io/


[FEAT]: replace dependency on Retry with a more actively maintained dependency that does not raise CVE-2022-42969 in other platforms

JosanaDH opened this issue · comments

Is there an existing feature request for this?

  • I have searched the existing feature requests

Description

Pysnyk depends on Retry, which has not had a PyPI release since 2016.
That release of Retry included a dependency on Py, which has had a CVE raised against it (CVE-2022-42969).
Although this has been determined to be a false positive by Snyk (ST-1653), it can still raise queries from customers.

Retry has pushed a fix to master to remove this dependency, but there is no PyPI release.

Suggestion is to investigate the use of other, more actively maintained projects that perform a similar function, such as backoff or tenacity.

Additional Information

No response
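The problem described in this issue is a transitive one: pysnyk never imports `py`, it only inherits it through `retry`. The script below, an added example that is not pysnyk code, walks `Requires-Dist` metadata to show every dependency path from a root package to a target such as `py`. The `SAMPLE_GRAPH` entries (names and version pins) are constructed so it runs offline; `installed_graph()` reads the real environment instead.

```python
"""Find transitive dependency paths (e.g. pysnyk -> retry -> py)."""
import re
from importlib import metadata

# Constructed sample of Requires-Dist entries, not a real metadata dump.
SAMPLE_GRAPH = {
    "pysnyk": ["requests>=2.20", "retry>=0.9"],
    "retry": ["decorator>=3.4.2", "py>=1.4.26"],
    "decorator": [],
    "py": [],
    "requests": ["urllib3", "idna", "PySocks; extra == 'socks'"],
    "urllib3": [],
    "idna": [],
}

_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def requirement_name(spec: str) -> str:
    """Normalised distribution name from a Requires-Dist specifier."""
    m = _NAME_RE.match(spec)
    return m.group(1).lower().replace("_", "-") if m else ""


def installed_graph() -> dict:
    """Build {name: [requirement specs]} from the current environment."""
    graph = {}
    for dist in metadata.distributions():
        name = dist.metadata["Name"].lower().replace("_", "-")
        graph[name] = dist.requires or []
    return graph


def dependency_paths(graph: dict, root: str, target: str) -> list:
    """Every path root -> ... -> target, skipping optional extras."""
    paths = []

    def walk(node, path):
        for spec in graph.get(node, []):
            if "extra ==" in spec:
                continue  # only installed when the extra is requested
            child = requirement_name(spec)
            if child in path:
                continue  # cycle guard
            if child == target:
                paths.append(path + [child])
            else:
                walk(child, path + [child])

    walk(root, [root])
    return paths


if __name__ == "__main__":
    for p in dependency_paths(installed_graph(), "pysnyk", "py"):
        print(" -> ".join(p))
```

Running it against a real environment prints nothing once `retry` is replaced by a dependency that does not pull in `py`, which is the check a customer's scanner is effectively doing.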