Github / dependabot warning about CVE-2023-43804 in urllib3 < 2.0.6 #9305
Comments
What do you mean by "we currently exclude"? and regenerate requirements.txt via |
The Dependabot notice claims:
It also claims to have gotten it from |
I don't get you. If it helps, |
I'm going by what the notice claimed. (Does nobody else receive these?) Okay, it looks like the HTML version is unclear; I opened the original message to get the text version for pasting and it turns out that's the vulnerable versions, not the requested version range.
Yes, ">= 2.0.0, < 2.0.6" is bad, ">= 2.0.6" is good.
To your other question, for some reason, I don't get dependabot alerts for this repo. I do for some others. Not sure what's up with that...
Oh, I did get the dependabot alert after all!
I note that we currently exclude that version, so presumably we need to test for compatibility.
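The thread turns on reading the version range correctly: the notice lists the vulnerable versions (">= 2.0.0, < 2.0.6"), not the range being requested. A small checker that evaluates a pinned urllib3 version against such a range, and scans a generated requirements.txt for exact pins, is a useful sanity test before deciding whether the repo's exclusion of 2.x is what keeps it safe. The code below is an added example, not code from this repository or from Dependabot. It encodes the 2.x range quoted in the thread plus the 1.26.x range from the upstream advisory (fixed in 1.26.17, which the page itself does not mention); the sample requirements.txt content is constructed for the example.

```python
import re

# Vulnerable ranges for CVE-2023-43804. The first is the range quoted in the
# thread; the second is the 1.26.x line from the upstream advisory, added here
# (not on this page) so that a 1.x pin is not reported as safe by accident.
VULNERABLE_RANGES = [
    ">= 2.0.0, < 2.0.6",
    "< 1.26.17",
]

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def parse_version(s: str, width: int = 3) -> tuple:
    """'2.0.6' -> (2, 0, 6); '2.1' -> (2, 1, 0) so tuples compare by component.

    Only plain dotted-integer releases are handled; pre-release suffixes are not.
    """
    parts = tuple(int(p) for p in s.strip().split("."))
    return parts + (0,) * (width - len(parts))


def parse_specifiers(spec: str) -> list:
    """'>= 2.0.0, < 2.0.6' -> [('>=', (2, 0, 0)), ('<', (2, 0, 6))]."""
    clauses = []
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|!=|>|<)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        clauses.append((m.group(1), parse_version(m.group(2))))
    return clauses


def matches(version: str, spec: str) -> bool:
    """True when `version` satisfies every clause of the comma-joined spec."""
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in parse_specifiers(spec))


def is_vulnerable(version: str, ranges=None) -> bool:
    """True when the version falls inside any of the vulnerable ranges."""
    return any(matches(version, r) for r in (ranges or VULNERABLE_RANGES))


def scan_requirements(text: str, package: str = "urllib3", ranges=None) -> dict:
    """Return {pinned_version: vulnerable?} for each exact `package==X` pin.

    Comments are stripped; only '==' pins are reported, since a range such as
    'urllib3<2' cannot be judged without resolving it.
    """
    results = {}
    pin = re.compile(rf"{re.escape(package)}\s*==\s*([\d.]+)", re.IGNORECASE)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = pin.fullmatch(line)
        if m:
            results[m.group(1)] = is_vulnerable(m.group(1), ranges)
    return results


# Constructed sample of a generated requirements.txt (not from the repository).
SAMPLE_REQUIREMENTS = """\
# generated by pip-compile
requests==2.31.0
urllib3==2.0.4    # the version range the notice flagged
"""

if __name__ == "__main__":
    for version, bad in scan_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"urllib3=={version}: {'VULNERABLE' if bad else 'ok'}")
```

Running it against the sample reports the 2.0.4 pin as vulnerable; repointing the pin at 2.0.6 (or keeping the 1.x line at 1.26.17) clears it. If the repository really does exclude 2.x, the thing to confirm is that the exact resolved 1.26.x version is also at or past the backported fix.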