Github / dependabot warning about CVE-2023-43804 in urllib3 < 2.0.6 #9305

Closed
geekosaur opened this issue Oct 3, 2023 · 7 comments · Fixed by #9306
Comments

@geekosaur
Collaborator

I note that we currently exclude that version, so presumably we need to test for compatibility.

@ulysses4ever ulysses4ever added re: readthedocs Concerning hosting documentation on `readthedocs` and removed needs triage labels Oct 3, 2023
@ulysses4ever
Collaborator

What do you mean by "we currently exclude"? doc/requirements.in doesn't mention the package, and the generated doc/requirements.txt has urllib3==2.0.2 (and the first unaffected version is 2.0.6). So, the way to go, presumably, is to do what we did for certifi in the past in a similar case: add a bound in requirements.in

https://github.com/haskell/cabal/blob/bbbca4f3402f3446e39ebd71b7b757399984e41f/doc/requirements.in#L7-L8C22

and regenerate requirements.txt via make users-guide-requirements (as discussed in doc/README.md).

@geekosaur
Collaborator Author

The Dependabot notice claims:

Dependency      Version     Upgrade to
urllib3         >= 2.0.0    ~> 2.0.6
                < 2.0.6

It also claims to have gotten it from requirements.txt, so I wonder if it's a default if we don't list it.

@ulysses4ever
Collaborator

I don't get you. requirements.txt does have urllib3==2.0.2. And it got there because of the way we handle Python deps, which we start from requirements.in, where we list only direct dependencies, and produce requirements.txt from it, and we have the full dependency tree in there.

If it helps, requirements.in is like a .cabal file, and requirements.txt is like cabal.freeze file. We have to add a constraint in the former to get a "good" plan in the latter.
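As an added example (not the cabal project's own code), a small checker that pulls the `==` pins out of a pip-compile style requirements.txt and reports whether the pinned urllib3 falls inside the range the Dependabot alert names; the requirements.txt content below is a constructed sample, and the same `satisfies` helper can confirm that a regenerated pin meets a `>= 2.0.6` bound added to requirements.in.

```python
import re

# Constructed sample in the pip-compile style of doc/requirements.txt (not the real file).
SAMPLE_REQUIREMENTS_TXT = """\
requests==2.31.0
    # via sphinx
urllib3==2.0.2
    # via requests
"""
# Vulnerable range exactly as the Dependabot alert states it for CVE-2023-43804.
VULNERABLE_RANGE = ">= 2.0.0, < 2.0.6"

_CLAUSE = re.compile(r"^(>=|<=|==|>|<)\s*([0-9][0-9A-Za-z.]*)$")
_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b, "==": lambda a, b: a == b}

def parse_version(v):
    """Release segments only ('2.0.2' -> (2, 0, 2)); pre-release tags are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def satisfies(version, spec):
    """True if `version` meets every comma-separated clause of a specifier like '>= 2.0.0, < 2.0.6'."""
    for clause in spec.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        a, b = parse_version(version), parse_version(m.group(2))
        n = max(len(a), len(b))  # pad so (2, 0) compares equal to (2, 0, 0)
        a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
        if not _OPS[m.group(1)](a, b):
            return False
    return True

def pinned_versions(requirements_txt):
    """{package: version} for every '==' pin; '# via ...' comment lines are dropped."""
    pins = {}
    for line in requirements_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)$", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins

def vulnerable_pin(requirements_txt, package, vulnerable_range):
    """The pinned version of `package` if it falls in `vulnerable_range`, else None."""
    pinned = pinned_versions(requirements_txt).get(package.lower())
    if pinned and satisfies(pinned, vulnerable_range):
        return pinned
    return None
```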

@geekosaur
Collaborator Author

I'm going by what the notice claimed. (Does nobody else receive these?)

Okay, it looks like the HTML version is unclear; I opened the original message to get the text version for pasting and it turns out that's the vulnerable versions, not the requested version range.

Dependabot alerts on GitHub

Dependabot alerts this week Sep 26 - Oct  3
-------------------

Haskell organization
---------------------------------------------------
1. https://github.com/haskell/cabal

  urllib3 dependency
  ------------------------------------------------
  Vulnerable versions: >= 2.0.0, < 2.0.6
  Upgrade to: 2.0.6
  Defined in: requirements.txt
  Vulnerabilities:  CVE-2023-43804 (Moderate severity) 


  View all vulnerable dependencies:
  https://github.com/haskell/cabal/security/dependabot



@ulysses4ever
Collaborator

Yes, ">= 2.0.0, < 2.0.6" is bad, ">= 2.0.6" is good.

@ulysses4ever
Collaborator

To your other question, for some reason, I don't get dependabot alerts for this repo. I do for some others. Not sure what's up with that...

@ulysses4ever
Collaborator

Oh, I did get the dependabot alert after all!

@mergify mergify bot closed this as completed in #9306 Oct 12, 2023