Dependency with "vulnerable" version of py

[juanitosvq]

Hi all,

I couldn't find this reported yet (apologies if it's duplicate), but tox has a dependency with py, which is currently flagged as a vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2022-42969 and therefore reported by tools like safety and pip-audit.

There is a lot of chatter in here about whether this should be considered a vulnerability in the first place and whether the vulnerability should be taken down. It doesn't sound like the py maintainers are going to fix the affected code, instead they removed the dependency from pytest altogether by vendoring the code they still needed.

Is this something that could be done in tox as well?

Thanks in advance!

[gaborbernat]

tox does not uses the part of the lib that has the vulnabirity so I think this is invalid for us.

[gaborbernat]

tox 4 does not uses py, 😊 and we have no plans to remove it from tox 3. tox 4 will be released eventually some time next year, hopefully.

[juanitosvq]

tox does not uses the part of the lib that has the vulnabirity so I think this is invalid for us.

Right, but unfortunately tools like safety and pip-audit will still report the vulnerability in pipelines that contain tox as a dependency. We will have to explicitly ignore that vulnerability or hope that a new version of py is released.