[INFO] What is the status of PVE-2021-40962? #1695
Comments
Thanks for mentioning this @dmaljovec. Looks like a mistake to me: we're currently working on Dash 2.0, but it has no security fixes, and there are certainly no plans as yet for 2.1, let alone 2.2. The only thing I can think of that this might have been based on is plotly.js 2.2.1 (https://github.com/plotly/plotly.js/blob/master/CHANGELOG.md#221----2021-07-06), which includes an XSS patch and is included in Dash 1.21 (https://github.com/plotly/dash/blob/dev/CHANGELOG.md#updated). I'm not familiar with the pyup.io safety-db; where does this draw its information from?
I've reached out to support@pyup.io for assistance with this.
Yeah, this seems like a misunderstanding for whoever made or requested this entry into the database.
For more information, this is the tidbit from the README:
This makes it sound like a human has to review it. Unfortunately, the git history is not super informative for the changes to I will say that another package we use frequently for development (
OK thanks - I've filed pyupio/safety-db#2336
cc: @sudburyrob
@dmaljovec our bot commits monthly updates of vulnerabilities already reviewed by our security team; sometimes there are false positives. This correction will show up for our paid users immediately and not until September 1st for our users without a paid subscription.
Thanks @yeisonvargasf - and thanks again @dmaljovec for bringing this to our attention. Closing as resolved.
It looks like the latest pyup.io safety-db is listing anything less than the yet unreleased version 2.2.0 of dash as a security vulnerability:
As this is both a major version and two minor versions off of the current latest release, I was wondering if someone could comment on the veracity of this entry? Also, if there are any more details about what the security fix entails so we can evaluate risk on our own end, that would be great.
Thanks!
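The shape of the problem reported above is an advisory whose upper bound (`<2.2.0`) names a version that does not exist yet, so every released version of the package is flagged and there is nothing a user can upgrade to. The check below is an added illustration, not code from Dash or from pyup.io. It assumes a safety-db-style layout (package name mapping to a list of entries with `id`, `cve`, `advisory` and `specs`), and the entry id, advisory text and release list are constructed for the example rather than copied from the real database.

```python
"""Triage helper for vulnerability-database entries.

Added illustration, not Dash's or pyup.io's own code.  Two checks:
  * is_affected(): does an installed version fall inside an entry's specs?
  * entries_with_no_safe_release(): which entries mark *every* known release
    as vulnerable?  Such an entry either has an unreleased fix or, as in the
    report above, is a false positive; either way it cannot be acted on.
The entry layout and the sample data are assumptions made for the example.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample entry modelled on the report: everything below the
# unreleased 2.2.0 is marked vulnerable.  The id and advisory text are
# placeholders, not the real database record.
SAMPLE_DB: Dict[str, List[dict]] = {
    "dash": [
        {
            "id": "pyup.io-example",
            "cve": "PVE-2021-40962",
            "advisory": "dash before 2.2.0 ... (constructed placeholder)",
            "specs": ["<2.2.0"],
        }
    ]
}

# Constructed list of releases the checker knows about.  In practice this
# would come from your package index rather than a literal.
KNOWN_RELEASES: Dict[str, List[str]] = {"dash": ["1.19.0", "1.20.0", "1.21.0"]}

_CLAUSE_RE = re.compile(r"^(<=|>=|==|<|>)\s*([0-9][0-9A-Za-z.]*)$")

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Simplified numeric version key padded to three components.

    Deliberately not full PEP 440: pre-release suffixes (rc1, b2) are
    dropped, which is enough for the X.Y.Z comparisons shown here.
    """
    parts = [int(p) for p in re.findall(r"\d+", text)]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def matches(version: str, spec: str) -> bool:
    """True if `version` satisfies every comma-separated clause in `spec`."""
    v = parse_version(version)
    for clause in (c.strip() for c in spec.split(",")):
        m = _CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"unsupported spec clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def is_affected(package: str, version: str, db: Dict[str, List[dict]]) -> List[str]:
    """Ids of entries in `db` whose specs cover the installed `version`."""
    return [
        entry["id"]
        for entry in db.get(package, [])
        if any(matches(version, spec) for spec in entry["specs"])
    ]


def entries_with_no_safe_release(
    db: Dict[str, List[dict]], releases: Dict[str, List[str]]
) -> List[Tuple[str, str]]:
    """(package, id) pairs where every known release is inside the specs.

    A sound advisory leaves at least one released version unaffected (the
    fix).  If none is, the bound points at a version that does not exist
    yet, which is exactly the case worth sending back to the database
    maintainers before treating it as a finding.
    """
    flagged = []
    for package, entries in db.items():
        known = releases.get(package, [])
        if not known:
            continue  # nothing to compare against; skip rather than guess
        for entry in entries:
            if all(any(matches(v, s) for s in entry["specs"]) for v in known):
                flagged.append((package, entry["id"]))
    return flagged


if __name__ == "__main__":
    print("dash 1.21.0 affected by:", is_affected("dash", "1.21.0", SAMPLE_DB))
    print("entries with no safe release:",
          entries_with_no_safe_release(SAMPLE_DB, KNOWN_RELEASES))
```

Run against the constructed data, `is_affected("dash", "1.21.0", SAMPLE_DB)` returns the placeholder entry id, and `entries_with_no_safe_release` flags the same entry because 1.19.0, 1.20.0 and 1.21.0 all sit below the bound. Feeding the real release list from your index instead of `KNOWN_RELEASES` turns this into a cheap pre-filter for advisories that cannot be remediated as written.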