pyup-update-jupyterlab-1.2.1-to-3.2.4
3 years, 10 months ago
Update jupyterlab from 1.2.1 to 3.2.4
pip 19.2.3, Sphinx 1.8.5 and twine 1.14.0 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| pip | 19.2.3 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
| pip | 19.2.3 | <21.1 |
show An issue was discovered in Pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). A warning was added about this behavior in version 21.1. NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. |
| pip | 19.2.3 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. |
| pip | 19.2.3 | <23.3 |
show Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. |
| pip | 19.2.3 | <25.0 |
show Pip solves a security vulnerability that previously allowed maliciously crafted wheel files to execute unauthorized code during installation. |
| Sphinx | 1.8.5 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
| Sphinx | 1.8.5 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
| Sphinx | 1.8.5 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
| Sphinx | 1.8.5 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
| twine | 1.14.0 | <2.0.0 |
show Twine 2.0.0 updates requests to 2.20 (or later) to include a security fix. |
dependabot/pip/pip-21.1
3 years, 10 months ago
![@dependabot[bot]](https://avatars3.githubusercontent.com/u/49699333?v=3&s=32){kind=small}
Bump pip from 19.2.3 to 21.1
Bumps [pip](https://github.com/pypa/pip) from 19.2.3 to 21.1.
- [Relea
Sphinx 1.8.5, twine 1.14.0 and jupyterlab 1.2.1 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| Sphinx | 1.8.5 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
| Sphinx | 1.8.5 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
| Sphinx | 1.8.5 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
| Sphinx | 1.8.5 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
| twine | 1.14.0 | <2.0.0 |
show Twine 2.0.0 updates requests to 2.20 (or later) to include a security fix. |
| jupyterlab | 1.2.1 | <3.0.8 |
show Jupyterlab 3.0.8 updates its dependency 'marked' to v2.0.0 to address a vulnerability. See also <https://github.com/jupyterlab/jupyterlab/pull/9809>. |
| jupyterlab | 1.2.1 | >=3.1.0a0,<3.1.4 , >=3.0.0a0,<3.0.17 , >=2.3.0a0,<2.3.2 , >=2.2.0a0,<2.2.10 , <1.2.21 |
show Jupyterlab versions 3.1.4, 3.0.17, 2.3.2, 2.2.10 and 1.2.21 include a fix for CVE-2021-32797: In affected versions, an untrusted notebook can execute code on load. In particular, jupyterlab doesn’t sanitize the action attribute of html "<form>". Using this it is possible to trigger the form validation outside of the form itself. This is a remote code execution, but requires user action to open a notebook. https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4952-p58q-6crx https://github.com/jupyterlab/jupyterlab/commit/504825938c0abfa2fb8ff8d529308830a5ae42ed |
| jupyterlab | 1.2.1 | >=4.0.0,<=4.0.10 , <=3.6.6 |
show CVE-2024-22421 is a vulnerability in Jupyter Notebook where clicking a malicious link could expose Authorization and XSRFToken tokens to third parties in older jupyter-server versions. Patched versions include JupyterLab 4.1.0b2, 4.0.11, and 3.6.7. Users are advised to upgrade jupyter-server to version 2.7.2 or newer, which includes a fix for a redirect vulnerability. No other workaround has been identified. https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-44cc-43rp-5947 |
| jupyterlab | 1.2.1 | <3.1.0 |
show Jupyterlab 3.1.0 upgrades the 'marked' dependency to fix a vulnerability. |
| jupyterlab | 1.2.1 | <3.1.0b2 |
show Jupyterlab 3.1.0b2 upgrades the 'marked' underlying dependency from '@jupyterlab/rendermime' with a known security vulnerability. |
| jupyterlab | 1.2.1 | <=3.6.7 , >=4.0.0a0,<=4.2.4 |
show JupyterLab is vulnerable to HTML injection, leading to DOM Clobbering, which allows attackers to access sensitive data and perform arbitrary actions as the compromised user. This vulnerability occurs when a user opens a malicious notebook with Markdown cells or a Markdown file in JupyterLab. |
pyup-update-jupyterlab-1.2.1-to-3.2.3
3 years, 10 months ago
Update jupyterlab from 1.2.1 to 3.2.3
pip 19.2.3, Sphinx 1.8.5 and twine 1.14.0 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| pip | 19.2.3 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
| pip | 19.2.3 | <21.1 |
show An issue was discovered in Pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). A warning was added about this behavior in version 21.1. NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. |
| pip | 19.2.3 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. |
| pip | 19.2.3 | <23.3 |
show Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. |
| pip | 19.2.3 | <25.0 |
show Pip solves a security vulnerability that previously allowed maliciously crafted wheel files to execute unauthorized code during installation. |
| Sphinx | 1.8.5 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
| Sphinx | 1.8.5 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
| Sphinx | 1.8.5 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
| Sphinx | 1.8.5 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
| twine | 1.14.0 | <2.0.0 |
show Twine 2.0.0 updates requests to 2.20 (or later) to include a security fix. |
pyup-update-coverage-4.5.4-to-6.1.2
3 years, 10 months ago
Update coverage from 4.5.4 to 6.1.2
pip 19.2.3, Sphinx 1.8.5 and 2 other dependencies have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| pip | 19.2.3 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
| pip | 19.2.3 | <21.1 |
show An issue was discovered in Pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). A warning was added about this behavior in version 21.1. NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. |
| pip | 19.2.3 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. |
| pip | 19.2.3 | <23.3 |
show Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. |
| pip | 19.2.3 | <25.0 |
show Pip solves a security vulnerability that previously allowed maliciously crafted wheel files to execute unauthorized code during installation. |
| Sphinx | 1.8.5 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
| Sphinx | 1.8.5 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
| Sphinx | 1.8.5 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
| Sphinx | 1.8.5 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
| twine | 1.14.0 | <2.0.0 |
show Twine 2.0.0 updates requests to 2.20 (or later) to include a security fix. |
| jupyterlab | 1.2.1 | <3.0.8 |
show Jupyterlab 3.0.8 updates its dependency 'marked' to v2.0.0 to address a vulnerability. See also <https://github.com/jupyterlab/jupyterlab/pull/9809>. |
| jupyterlab | 1.2.1 | >=3.1.0a0,<3.1.4 , >=3.0.0a0,<3.0.17 , >=2.3.0a0,<2.3.2 , >=2.2.0a0,<2.2.10 , <1.2.21 |
show Jupyterlab versions 3.1.4, 3.0.17, 2.3.2, 2.2.10 and 1.2.21 include a fix for CVE-2021-32797: In affected versions, an untrusted notebook can execute code on load. In particular, jupyterlab doesn’t sanitize the action attribute of html "<form>". Using this it is possible to trigger the form validation outside of the form itself. This is a remote code execution, but requires user action to open a notebook. https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4952-p58q-6crx https://github.com/jupyterlab/jupyterlab/commit/504825938c0abfa2fb8ff8d529308830a5ae42ed |
| jupyterlab | 1.2.1 | >=4.0.0,<=4.0.10 , <=3.6.6 |
show CVE-2024-22421 is a vulnerability in Jupyter Notebook where clicking a malicious link could expose Authorization and XSRFToken tokens to third parties in older jupyter-server versions. Patched versions include JupyterLab 4.1.0b2, 4.0.11, and 3.6.7. Users are advised to upgrade jupyter-server to version 2.7.2 or newer, which includes a fix for a redirect vulnerability. No other workaround has been identified. https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-44cc-43rp-5947 |
| jupyterlab | 1.2.1 | <3.1.0 |
show Jupyterlab 3.1.0 upgrades the 'marked' dependency to fix a vulnerability. |
| jupyterlab | 1.2.1 | <3.1.0b2 |
show Jupyterlab 3.1.0b2 upgrades the 'marked' underlying dependency from '@jupyterlab/rendermime' with a known security vulnerability. |
| jupyterlab | 1.2.1 | <=3.6.7 , >=4.0.0a0,<=4.2.4 |
show JupyterLab is vulnerable to HTML injection, leading to DOM Clobbering, which allows attackers to access sensitive data and perform arbitrary actions as the compromised user. This vulnerability occurs when a user opens a malicious notebook with Markdown cells or a Markdown file in JupyterLab. |
pyup-update-sphinx-1.8.5-to-4.3.0
3 years, 10 months ago
Update sphinx from 1.8.5 to 4.3.0
pip 19.2.3, twine 1.14.0 and jupyterlab 1.2.1 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| pip | 19.2.3 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
| pip | 19.2.3 | <21.1 |
show An issue was discovered in Pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). A warning was added about this behavior in version 21.1. NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. |
| pip | 19.2.3 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. |
| pip | 19.2.3 | <23.3 |
show Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. |
| pip | 19.2.3 | <25.0 |
show Pip solves a security vulnerability that previously allowed maliciously crafted wheel files to execute unauthorized code during installation. |
| twine | 1.14.0 | <2.0.0 |
show Twine 2.0.0 updates requests to 2.20 (or later) to include a security fix. |
| jupyterlab | 1.2.1 | <3.0.8 |
show Jupyterlab 3.0.8 updates its dependency 'marked' to v2.0.0 to address a vulnerability. See also <https://github.com/jupyterlab/jupyterlab/pull/9809>. |
| jupyterlab | 1.2.1 | >=3.1.0a0,<3.1.4 , >=3.0.0a0,<3.0.17 , >=2.3.0a0,<2.3.2 , >=2.2.0a0,<2.2.10 , <1.2.21 |
show Jupyterlab versions 3.1.4, 3.0.17, 2.3.2, 2.2.10 and 1.2.21 include a fix for CVE-2021-32797: In affected versions, an untrusted notebook can execute code on load. In particular, jupyterlab doesn’t sanitize the action attribute of html "<form>". Using this it is possible to trigger the form validation outside of the form itself. This is a remote code execution, but requires user action to open a notebook. https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4952-p58q-6crx https://github.com/jupyterlab/jupyterlab/commit/504825938c0abfa2fb8ff8d529308830a5ae42ed |
| jupyterlab | 1.2.1 | >=4.0.0,<=4.0.10 , <=3.6.6 |
show CVE-2024-22421 is a vulnerability in Jupyter Notebook where clicking a malicious link could expose Authorization and XSRFToken tokens to third parties in older jupyter-server versions. Patched versions include JupyterLab 4.1.0b2, 4.0.11, and 3.6.7. Users are advised to upgrade jupyter-server to version 2.7.2 or newer, which includes a fix for a redirect vulnerability. No other workaround has been identified. https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-44cc-43rp-5947 |
| jupyterlab | 1.2.1 | <3.1.0 |
show Jupyterlab 3.1.0 upgrades the 'marked' dependency to fix a vulnerability. |
| jupyterlab | 1.2.1 | <3.1.0b2 |
show Jupyterlab 3.1.0b2 upgrades the 'marked' underlying dependency from '@jupyterlab/rendermime' with a known security vulnerability. |
| jupyterlab | 1.2.1 | <=3.6.7 , >=4.0.0a0,<=4.2.4 |
show JupyterLab is vulnerable to HTML injection, leading to DOM Clobbering, which allows attackers to access sensitive data and perform arbitrary actions as the compromised user. This vulnerability occurs when a user opens a malicious notebook with Markdown cells or a Markdown file in JupyterLab. |
pyup-update-twine-1.14.0-to-3.6.0
3 years, 10 months ago
Update twine from 1.14.0 to 3.6.0
pip 19.2.3, Sphinx 1.8.5 and jupyterlab 1.2.1 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| pip | 19.2.3 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
| pip | 19.2.3 | <21.1 |
show An issue was discovered in Pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). A warning was added about this behavior in version 21.1. NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. |
| pip | 19.2.3 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. |
| pip | 19.2.3 | <23.3 |
show Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. |
| pip | 19.2.3 | <25.0 |
show Pip solves a security vulnerability that previously allowed maliciously crafted wheel files to execute unauthorized code during installation. |
| Sphinx | 1.8.5 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
| Sphinx | 1.8.5 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
| Sphinx | 1.8.5 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
| Sphinx | 1.8.5 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
| jupyterlab | 1.2.1 | <3.0.8 |
show Jupyterlab 3.0.8 updates its dependency 'marked' to v2.0.0 to address a vulnerability. See also <https://github.com/jupyterlab/jupyterlab/pull/9809>. |
| jupyterlab | 1.2.1 | >=3.1.0a0,<3.1.4 , >=3.0.0a0,<3.0.17 , >=2.3.0a0,<2.3.2 , >=2.2.0a0,<2.2.10 , <1.2.21 |
show Jupyterlab versions 3.1.4, 3.0.17, 2.3.2, 2.2.10 and 1.2.21 include a fix for CVE-2021-32797: In affected versions, an untrusted notebook can execute code on load. In particular, jupyterlab doesn’t sanitize the action attribute of html "<form>". Using this it is possible to trigger the form validation outside of the form itself. This is a remote code execution, but requires user action to open a notebook. https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4952-p58q-6crx https://github.com/jupyterlab/jupyterlab/commit/504825938c0abfa2fb8ff8d529308830a5ae42ed |
| jupyterlab | 1.2.1 | >=4.0.0,<=4.0.10 , <=3.6.6 |
show CVE-2024-22421 is a vulnerability in Jupyter Notebook where clicking a malicious link could expose Authorization and XSRFToken tokens to third parties in older jupyter-server versions. Patched versions include JupyterLab 4.1.0b2, 4.0.11, and 3.6.7. Users are advised to upgrade jupyter-server to version 2.7.2 or newer, which includes a fix for a redirect vulnerability. No other workaround has been identified. https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-44cc-43rp-5947 |
| jupyterlab | 1.2.1 | <3.1.0 |
show Jupyterlab 3.1.0 upgrades the 'marked' dependency to fix a vulnerability. |
| jupyterlab | 1.2.1 | <3.1.0b2 |
show Jupyterlab 3.1.0b2 upgrades the 'marked' underlying dependency from '@jupyterlab/rendermime' with a known security vulnerability. |
| jupyterlab | 1.2.1 | <=3.6.7 , >=4.0.0a0,<=4.2.4 |
show JupyterLab is vulnerable to HTML injection, leading to DOM Clobbering, which allows attackers to access sensitive data and perform arbitrary actions as the compromised user. This vulnerability occurs when a user opens a malicious notebook with Markdown cells or a Markdown file in JupyterLab. |
pyup-update-jupyterlab-1.2.1-to-3.2.2
3 years, 10 months ago
Update jupyterlab from 1.2.1 to 3.2.2
pip 19.2.3, Sphinx 1.8.5 and twine 1.14.0 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| pip | 19.2.3 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
| pip | 19.2.3 | <21.1 |
show An issue was discovered in Pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). A warning was added about this behavior in version 21.1. NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. |
| pip | 19.2.3 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. |
| pip | 19.2.3 | <23.3 |
show Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. |
| pip | 19.2.3 | <25.0 |
show Pip solves a security vulnerability that previously allowed maliciously crafted wheel files to execute unauthorized code during installation. |
| Sphinx | 1.8.5 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
| Sphinx | 1.8.5 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
| Sphinx | 1.8.5 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
| Sphinx | 1.8.5 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
| twine | 1.14.0 | <2.0.0 |
show Twine 2.0.0 updates requests to 2.20 (or later) to include a security fix. |
pyup-update-twine-1.14.0-to-3.5.0
3 years, 10 months ago
Update twine from 1.14.0 to 3.5.0
pip 19.2.3, Sphinx 1.8.5 and jupyterlab 1.2.1 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| pip | 19.2.3 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
| pip | 19.2.3 | <21.1 |
show An issue was discovered in Pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). A warning was added about this behavior in version 21.1. NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. |
| pip | 19.2.3 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. |
| pip | 19.2.3 | <23.3 |
show Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. |
| pip | 19.2.3 | <25.0 |
show Pip solves a security vulnerability that previously allowed maliciously crafted wheel files to execute unauthorized code during installation. |
| Sphinx | 1.8.5 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
| Sphinx | 1.8.5 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
| Sphinx | 1.8.5 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
| Sphinx | 1.8.5 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
| jupyterlab | 1.2.1 | <3.0.8 |
show Jupyterlab 3.0.8 updates its dependency 'marked' to v2.0.0 to address a vulnerability. See also <https://github.com/jupyterlab/jupyterlab/pull/9809>. |
| jupyterlab | 1.2.1 | >=3.1.0a0,<3.1.4 , >=3.0.0a0,<3.0.17 , >=2.3.0a0,<2.3.2 , >=2.2.0a0,<2.2.10 , <1.2.21 |
show Jupyterlab versions 3.1.4, 3.0.17, 2.3.2, 2.2.10 and 1.2.21 include a fix for CVE-2021-32797: In affected versions, an untrusted notebook can execute code on load. In particular, jupyterlab doesn’t sanitize the action attribute of html "<form>". Using this it is possible to trigger the form validation outside of the form itself. This is a remote code execution, but requires user action to open a notebook. https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4952-p58q-6crx https://github.com/jupyterlab/jupyterlab/commit/504825938c0abfa2fb8ff8d529308830a5ae42ed |
| jupyterlab | 1.2.1 | >=4.0.0,<=4.0.10 , <=3.6.6 |
show CVE-2024-22421 is a vulnerability in Jupyter Notebook where clicking a malicious link could expose Authorization and XSRFToken tokens to third parties in older jupyter-server versions. Patched versions include JupyterLab 4.1.0b2, 4.0.11, and 3.6.7. Users are advised to upgrade jupyter-server to version 2.7.2 or newer, which includes a fix for a redirect vulnerability. No other workaround has been identified. https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-44cc-43rp-5947 |
| jupyterlab | 1.2.1 | <3.1.0 |
show Jupyterlab 3.1.0 upgrades the 'marked' dependency to fix a vulnerability. |
| jupyterlab | 1.2.1 | <3.1.0b2 |
show Jupyterlab 3.1.0b2 upgrades the 'marked' underlying dependency from '@jupyterlab/rendermime' with a known security vulnerability. |
| jupyterlab | 1.2.1 | <=3.6.7 , >=4.0.0a0,<=4.2.4 |
show JupyterLab is vulnerable to HTML injection, leading to DOM Clobbering, which allows attackers to access sensitive data and perform arbitrary actions as the compromised user. This vulnerability occurs when a user opens a malicious notebook with Markdown cells or a Markdown file in JupyterLab. |
pyup-update-coverage-4.5.4-to-6.1.1
3 years, 10 months ago
Update coverage from 4.5.4 to 6.1.1
pip 19.2.3, Sphinx 1.8.5 and 2 other dependencies have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| pip | 19.2.3 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
| pip | 19.2.3 | <21.1 |
show An issue was discovered in Pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). A warning was added about this behavior in version 21.1. NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. |
| pip | 19.2.3 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. |
| pip | 19.2.3 | <23.3 |
show Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. |
| pip | 19.2.3 | <25.0 |
show Pip solves a security vulnerability that previously allowed maliciously crafted wheel files to execute unauthorized code during installation. |
| Sphinx | 1.8.5 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
| Sphinx | 1.8.5 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
| Sphinx | 1.8.5 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
| Sphinx | 1.8.5 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
| twine | 1.14.0 | <2.0.0 |
show Twine 2.0.0 updates requests to 2.20 (or later) to include a security fix. |
| jupyterlab | 1.2.1 | <3.0.8 |
show Jupyterlab 3.0.8 updates its dependency 'marked' to v2.0.0 to address a vulnerability. See also <https://github.com/jupyterlab/jupyterlab/pull/9809>. |
| jupyterlab | 1.2.1 | >=3.1.0a0,<3.1.4 , >=3.0.0a0,<3.0.17 , >=2.3.0a0,<2.3.2 , >=2.2.0a0,<2.2.10 , <1.2.21 |
show Jupyterlab versions 3.1.4, 3.0.17, 2.3.2, 2.2.10 and 1.2.21 include a fix for CVE-2021-32797: In affected versions, an untrusted notebook can execute code on load. In particular, jupyterlab doesn’t sanitize the action attribute of html "<form>". Using this it is possible to trigger the form validation outside of the form itself. This is a remote code execution, but requires user action to open a notebook. https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4952-p58q-6crx https://github.com/jupyterlab/jupyterlab/commit/504825938c0abfa2fb8ff8d529308830a5ae42ed |
| jupyterlab | 1.2.1 | >=4.0.0,<=4.0.10 , <=3.6.6 |
show CVE-2024-22421 is a vulnerability in Jupyter Notebook where clicking a malicious link could expose Authorization and XSRFToken tokens to third parties in older jupyter-server versions. Patched versions include JupyterLab 4.1.0b2, 4.0.11, and 3.6.7. Users are advised to upgrade jupyter-server to version 2.7.2 or newer, which includes a fix for a redirect vulnerability. No other workaround has been identified. https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-44cc-43rp-5947 |
| jupyterlab | 1.2.1 | <3.1.0 |
show Jupyterlab 3.1.0 upgrades the 'marked' dependency to fix a vulnerability. |
| jupyterlab | 1.2.1 | <3.1.0b2 |
show Jupyterlab 3.1.0b2 upgrades the 'marked' underlying dependency from '@jupyterlab/rendermime' with a known security vulnerability. |
| jupyterlab | 1.2.1 | <=3.6.7 , >=4.0.0a0,<=4.2.4 |
show JupyterLab is vulnerable to HTML injection, leading to DOM Clobbering, which allows attackers to access sensitive data and perform arbitrary actions as the compromised user. This vulnerability occurs when a user opens a malicious notebook with Markdown cells or a Markdown file in JupyterLab. |
pyup-update-coverage-4.5.4-to-6.1
3 years, 10 months ago
Update coverage from 4.5.4 to 6.1
pip 19.2.3, Sphinx 1.8.5 and 2 other dependencies have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| pip | 19.2.3 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
| pip | 19.2.3 | <21.1 |
show An issue was discovered in Pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). A warning was added about this behavior in version 21.1. NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. |
| pip | 19.2.3 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. |
| pip | 19.2.3 | <23.3 |
show Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. |
| pip | 19.2.3 | <25.0 |
show Pip solves a security vulnerability that previously allowed maliciously crafted wheel files to execute unauthorized code during installation. |
| Sphinx | 1.8.5 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
| Sphinx | 1.8.5 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
| Sphinx | 1.8.5 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
| Sphinx | 1.8.5 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
| twine | 1.14.0 | <2.0.0 |
show Twine 2.0.0 updates requests to 2.20 (or later) to include a security fix. |
| jupyterlab | 1.2.1 | <3.0.8 |
show Jupyterlab 3.0.8 updates its dependency 'marked' to v2.0.0 to address a vulnerability. See also <https://github.com/jupyterlab/jupyterlab/pull/9809>. |
| jupyterlab | 1.2.1 | >=3.1.0a0,<3.1.4 , >=3.0.0a0,<3.0.17 , >=2.3.0a0,<2.3.2 , >=2.2.0a0,<2.2.10 , <1.2.21 |
show Jupyterlab versions 3.1.4, 3.0.17, 2.3.2, 2.2.10 and 1.2.21 include a fix for CVE-2021-32797: In affected versions, an untrusted notebook can execute code on load. In particular, jupyterlab doesn’t sanitize the action attribute of html "<form>". Using this it is possible to trigger the form validation outside of the form itself. This is a remote code execution, but requires user action to open a notebook. https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4952-p58q-6crx https://github.com/jupyterlab/jupyterlab/commit/504825938c0abfa2fb8ff8d529308830a5ae42ed |
| jupyterlab | 1.2.1 | >=4.0.0,<=4.0.10 , <=3.6.6 |
show CVE-2024-22421 is a vulnerability in Jupyter Notebook where clicking a malicious link could expose Authorization and XSRFToken tokens to third parties in older jupyter-server versions. Patched versions include JupyterLab 4.1.0b2, 4.0.11, and 3.6.7. Users are advised to upgrade jupyter-server to version 2.7.2 or newer, which includes a fix for a redirect vulnerability. No other workaround has been identified. https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-44cc-43rp-5947 |
| jupyterlab | 1.2.1 | <3.1.0 |
show Jupyterlab 3.1.0 upgrades the 'marked' dependency to fix a vulnerability. |
| jupyterlab | 1.2.1 | <3.1.0b2 |
show Jupyterlab 3.1.0b2 upgrades the 'marked' underlying dependency from '@jupyterlab/rendermime' with a known security vulnerability. |
| jupyterlab | 1.2.1 | <=3.6.7 , >=4.0.0a0,<=4.2.4 |
show JupyterLab is vulnerable to HTML injection, leading to DOM Clobbering, which allows attackers to access sensitive data and perform arbitrary actions as the compromised user. This vulnerability occurs when a user opens a malicious notebook with Markdown cells or a Markdown file in JupyterLab. |
pyup-update-pip-19.2.3-to-21.3.1
3 years, 11 months ago
Update pip from 19.2.3 to 21.3.1
Sphinx 1.8.5, twine 1.14.0 and jupyterlab 1.2.1 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| Sphinx | 1.8.5 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
| Sphinx | 1.8.5 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
| Sphinx | 1.8.5 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
| Sphinx | 1.8.5 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
| twine | 1.14.0 | <2.0.0 |
show Twine 2.0.0 updates requests to 2.20 (or later) to include a security fix. |
| jupyterlab | 1.2.1 | <3.0.8 |
show Jupyterlab 3.0.8 updates its dependency 'marked' to v2.0.0 to address a vulnerability. See also <https://github.com/jupyterlab/jupyterlab/pull/9809>. |
| jupyterlab | 1.2.1 | >=3.1.0a0,<3.1.4 , >=3.0.0a0,<3.0.17 , >=2.3.0a0,<2.3.2 , >=2.2.0a0,<2.2.10 , <1.2.21 |
show Jupyterlab versions 3.1.4, 3.0.17, 2.3.2, 2.2.10 and 1.2.21 include a fix for CVE-2021-32797: In affected versions, an untrusted notebook can execute code on load. In particular, jupyterlab doesn’t sanitize the action attribute of html "<form>". Using this it is possible to trigger the form validation outside of the form itself. This is a remote code execution, but requires user action to open a notebook. https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4952-p58q-6crx https://github.com/jupyterlab/jupyterlab/commit/504825938c0abfa2fb8ff8d529308830a5ae42ed |
| jupyterlab | 1.2.1 | >=4.0.0,<=4.0.10 , <=3.6.6 |
show CVE-2024-22421 is a vulnerability in Jupyter Notebook where clicking a malicious link could expose Authorization and XSRFToken tokens to third parties in older jupyter-server versions. Patched versions include JupyterLab 4.1.0b2, 4.0.11, and 3.6.7. Users are advised to upgrade jupyter-server to version 2.7.2 or newer, which includes a fix for a redirect vulnerability. No other workaround has been identified. https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-44cc-43rp-5947 |
| jupyterlab | 1.2.1 | <3.1.0 |
show Jupyterlab 3.1.0 upgrades the 'marked' dependency to fix a vulnerability. |
| jupyterlab | 1.2.1 | <3.1.0b2 |
show Jupyterlab 3.1.0b2 upgrades the 'marked' underlying dependency from '@jupyterlab/rendermime' with a known security vulnerability. |
| jupyterlab | 1.2.1 | <=3.6.7 , >=4.0.0a0,<=4.2.4 |
show JupyterLab is vulnerable to HTML injection, leading to DOM Clobbering, which allows attackers to access sensitive data and perform arbitrary actions as the compromised user. This vulnerability occurs when a user opens a malicious notebook with Markdown cells or a Markdown file in JupyterLab. |
pyup-update-jupyterlab-1.2.1-to-3.2.1
3 years, 11 months ago
Update jupyterlab from 1.2.1 to 3.2.1
pip 19.2.3, Sphinx 1.8.5 and twine 1.14.0 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| pip | 19.2.3 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
| pip | 19.2.3 | <21.1 |
show An issue was discovered in Pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). A warning was added about this behavior in version 21.1. NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. |
| pip | 19.2.3 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. |
| pip | 19.2.3 | <23.3 |
show Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. |
| pip | 19.2.3 | <25.0 |
show Pip solves a security vulnerability that previously allowed maliciously crafted wheel files to execute unauthorized code during installation. |
| Sphinx | 1.8.5 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
| Sphinx | 1.8.5 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
| Sphinx | 1.8.5 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
| Sphinx | 1.8.5 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
| twine | 1.14.0 | <2.0.0 |
show Twine 2.0.0 updates requests to 2.20 (or later) to include a security fix. |
pyup-update-jupyterlab-1.2.1-to-3.2.0
3 years, 11 months ago
Update jupyterlab from 1.2.1 to 3.2.0
pip 19.2.3, Sphinx 1.8.5 and twine 1.14.0 have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| pip | 19.2.3 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
| pip | 19.2.3 | <21.1 |
show An issue was discovered in Pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). A warning was added about this behavior in version 21.1. NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. |
| pip | 19.2.3 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. |
| pip | 19.2.3 | <23.3 |
show Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. |
| pip | 19.2.3 | <25.0 |
show Pip solves a security vulnerability that previously allowed maliciously crafted wheel files to execute unauthorized code during installation. |
| Sphinx | 1.8.5 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
| Sphinx | 1.8.5 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
| Sphinx | 1.8.5 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
| Sphinx | 1.8.5 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
| twine | 1.14.0 | <2.0.0 |
show Twine 2.0.0 updates requests to 2.20 (or later) to include a security fix. |
pyup-update-pandas-0.25.3-to-1.3.4
3 years, 11 months ago
Update pandas from 0.25.3 to 1.3.4
pip 19.2.3, Sphinx 1.8.5 and 2 other dependencies have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| pip | 19.2.3 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
| pip | 19.2.3 | <21.1 |
show An issue was discovered in Pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). A warning was added about this behavior in version 21.1. NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. |
| pip | 19.2.3 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. |
| pip | 19.2.3 | <23.3 |
show Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. |
| pip | 19.2.3 | <25.0 |
show Pip solves a security vulnerability that previously allowed maliciously crafted wheel files to execute unauthorized code during installation. |
| Sphinx | 1.8.5 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
| Sphinx | 1.8.5 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
| Sphinx | 1.8.5 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
| Sphinx | 1.8.5 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
| twine | 1.14.0 | <2.0.0 |
show Twine 2.0.0 updates requests to 2.20 (or later) to include a security fix. |
| jupyterlab | 1.2.1 | <3.0.8 |
show Jupyterlab 3.0.8 updates its dependency 'marked' to v2.0.0 to address a vulnerability. See also <https://github.com/jupyterlab/jupyterlab/pull/9809>. |
| jupyterlab | 1.2.1 | >=3.1.0a0,<3.1.4 , >=3.0.0a0,<3.0.17 , >=2.3.0a0,<2.3.2 , >=2.2.0a0,<2.2.10 , <1.2.21 |
show Jupyterlab versions 3.1.4, 3.0.17, 2.3.2, 2.2.10 and 1.2.21 include a fix for CVE-2021-32797: In affected versions, an untrusted notebook can execute code on load. In particular, jupyterlab doesn’t sanitize the action attribute of html "<form>". Using this it is possible to trigger the form validation outside of the form itself. This is a remote code execution, but requires user action to open a notebook. https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4952-p58q-6crx https://github.com/jupyterlab/jupyterlab/commit/504825938c0abfa2fb8ff8d529308830a5ae42ed |
| jupyterlab | 1.2.1 | >=4.0.0,<=4.0.10 , <=3.6.6 |
show CVE-2024-22421 is a vulnerability in Jupyter Notebook where clicking a malicious link could expose Authorization and XSRFToken tokens to third parties in older jupyter-server versions. Patched versions include JupyterLab 4.1.0b2, 4.0.11, and 3.6.7. Users are advised to upgrade jupyter-server to version 2.7.2 or newer, which includes a fix for a redirect vulnerability. No other workaround has been identified. https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-44cc-43rp-5947 |
| jupyterlab | 1.2.1 | <3.1.0 |
show Jupyterlab 3.1.0 upgrades the 'marked' dependency to fix a vulnerability. |
| jupyterlab | 1.2.1 | <3.1.0b2 |
show Jupyterlab 3.1.0b2 upgrades the 'marked' underlying dependency from '@jupyterlab/rendermime' with a known security vulnerability. |
| jupyterlab | 1.2.1 | <=3.6.7 , >=4.0.0a0,<=4.2.4 |
show JupyterLab is vulnerable to HTML injection, leading to DOM Clobbering, which allows attackers to access sensitive data and perform arbitrary actions as the compromised user. This vulnerability occurs when a user opens a malicious notebook with Markdown cells or a Markdown file in JupyterLab. |
pyup-update-coverage-4.5.4-to-6.0.2
3 years, 11 months ago
Update coverage from 4.5.4 to 6.0.2
pip 19.2.3, Sphinx 1.8.5 and 2 other dependencies have known security vulnerabilities.
| Package | Installed | Affected | Info |
|---|---|---|---|
| pip | 19.2.3 | <21.1 |
show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues. |
| pip | 19.2.3 | <21.1 |
show An issue was discovered in Pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). A warning was added about this behavior in version 21.1. NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. |
| pip | 19.2.3 | <21.1 |
show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. |
| pip | 19.2.3 | <23.3 |
show Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. |
| pip | 19.2.3 | <25.0 |
show Pip solves a security vulnerability that previously allowed maliciously crafted wheel files to execute unauthorized code during installation. |
| Sphinx | 1.8.5 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
| Sphinx | 1.8.5 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2 |
| Sphinx | 1.8.5 | <3.3.0 |
show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417 |
| Sphinx | 1.8.5 | <3.0.4 |
show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons. |
| twine | 1.14.0 | <2.0.0 |
show Twine 2.0.0 updates requests to 2.20 (or later) to include a security fix. |
| jupyterlab | 1.2.1 | <3.0.8 |
show Jupyterlab 3.0.8 updates its dependency 'marked' to v2.0.0 to address a vulnerability. See also <https://github.com/jupyterlab/jupyterlab/pull/9809>. |
| jupyterlab | 1.2.1 | >=3.1.0a0,<3.1.4 , >=3.0.0a0,<3.0.17 , >=2.3.0a0,<2.3.2 , >=2.2.0a0,<2.2.10 , <1.2.21 |
show Jupyterlab versions 3.1.4, 3.0.17, 2.3.2, 2.2.10 and 1.2.21 include a fix for CVE-2021-32797: In affected versions, an untrusted notebook can execute code on load. In particular, jupyterlab doesn’t sanitize the action attribute of html "<form>". Using this it is possible to trigger the form validation outside of the form itself. This is a remote code execution, but requires user action to open a notebook. https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4952-p58q-6crx https://github.com/jupyterlab/jupyterlab/commit/504825938c0abfa2fb8ff8d529308830a5ae42ed |
| jupyterlab | 1.2.1 | >=4.0.0,<=4.0.10 , <=3.6.6 |
show CVE-2024-22421 is a vulnerability in Jupyter Notebook where clicking a malicious link could expose Authorization and XSRFToken tokens to third parties in older jupyter-server versions. Patched versions include JupyterLab 4.1.0b2, 4.0.11, and 3.6.7. Users are advised to upgrade jupyter-server to version 2.7.2 or newer, which includes a fix for a redirect vulnerability. No other workaround has been identified. https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-44cc-43rp-5947 |
| jupyterlab | 1.2.1 | <3.1.0 |
show Jupyterlab 3.1.0 upgrades the 'marked' dependency to fix a vulnerability. |
| jupyterlab | 1.2.1 | <3.1.0b2 |
show Jupyterlab 3.1.0b2 upgrades the 'marked' underlying dependency from '@jupyterlab/rendermime' with a known security vulnerability. |
| jupyterlab | 1.2.1 | <=3.6.7 , >=4.0.0a0,<=4.2.4 |
show JupyterLab is vulnerable to HTML injection, leading to DOM Clobbering, which allows attackers to access sensitive data and perform arbitrary actions as the compromised user. This vulnerability occurs when a user opens a malicious notebook with Markdown cells or a Markdown file in JupyterLab. |
Python 3 badge
URL
https://pyup.io/repos/github/andrewm4894/am4894dev/python-3-shield.svg
Markdown
[](https://pyup.io/repos/github/andrewm4894/am4894dev/)
Restructured Text
.. image:: https://pyup.io/repos/github/andrewm4894/am4894dev/python-3-shield.svg
:target: https://pyup.io/repos/github/andrewm4894/am4894dev/
:alt: Python 3
HTML
<a href="https://pyup.io/repos/github/andrewm4894/am4894dev/"><img src="https://pyup.io/repos/github/andrewm4894/am4894dev/shield.svg" alt="Python 3" /></a>
Textile
!https://pyup.io/repos/github/andrewm4894/am4894dev/python-3-shield.svg(Python 3)!:https://pyup.io/repos/github/andrewm4894/am4894dev/
RDoc
{<img src="https://pyup.io/repos/github/andrewm4894/am4894dev/python-3-shield.svg" alt="Python 3" />}[https://pyup.io/repos/github/andrewm4894/am4894dev/]
pyup.io badge
URL
https://pyup.io/repos/github/andrewm4894/am4894dev/shield.svg
Markdown
[](https://pyup.io/repos/github/andrewm4894/am4894dev/)
Restructured Text
.. image:: https://pyup.io/repos/github/andrewm4894/am4894dev/shield.svg
:target: https://pyup.io/repos/github/andrewm4894/am4894dev/
:alt: Updates
HTML
<a href="https://pyup.io/repos/github/andrewm4894/am4894dev/"><img src="https://pyup.io/repos/github/andrewm4894/am4894dev/shield.svg" alt="Updates" /></a>
Textile
!https://pyup.io/repos/github/andrewm4894/am4894dev/shield.svg(Updates)!:https://pyup.io/repos/github/andrewm4894/am4894dev/
RDoc
{<img src="https://pyup.io/repos/github/andrewm4894/am4894dev/shield.svg" alt="Updates" />}[https://pyup.io/repos/github/andrewm4894/am4894dev/]