Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'.
https://github.com/pallets/click/issues/1752

** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.

Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.

Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages

Pytest-runner depends on deprecated features of setuptools and relies on features that break security mechanisms in pip. For example ‘setup_requires’ and ‘tests_require’ bypass pip --require-hashes. See also pypa/setuptools#1684.
It is recommended that you:
- Remove 'pytest-runner' from your setup_requires, preferably removing the setup_requires option.
- Remove 'pytest' and any other testing requirements from tests_require, preferably removing the tests_requires option.
- Select a tool to bootstrap and then run tests such as tox.
https://github.com/pytest-dev/pytest-runner/blob/289a77b179535d8137118e3b8591d9e727130d6d/README.rst

Opencv-python 4.8.1.78 updates its bundled dependency 'libwebp' to include a fix for a high risk vulnerability. Only mac OS X wheels on PyPI were affected.
https://github.com/opencv/opencv-python/releases/tag/78

Opencv-python 3.4.18 and 4.6.0 pin its dependency 'libpng' to v1.6.37 to include a security fix.

Opencv-python 4.7.0 updates its C dependency 'zlib' to v1.2.13 to include a security fix.

Opencv-python 4.7.0 updates its C dependency 'FFmpeg' to v5.1.2 to include a security fix.

Opencv-python 4.7.0 updates its dependency 'OpenSSL' to v1.1.1s to include security fixes.

Opencv-python 3.4.18 and 4.6.0 update its dependency 'openssl' to v1_1_1o to include security fixes.

Opencv-python 4.7.0 updates its dependency 'OpenSSL' to v1.1.1s to include security fixes.

Opencv-python 3.4.18 and 4.6.0 update its dependency 'openssl' to v1_1_1o to include security fixes.

OpenCV's wechat_qrcode module, specifically versions up to 4.7.0, has a significant vulnerability affecting the DecodedBitStreamParser::decodeHanziSegment function within the qrcode/decoder/decoded_bit_stream_parser.cpp file. This vulnerability can cause a memory leak. The potential attack can be executed remotely. To rectify this issue, it's advisable to apply a patch named 2b62ff6181163eea029ed1cab11363b4996e9cd6.
https://github.com/opencv/opencv_contrib/pull/3484/commits/2b62ff6181163eea029ed1cab11363b4996e9cd6

Opencv-python 3.4.18 and 4.6.0 pin its dependency 'freetype' to v2.12.1 to include a security fix.

The OpenCV wechat_qrcode module, versions up to 4.7.0, contains a critical vulnerability affecting the DecodedBitStreamParser::decodeByteSegment function in the qrcode/decoder/decoded_bit_stream_parser.cpp file. This vulnerability, if exploited, could lead to a null pointer dereference. Attackers can potentially launch this attack remotely.
https://github.com/opencv/opencv_contrib/pull/3480

Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'.
https://github.com/pallets/click/issues/1752

** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.

Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.

Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages

Pytest-runner depends on deprecated features of setuptools and relies on features that break security mechanisms in pip. For example ‘setup_requires’ and ‘tests_require’ bypass pip --require-hashes. See also pypa/setuptools#1684.
It is recommended that you:
- Remove 'pytest-runner' from your setup_requires, preferably removing the setup_requires option.
- Remove 'pytest' and any other testing requirements from tests_require, preferably removing the tests_requires option.
- Select a tool to bootstrap and then run tests such as tox.
https://github.com/pytest-dev/pytest-runner/blob/289a77b179535d8137118e3b8591d9e727130d6d/README.rst

Opencv-python 4.8.1.78 updates its bundled dependency 'libwebp' to include a fix for a high risk vulnerability. Only mac OS X wheels on PyPI were affected.
https://github.com/opencv/opencv-python/releases/tag/78

Opencv-python 3.4.18 and 4.6.0 pin its dependency 'libpng' to v1.6.37 to include a security fix.

Opencv-python 4.7.0 updates its C dependency 'zlib' to v1.2.13 to include a security fix.

Opencv-python 4.7.0 updates its C dependency 'FFmpeg' to v5.1.2 to include a security fix.

Opencv-python 4.7.0 updates its dependency 'OpenSSL' to v1.1.1s to include security fixes.

Opencv-python 3.4.18 and 4.6.0 update its dependency 'openssl' to v1_1_1o to include security fixes.

Opencv-python 4.7.0 updates its dependency 'OpenSSL' to v1.1.1s to include security fixes.

Opencv-python 3.4.18 and 4.6.0 update its dependency 'openssl' to v1_1_1o to include security fixes.

OpenCV's wechat_qrcode module, specifically versions up to 4.7.0, has a significant vulnerability affecting the DecodedBitStreamParser::decodeHanziSegment function within the qrcode/decoder/decoded_bit_stream_parser.cpp file. This vulnerability can cause a memory leak. The potential attack can be executed remotely. To rectify this issue, it's advisable to apply a patch named 2b62ff6181163eea029ed1cab11363b4996e9cd6.
https://github.com/opencv/opencv_contrib/pull/3484/commits/2b62ff6181163eea029ed1cab11363b4996e9cd6

Opencv-python 3.4.18 and 4.6.0 pin its dependency 'freetype' to v2.12.1 to include a security fix.

The OpenCV wechat_qrcode module, versions up to 4.7.0, contains a critical vulnerability affecting the DecodedBitStreamParser::decodeByteSegment function in the qrcode/decoder/decoded_bit_stream_parser.cpp file. This vulnerability, if exploited, could lead to a null pointer dereference. Attackers can potentially launch this attack remotely.
https://github.com/opencv/opencv_contrib/pull/3480

Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'.
https://github.com/pallets/click/issues/1752

** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.

Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.

Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages

Pytest-runner depends on deprecated features of setuptools and relies on features that break security mechanisms in pip. For example ‘setup_requires’ and ‘tests_require’ bypass pip --require-hashes. See also pypa/setuptools#1684.
It is recommended that you:
- Remove 'pytest-runner' from your setup_requires, preferably removing the setup_requires option.
- Remove 'pytest' and any other testing requirements from tests_require, preferably removing the tests_requires option.
- Select a tool to bootstrap and then run tests such as tox.
https://github.com/pytest-dev/pytest-runner/blob/289a77b179535d8137118e3b8591d9e727130d6d/README.rst

Opencv-python 4.8.1.78 updates its bundled dependency 'libwebp' to include a fix for a high risk vulnerability. Only mac OS X wheels on PyPI were affected.
https://github.com/opencv/opencv-python/releases/tag/78

Opencv-python 3.4.18 and 4.6.0 pin its dependency 'libpng' to v1.6.37 to include a security fix.

Opencv-python 4.7.0 updates its C dependency 'zlib' to v1.2.13 to include a security fix.

Opencv-python 4.7.0 updates its C dependency 'FFmpeg' to v5.1.2 to include a security fix.

Opencv-python 4.7.0 updates its dependency 'OpenSSL' to v1.1.1s to include security fixes.

Opencv-python 3.4.18 and 4.6.0 update its dependency 'openssl' to v1_1_1o to include security fixes.

Opencv-python 4.7.0 updates its dependency 'OpenSSL' to v1.1.1s to include security fixes.

Opencv-python 3.4.18 and 4.6.0 update its dependency 'openssl' to v1_1_1o to include security fixes.

OpenCV's wechat_qrcode module, specifically versions up to 4.7.0, has a significant vulnerability affecting the DecodedBitStreamParser::decodeHanziSegment function within the qrcode/decoder/decoded_bit_stream_parser.cpp file. This vulnerability can cause a memory leak. The potential attack can be executed remotely. To rectify this issue, it's advisable to apply a patch named 2b62ff6181163eea029ed1cab11363b4996e9cd6.
https://github.com/opencv/opencv_contrib/pull/3484/commits/2b62ff6181163eea029ed1cab11363b4996e9cd6

Opencv-python 3.4.18 and 4.6.0 pin its dependency 'freetype' to v2.12.1 to include a security fix.

The OpenCV wechat_qrcode module, versions up to 4.7.0, contains a critical vulnerability affecting the DecodedBitStreamParser::decodeByteSegment function in the qrcode/decoder/decoded_bit_stream_parser.cpp file. This vulnerability, if exploited, could lead to a null pointer dereference. Attackers can potentially launch this attack remotely.
https://github.com/opencv/opencv_contrib/pull/3480

Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'.
https://github.com/pallets/click/issues/1752

** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.

Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.

Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory.
https://github.com/sphinx-doc/sphinx/issues/8175
https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2

Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring.
https://github.com/sphinx-doc/sphinx/issues/8172
https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417

Pytest-runner depends on deprecated features of setuptools and relies on features that break security mechanisms in pip. For example ‘setup_requires’ and ‘tests_require’ bypass pip --require-hashes. See also pypa/setuptools#1684.
It is recommended that you:
- Remove 'pytest-runner' from your setup_requires, preferably removing the setup_requires option.
- Remove 'pytest' and any other testing requirements from tests_require, preferably removing the tests_requires option.
- Select a tool to bootstrap and then run tests such as tox.
https://github.com/pytest-dev/pytest-runner/blob/289a77b179535d8137118e3b8591d9e727130d6d/README.rst

Opencv-python 4.8.1.78 updates its bundled dependency 'libwebp' to include a fix for a high risk vulnerability. Only mac OS X wheels on PyPI were affected.
https://github.com/opencv/opencv-python/releases/tag/78

Opencv-python 3.4.18 and 4.6.0 pin its dependency 'libpng' to v1.6.37 to include a security fix.

Opencv-python 4.7.0 updates its C dependency 'zlib' to v1.2.13 to include a security fix.

Opencv-python 4.7.0 updates its C dependency 'FFmpeg' to v5.1.2 to include a security fix.

Opencv-python 4.7.0 updates its dependency 'OpenSSL' to v1.1.1s to include security fixes.

Opencv-python 3.4.18 and 4.6.0 update its dependency 'openssl' to v1_1_1o to include security fixes.

Opencv-python 4.7.0 updates its dependency 'OpenSSL' to v1.1.1s to include security fixes.

Opencv-python 3.4.18 and 4.6.0 update its dependency 'openssl' to v1_1_1o to include security fixes.

OpenCV's wechat_qrcode module, specifically versions up to 4.7.0, has a significant vulnerability affecting the DecodedBitStreamParser::decodeHanziSegment function within the qrcode/decoder/decoded_bit_stream_parser.cpp file. This vulnerability can cause a memory leak. The potential attack can be executed remotely. To rectify this issue, it's advisable to apply a patch named 2b62ff6181163eea029ed1cab11363b4996e9cd6.
https://github.com/opencv/opencv_contrib/pull/3484/commits/2b62ff6181163eea029ed1cab11363b4996e9cd6

Opencv-python 3.4.18 and 4.6.0 pin its dependency 'freetype' to v2.12.1 to include a security fix.

The OpenCV wechat_qrcode module, versions up to 4.7.0, contains a critical vulnerability affecting the DecodedBitStreamParser::decodeByteSegment function in the qrcode/decoder/decoded_bit_stream_parser.cpp file. This vulnerability, if exploited, could lead to a null pointer dereference. Attackers can potentially launch this attack remotely.
https://github.com/opencv/opencv_contrib/pull/3480

Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'.
https://github.com/pallets/click/issues/1752

Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages

Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory.
https://github.com/sphinx-doc/sphinx/issues/8175
https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2

Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring.
https://github.com/sphinx-doc/sphinx/issues/8172
https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417

Pytest-runner depends on deprecated features of setuptools and relies on features that break security mechanisms in pip. For example ‘setup_requires’ and ‘tests_require’ bypass pip --require-hashes. See also pypa/setuptools#1684.
It is recommended that you:
- Remove 'pytest-runner' from your setup_requires, preferably removing the setup_requires option.
- Remove 'pytest' and any other testing requirements from tests_require, preferably removing the tests_requires option.
- Select a tool to bootstrap and then run tests such as tox.
https://github.com/pytest-dev/pytest-runner/blob/289a77b179535d8137118e3b8591d9e727130d6d/README.rst

Opencv-python 4.8.1.78 updates its bundled dependency 'libwebp' to include a fix for a high risk vulnerability. Only mac OS X wheels on PyPI were affected.
https://github.com/opencv/opencv-python/releases/tag/78

Opencv-python 3.4.18 and 4.6.0 pin its dependency 'libpng' to v1.6.37 to include a security fix.

Opencv-python 4.7.0 updates its C dependency 'zlib' to v1.2.13 to include a security fix.

Opencv-python 4.7.0 updates its C dependency 'FFmpeg' to v5.1.2 to include a security fix.

Opencv-python 4.7.0 updates its dependency 'OpenSSL' to v1.1.1s to include security fixes.

Opencv-python 3.4.18 and 4.6.0 update its dependency 'openssl' to v1_1_1o to include security fixes.

Opencv-python 4.7.0 updates its dependency 'OpenSSL' to v1.1.1s to include security fixes.

Opencv-python 3.4.18 and 4.6.0 update its dependency 'openssl' to v1_1_1o to include security fixes.

OpenCV's wechat_qrcode module, specifically versions up to 4.7.0, has a significant vulnerability affecting the DecodedBitStreamParser::decodeHanziSegment function within the qrcode/decoder/decoded_bit_stream_parser.cpp file. This vulnerability can cause a memory leak. The potential attack can be executed remotely. To rectify this issue, it's advisable to apply a patch named 2b62ff6181163eea029ed1cab11363b4996e9cd6.
https://github.com/opencv/opencv_contrib/pull/3484/commits/2b62ff6181163eea029ed1cab11363b4996e9cd6

Opencv-python 3.4.18 and 4.6.0 pin its dependency 'freetype' to v2.12.1 to include a security fix.

The OpenCV wechat_qrcode module, versions up to 4.7.0, contains a critical vulnerability affecting the DecodedBitStreamParser::decodeByteSegment function in the qrcode/decoder/decoded_bit_stream_parser.cpp file. This vulnerability, if exploited, could lead to a null pointer dereference. Attackers can potentially launch this attack remotely.
https://github.com/opencv/opencv_contrib/pull/3480

Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'.
https://github.com/pallets/click/issues/1752

** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.

Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.

Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages

Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory.
https://github.com/sphinx-doc/sphinx/issues/8175
https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2

Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring.
https://github.com/sphinx-doc/sphinx/issues/8172
https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417

Pytest-runner depends on deprecated features of setuptools and relies on features that break security mechanisms in pip. For example ‘setup_requires’ and ‘tests_require’ bypass pip --require-hashes. See also pypa/setuptools#1684.
It is recommended that you:
- Remove 'pytest-runner' from your setup_requires, preferably removing the setup_requires option.
- Remove 'pytest' and any other testing requirements from tests_require, preferably removing the tests_requires option.
- Select a tool to bootstrap and then run tests such as tox.
https://github.com/pytest-dev/pytest-runner/blob/289a77b179535d8137118e3b8591d9e727130d6d/README.rst

Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'.
https://github.com/pallets/click/issues/1752

Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages

Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory.
https://github.com/sphinx-doc/sphinx/issues/8175
https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2

Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring.
https://github.com/sphinx-doc/sphinx/issues/8172
https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417

Pytest-runner depends on deprecated features of setuptools and relies on features that break security mechanisms in pip. For example ‘setup_requires’ and ‘tests_require’ bypass pip --require-hashes. See also pypa/setuptools#1684.
It is recommended that you:
- Remove 'pytest-runner' from your setup_requires, preferably removing the setup_requires option.
- Remove 'pytest' and any other testing requirements from tests_require, preferably removing the tests_requires option.
- Select a tool to bootstrap and then run tests such as tox.
https://github.com/pytest-dev/pytest-runner/blob/289a77b179535d8137118e3b8591d9e727130d6d/README.rst

Opencv-python 4.8.1.78 updates its bundled dependency 'libwebp' to include a fix for a high risk vulnerability. Only mac OS X wheels on PyPI were affected.
https://github.com/opencv/opencv-python/releases/tag/78

Opencv-python 3.4.18 and 4.6.0 pin its dependency 'libpng' to v1.6.37 to include a security fix.

Opencv-python 4.7.0 updates its C dependency 'zlib' to v1.2.13 to include a security fix.

Opencv-python 4.7.0 updates its C dependency 'FFmpeg' to v5.1.2 to include a security fix.

Opencv-python 4.7.0 updates its dependency 'OpenSSL' to v1.1.1s to include security fixes.

Opencv-python 3.4.18 and 4.6.0 update its dependency 'openssl' to v1_1_1o to include security fixes.

Opencv-python 4.7.0 updates its dependency 'OpenSSL' to v1.1.1s to include security fixes.

Opencv-python 3.4.18 and 4.6.0 update its dependency 'openssl' to v1_1_1o to include security fixes.

OpenCV's wechat_qrcode module, specifically versions up to 4.7.0, has a significant vulnerability affecting the DecodedBitStreamParser::decodeHanziSegment function within the qrcode/decoder/decoded_bit_stream_parser.cpp file. This vulnerability can cause a memory leak. The potential attack can be executed remotely. To rectify this issue, it's advisable to apply a patch named 2b62ff6181163eea029ed1cab11363b4996e9cd6.
https://github.com/opencv/opencv_contrib/pull/3484/commits/2b62ff6181163eea029ed1cab11363b4996e9cd6

Opencv-python 3.4.18 and 4.6.0 pin its dependency 'freetype' to v2.12.1 to include a security fix.

The OpenCV wechat_qrcode module, versions up to 4.7.0, contains a critical vulnerability affecting the DecodedBitStreamParser::decodeByteSegment function in the qrcode/decoder/decoded_bit_stream_parser.cpp file. This vulnerability, if exploited, could lead to a null pointer dereference. Attackers can potentially launch this attack remotely.
https://github.com/opencv/opencv_contrib/pull/3480

Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'.
https://github.com/pallets/click/issues/1752

** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.

Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.

Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages

Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory.
https://github.com/sphinx-doc/sphinx/issues/8175
https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2

Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring.
https://github.com/sphinx-doc/sphinx/issues/8172
https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417

Pytest-runner depends on deprecated features of setuptools and relies on features that break security mechanisms in pip. For example ‘setup_requires’ and ‘tests_require’ bypass pip --require-hashes. See also pypa/setuptools#1684.
It is recommended that you:
- Remove 'pytest-runner' from your setup_requires, preferably removing the setup_requires option.
- Remove 'pytest' and any other testing requirements from tests_require, preferably removing the tests_requires option.
- Select a tool to bootstrap and then run tests such as tox.
https://github.com/pytest-dev/pytest-runner/blob/289a77b179535d8137118e3b8591d9e727130d6d/README.rst

Opencv-python 4.8.1.78 updates its bundled dependency 'libwebp' to include a fix for a high risk vulnerability. Only mac OS X wheels on PyPI were affected.
https://github.com/opencv/opencv-python/releases/tag/78

Opencv-python 3.4.18 and 4.6.0 pin its dependency 'libpng' to v1.6.37 to include a security fix.

Opencv-python 4.7.0 updates its C dependency 'zlib' to v1.2.13 to include a security fix.

Opencv-python 4.7.0 updates its C dependency 'FFmpeg' to v5.1.2 to include a security fix.

Opencv-python 4.7.0 updates its dependency 'OpenSSL' to v1.1.1s to include security fixes.

Opencv-python 3.4.18 and 4.6.0 update its dependency 'openssl' to v1_1_1o to include security fixes.

Opencv-python 4.7.0 updates its dependency 'OpenSSL' to v1.1.1s to include security fixes.

Opencv-python 3.4.18 and 4.6.0 update its dependency 'openssl' to v1_1_1o to include security fixes.

OpenCV's wechat_qrcode module, specifically versions up to 4.7.0, has a significant vulnerability affecting the DecodedBitStreamParser::decodeHanziSegment function within the qrcode/decoder/decoded_bit_stream_parser.cpp file. This vulnerability can cause a memory leak. The potential attack can be executed remotely. To rectify this issue, it's advisable to apply a patch named 2b62ff6181163eea029ed1cab11363b4996e9cd6.
https://github.com/opencv/opencv_contrib/pull/3484/commits/2b62ff6181163eea029ed1cab11363b4996e9cd6

Opencv-python 3.4.18 and 4.6.0 pin its dependency 'freetype' to v2.12.1 to include a security fix.

The OpenCV wechat_qrcode module, versions up to 4.7.0, contains a critical vulnerability affecting the DecodedBitStreamParser::decodeByteSegment function in the qrcode/decoder/decoded_bit_stream_parser.cpp file. This vulnerability, if exploited, could lead to a null pointer dereference. Attackers can potentially launch this attack remotely.
https://github.com/opencv/opencv_contrib/pull/3480

Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'.
https://github.com/pallets/click/issues/1752

** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.

Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.

Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory.
https://github.com/sphinx-doc/sphinx/issues/8175
https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2

Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring.
https://github.com/sphinx-doc/sphinx/issues/8172
https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417

Pytest-runner depends on deprecated features of setuptools and relies on features that break security mechanisms in pip. For example ‘setup_requires’ and ‘tests_require’ bypass pip --require-hashes. See also pypa/setuptools#1684.
It is recommended that you:
- Remove 'pytest-runner' from your setup_requires, preferably removing the setup_requires option.
- Remove 'pytest' and any other testing requirements from tests_require, preferably removing the tests_requires option.
- Select a tool to bootstrap and then run tests such as tox.
https://github.com/pytest-dev/pytest-runner/blob/289a77b179535d8137118e3b8591d9e727130d6d/README.rst

Opencv-python 4.8.1.78 updates its bundled dependency 'libwebp' to include a fix for a high risk vulnerability. Only mac OS X wheels on PyPI were affected.
https://github.com/opencv/opencv-python/releases/tag/78

Opencv-python 3.4.18 and 4.6.0 pin its dependency 'libpng' to v1.6.37 to include a security fix.

Opencv-python 4.7.0 updates its C dependency 'zlib' to v1.2.13 to include a security fix.

Opencv-python 4.7.0 updates its C dependency 'FFmpeg' to v5.1.2 to include a security fix.

Opencv-python 4.7.0 updates its dependency 'OpenSSL' to v1.1.1s to include security fixes.

Opencv-python 3.4.18 and 4.6.0 update its dependency 'openssl' to v1_1_1o to include security fixes.

Opencv-python 4.7.0 updates its dependency 'OpenSSL' to v1.1.1s to include security fixes.

Opencv-python 3.4.18 and 4.6.0 update its dependency 'openssl' to v1_1_1o to include security fixes.

OpenCV's wechat_qrcode module, specifically versions up to 4.7.0, has a significant vulnerability affecting the DecodedBitStreamParser::decodeHanziSegment function within the qrcode/decoder/decoded_bit_stream_parser.cpp file. This vulnerability can cause a memory leak. The potential attack can be executed remotely. To rectify this issue, it's advisable to apply a patch named 2b62ff6181163eea029ed1cab11363b4996e9cd6.
https://github.com/opencv/opencv_contrib/pull/3484/commits/2b62ff6181163eea029ed1cab11363b4996e9cd6

Opencv-python 3.4.18 and 4.6.0 pin its dependency 'freetype' to v2.12.1 to include a security fix.

The OpenCV wechat_qrcode module, versions up to 4.7.0, contains a critical vulnerability affecting the DecodedBitStreamParser::decodeByteSegment function in the qrcode/decoder/decoded_bit_stream_parser.cpp file. This vulnerability, if exploited, could lead to a null pointer dereference. Attackers can potentially launch this attack remotely.
https://github.com/opencv/opencv_contrib/pull/3480

Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'.
https://github.com/pallets/click/issues/1752

** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.

Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.

Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory.
https://github.com/sphinx-doc/sphinx/issues/8175
https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2

Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring.
https://github.com/sphinx-doc/sphinx/issues/8172
https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417

Pytest-runner depends on deprecated features of setuptools and relies on features that break security mechanisms in pip. For example ‘setup_requires’ and ‘tests_require’ bypass pip --require-hashes. See also pypa/setuptools#1684.
It is recommended that you:
- Remove 'pytest-runner' from your setup_requires, preferably removing the setup_requires option.
- Remove 'pytest' and any other testing requirements from tests_require, preferably removing the tests_requires option.
- Select a tool to bootstrap and then run tests such as tox.
https://github.com/pytest-dev/pytest-runner/blob/289a77b179535d8137118e3b8591d9e727130d6d/README.rst

Opencv-python 4.8.1.78 updates its bundled dependency 'libwebp' to include a fix for a high risk vulnerability. Only mac OS X wheels on PyPI were affected.
https://github.com/opencv/opencv-python/releases/tag/78

Opencv-python 3.4.18 and 4.6.0 pin its dependency 'libpng' to v1.6.37 to include a security fix.

Opencv-python 4.7.0 updates its C dependency 'zlib' to v1.2.13 to include a security fix.

Opencv-python 4.7.0 updates its C dependency 'FFmpeg' to v5.1.2 to include a security fix.

Opencv-python 4.7.0 updates its dependency 'OpenSSL' to v1.1.1s to include security fixes.

Opencv-python 3.4.18 and 4.6.0 update its dependency 'openssl' to v1_1_1o to include security fixes.

Opencv-python 4.7.0 updates its dependency 'OpenSSL' to v1.1.1s to include security fixes.

Opencv-python 3.4.18 and 4.6.0 update its dependency 'openssl' to v1_1_1o to include security fixes.

OpenCV's wechat_qrcode module, specifically versions up to 4.7.0, has a significant vulnerability affecting the DecodedBitStreamParser::decodeHanziSegment function within the qrcode/decoder/decoded_bit_stream_parser.cpp file. This vulnerability can cause a memory leak. The potential attack can be executed remotely. To rectify this issue, it's advisable to apply a patch named 2b62ff6181163eea029ed1cab11363b4996e9cd6.
https://github.com/opencv/opencv_contrib/pull/3484/commits/2b62ff6181163eea029ed1cab11363b4996e9cd6

Opencv-python 3.4.18 and 4.6.0 pin its dependency 'freetype' to v2.12.1 to include a security fix.

The OpenCV wechat_qrcode module, versions up to 4.7.0, contains a critical vulnerability affecting the DecodedBitStreamParser::decodeByteSegment function in the qrcode/decoder/decoded_bit_stream_parser.cpp file. This vulnerability, if exploited, could lead to a null pointer dereference. Attackers can potentially launch this attack remotely.
https://github.com/opencv/opencv_contrib/pull/3480

Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'.
https://github.com/pallets/click/issues/1752

Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages

Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory.
https://github.com/sphinx-doc/sphinx/issues/8175
https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2

Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring.
https://github.com/sphinx-doc/sphinx/issues/8172
https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417

Pytest-runner depends on deprecated features of setuptools and relies on features that break security mechanisms in pip. For example ‘setup_requires’ and ‘tests_require’ bypass pip --require-hashes. See also pypa/setuptools#1684.
It is recommended that you:
- Remove 'pytest-runner' from your setup_requires, preferably removing the setup_requires option.
- Remove 'pytest' and any other testing requirements from tests_require, preferably removing the tests_requires option.
- Select a tool to bootstrap and then run tests such as tox.
https://github.com/pytest-dev/pytest-runner/blob/289a77b179535d8137118e3b8591d9e727130d6d/README.rst

Opencv-python 4.8.1.78 updates its bundled dependency 'libwebp' to include a fix for a high risk vulnerability. Only mac OS X wheels on PyPI were affected.
https://github.com/opencv/opencv-python/releases/tag/78

Opencv-python 3.4.18 and 4.6.0 pin its dependency 'libpng' to v1.6.37 to include a security fix.

Opencv-python 4.7.0 updates its C dependency 'zlib' to v1.2.13 to include a security fix.

Opencv-python 4.7.0 updates its C dependency 'FFmpeg' to v5.1.2 to include a security fix.

Opencv-python 4.7.0 updates its dependency 'OpenSSL' to v1.1.1s to include security fixes.

Opencv-python 3.4.18 and 4.6.0 update its dependency 'openssl' to v1_1_1o to include security fixes.

Opencv-python 4.7.0 updates its dependency 'OpenSSL' to v1.1.1s to include security fixes.

Opencv-python 3.4.18 and 4.6.0 update its dependency 'openssl' to v1_1_1o to include security fixes.

OpenCV's wechat_qrcode module, specifically versions up to 4.7.0, has a significant vulnerability affecting the DecodedBitStreamParser::decodeHanziSegment function within the qrcode/decoder/decoded_bit_stream_parser.cpp file. This vulnerability can cause a memory leak. The potential attack can be executed remotely. To rectify this issue, it's advisable to apply a patch named 2b62ff6181163eea029ed1cab11363b4996e9cd6.
https://github.com/opencv/opencv_contrib/pull/3484/commits/2b62ff6181163eea029ed1cab11363b4996e9cd6

Opencv-python 3.4.18 and 4.6.0 pin its dependency 'freetype' to v2.12.1 to include a security fix.

The OpenCV wechat_qrcode module, versions up to 4.7.0, contains a critical vulnerability affecting the DecodedBitStreamParser::decodeByteSegment function in the qrcode/decoder/decoded_bit_stream_parser.cpp file. This vulnerability, if exploited, could lead to a null pointer dereference. Attackers can potentially launch this attack remotely.
https://github.com/opencv/opencv_contrib/pull/3480

Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'.
https://github.com/pallets/click/issues/1752

Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages

Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory.
https://github.com/sphinx-doc/sphinx/issues/8175
https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2

Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring.
https://github.com/sphinx-doc/sphinx/issues/8172
https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417

Pytest-runner depends on deprecated features of setuptools and relies on features that break security mechanisms in pip. For example ‘setup_requires’ and ‘tests_require’ bypass pip --require-hashes. See also pypa/setuptools#1684.
It is recommended that you:
- Remove 'pytest-runner' from your setup_requires, preferably removing the setup_requires option.
- Remove 'pytest' and any other testing requirements from tests_require, preferably removing the tests_requires option.
- Select a tool to bootstrap and then run tests such as tox.
https://github.com/pytest-dev/pytest-runner/blob/289a77b179535d8137118e3b8591d9e727130d6d/README.rst

Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'.
https://github.com/pallets/click/issues/1752

Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages

Pytest-runner depends on deprecated features of setuptools and relies on features that break security mechanisms in pip. For example ‘setup_requires’ and ‘tests_require’ bypass pip --require-hashes. See also pypa/setuptools#1684.
It is recommended that you:
- Remove 'pytest-runner' from your setup_requires, preferably removing the setup_requires option.
- Remove 'pytest' and any other testing requirements from tests_require, preferably removing the tests_requires option.
- Select a tool to bootstrap and then run tests such as tox.
https://github.com/pytest-dev/pytest-runner/blob/289a77b179535d8137118e3b8591d9e727130d6d/README.rst

Opencv-python 4.8.1.78 updates its bundled dependency 'libwebp' to include a fix for a high risk vulnerability. Only mac OS X wheels on PyPI were affected.
https://github.com/opencv/opencv-python/releases/tag/78

Opencv-python 3.4.18 and 4.6.0 pin its dependency 'libpng' to v1.6.37 to include a security fix.

Opencv-python 4.7.0 updates its C dependency 'zlib' to v1.2.13 to include a security fix.

Opencv-python 4.7.0 updates its C dependency 'FFmpeg' to v5.1.2 to include a security fix.

Opencv-python 4.7.0 updates its dependency 'OpenSSL' to v1.1.1s to include security fixes.

Opencv-python 3.4.18 and 4.6.0 update its dependency 'openssl' to v1_1_1o to include security fixes.

Opencv-python 4.7.0 updates its dependency 'OpenSSL' to v1.1.1s to include security fixes.

Opencv-python 3.4.18 and 4.6.0 update its dependency 'openssl' to v1_1_1o to include security fixes.

OpenCV's wechat_qrcode module, specifically versions up to 4.7.0, has a significant vulnerability affecting the DecodedBitStreamParser::decodeHanziSegment function within the qrcode/decoder/decoded_bit_stream_parser.cpp file. This vulnerability can cause a memory leak. The potential attack can be executed remotely. To rectify this issue, it's advisable to apply a patch named 2b62ff6181163eea029ed1cab11363b4996e9cd6.
https://github.com/opencv/opencv_contrib/pull/3484/commits/2b62ff6181163eea029ed1cab11363b4996e9cd6

Opencv-python 3.4.18 and 4.6.0 pin its dependency 'freetype' to v2.12.1 to include a security fix.

The OpenCV wechat_qrcode module, versions up to 4.7.0, contains a critical vulnerability affecting the DecodedBitStreamParser::decodeByteSegment function in the qrcode/decoder/decoded_bit_stream_parser.cpp file. This vulnerability, if exploited, could lead to a null pointer dereference. Attackers can potentially launch this attack remotely.
https://github.com/opencv/opencv_contrib/pull/3480

Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'.
https://github.com/pallets/click/issues/1752

Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages

Pytest-runner depends on deprecated features of setuptools and relies on features that break security mechanisms in pip. For example ‘setup_requires’ and ‘tests_require’ bypass pip --require-hashes. See also pypa/setuptools#1684.
It is recommended that you:
- Remove 'pytest-runner' from your setup_requires, preferably removing the setup_requires option.
- Remove 'pytest' and any other testing requirements from tests_require, preferably removing the tests_requires option.
- Select a tool to bootstrap and then run tests such as tox.
https://github.com/pytest-dev/pytest-runner/blob/289a77b179535d8137118e3b8591d9e727130d6d/README.rst

Opencv-python 4.8.1.78 updates its bundled dependency 'libwebp' to include a fix for a high risk vulnerability. Only mac OS X wheels on PyPI were affected.
https://github.com/opencv/opencv-python/releases/tag/78

Opencv-python 3.4.18 and 4.6.0 pin its dependency 'libpng' to v1.6.37 to include a security fix.

Opencv-python 4.7.0 updates its C dependency 'zlib' to v1.2.13 to include a security fix.

Opencv-python 4.7.0 updates its C dependency 'FFmpeg' to v5.1.2 to include a security fix.

Opencv-python 4.7.0 updates its dependency 'OpenSSL' to v1.1.1s to include security fixes.

Opencv-python 3.4.18 and 4.6.0 update its dependency 'openssl' to v1_1_1o to include security fixes.

Opencv-python 4.7.0 updates its dependency 'OpenSSL' to v1.1.1s to include security fixes.

Opencv-python 3.4.18 and 4.6.0 update its dependency 'openssl' to v1_1_1o to include security fixes.

OpenCV's wechat_qrcode module, specifically versions up to 4.7.0, has a significant vulnerability affecting the DecodedBitStreamParser::decodeHanziSegment function within the qrcode/decoder/decoded_bit_stream_parser.cpp file. This vulnerability can cause a memory leak. The potential attack can be executed remotely. To rectify this issue, it's advisable to apply a patch named 2b62ff6181163eea029ed1cab11363b4996e9cd6.
https://github.com/opencv/opencv_contrib/pull/3484/commits/2b62ff6181163eea029ed1cab11363b4996e9cd6

Opencv-python 3.4.18 and 4.6.0 pin its dependency 'freetype' to v2.12.1 to include a security fix.

The OpenCV wechat_qrcode module, versions up to 4.7.0, contains a critical vulnerability affecting the DecodedBitStreamParser::decodeByteSegment function in the qrcode/decoder/decoded_bit_stream_parser.cpp file. This vulnerability, if exploited, could lead to a null pointer dereference. Attackers can potentially launch this attack remotely.
https://github.com/opencv/opencv_contrib/pull/3480

Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'.
https://github.com/pallets/click/issues/1752

Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages

Pytest-runner depends on deprecated features of setuptools and relies on features that break security mechanisms in pip. For example ‘setup_requires’ and ‘tests_require’ bypass pip --require-hashes. See also pypa/setuptools#1684.
It is recommended that you:
- Remove 'pytest-runner' from your setup_requires, preferably removing the setup_requires option.
- Remove 'pytest' and any other testing requirements from tests_require, preferably removing the tests_requires option.
- Select a tool to bootstrap and then run tests such as tox.
https://github.com/pytest-dev/pytest-runner/blob/289a77b179535d8137118e3b8591d9e727130d6d/README.rst

Opencv-python 4.8.1.78 updates its bundled dependency 'libwebp' to include a fix for a high risk vulnerability. Only mac OS X wheels on PyPI were affected.
https://github.com/opencv/opencv-python/releases/tag/78

Opencv-python 3.4.18 and 4.6.0 pin its dependency 'libpng' to v1.6.37 to include a security fix.

Opencv-python 4.7.0 updates its C dependency 'zlib' to v1.2.13 to include a security fix.

Opencv-python 4.7.0 updates its C dependency 'FFmpeg' to v5.1.2 to include a security fix.

Opencv-python 4.7.0 updates its dependency 'OpenSSL' to v1.1.1s to include security fixes.

Opencv-python 3.4.18 and 4.6.0 update its dependency 'openssl' to v1_1_1o to include security fixes.

Opencv-python 4.7.0 updates its dependency 'OpenSSL' to v1.1.1s to include security fixes.

Opencv-python 3.4.18 and 4.6.0 update its dependency 'openssl' to v1_1_1o to include security fixes.

OpenCV's wechat_qrcode module, specifically versions up to 4.7.0, has a significant vulnerability affecting the DecodedBitStreamParser::decodeHanziSegment function within the qrcode/decoder/decoded_bit_stream_parser.cpp file. This vulnerability can cause a memory leak. The potential attack can be executed remotely. To rectify this issue, it's advisable to apply a patch named 2b62ff6181163eea029ed1cab11363b4996e9cd6.
https://github.com/opencv/opencv_contrib/pull/3484/commits/2b62ff6181163eea029ed1cab11363b4996e9cd6

Opencv-python 3.4.18 and 4.6.0 pin its dependency 'freetype' to v2.12.1 to include a security fix.

The OpenCV wechat_qrcode module, versions up to 4.7.0, contains a critical vulnerability affecting the DecodedBitStreamParser::decodeByteSegment function in the qrcode/decoder/decoded_bit_stream_parser.cpp file. This vulnerability, if exploited, could lead to a null pointer dereference. Attackers can potentially launch this attack remotely.
https://github.com/opencv/opencv_contrib/pull/3480