Safety CI > sentrip/veryscrape

dependabot/pip/pip-21.1

3 years, 5 months ago

Bump pip from 9.0.1 to 21.1 Bumps [pip](https://github.com/pypa/pip) from 9.0.1 to 21.1. - [Release

Sphinx 1.7.1 and twine 1.10.0 have known security vulnerabilities.

Package	Installed	Affected	Info
Sphinx	1.7.1	<3.0.4	show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons.
Sphinx	1.7.1	<3.3.0	show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2
Sphinx	1.7.1	<3.3.0	show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417
Sphinx	1.7.1	<3.0.4	show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons.
twine	1.10.0	<2.0.0	show Twine 2.0.0 updates requests to 2.20 (or later) to include a security fix.

dependabot/pip/pip-19.2

3 years, 11 months ago

ad7d33e7

Bump pip from 9.0.1 to 19.2 Bumps [pip](https://github.com/pypa/pip) from 9.0.1 to 19.2. - [Release

pip 19.2, Sphinx 1.7.1 and twine 1.10.0 have known security vulnerabilities.

Package	Installed	Affected	Info
pip	19.2	<23.3	show Affected versions of Pip are vulnerable to Command Injection. When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.
pip	19.2	<21.1	show A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity.
pip	19.2	<21.1	show An issue was discovered in Pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). A warning was added about this behavior in version 21.1. NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.
pip	19.2	<21.1	show Pip 21.1 updates its dependency 'urllib3' to v1.26.4 due to security issues.
pip	19.2	<25.0	show Pip solves a security vulnerability that previously allowed maliciously crafted wheel files to execute unauthorized code during installation.
Sphinx	1.7.1	<3.0.4	show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons.
Sphinx	1.7.1	<3.3.0	show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in inventory. https://github.com/sphinx-doc/sphinx/issues/8175 https://github.com/sphinx-doc/sphinx/commit/f7b872e673f9b359a61fd287a7338a28077840d2
Sphinx	1.7.1	<3.3.0	show Sphinx 3.3.0 includes a fix for a ReDoS vulnerability in docstring. https://github.com/sphinx-doc/sphinx/issues/8172 https://github.com/sphinx-doc/sphinx/commit/f00e75278c5999f40b214d8934357fbf0e705417
Sphinx	1.7.1	<3.0.4	show Sphinx 3.0.4 updates jQuery version from 3.4.1 to 3.5.1 for security reasons.
twine	1.10.0	<2.0.0	show Twine 2.0.0 updates requests to 2.20 (or later) to include a security fix.

master

6 years, 7 months ago