1. Summary
The dependency py of Interrogate has the known vulnerability PYSEC-2022-42969.
2. Steps to reproduce
I checked vulnerabilities of Interrogate using pip-audit:
pipenv install --dev interrogate pip-audit
pipenv run pip-audit --aliases on --desc on --verbose
Result:
Found 1 known vulnerability in 1 package
Name Version ID Fix Versions Aliases Description
---- ------- ---------------- ------------ ----------------------------------- ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
py 1.11.0 PYSEC-2022-42969 GHSA-w596-4wvx-j9j6, CVE-2022-42969 The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
3. py status
py documentation:
NOTE: this library is in maintenance mode and should not be used in new code.
The message from the developer of py from April 2023:
Note that py is pretty much unmaintained at this point (see #288). You might want to find out why you're using it, and migrate away from it.
“Plan for dropping/deprecating submodules of py and releasing v2.0”:
py.io
Might want to raise deprecation warnings telling people to use rich or something.
It seems it would be nice if Interrogate migrated from py to an actively maintained alternative.
Thanks.
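The steps above show pip-audit's table output. As an added example (not code from this issue or from the Interrogate project), the script below consumes pip-audit's JSON output instead, flags findings that have no fix version (an upgrade cannot remove PYSEC-2022-42969, so the dependency has to be replaced), and reports which installed distribution declares the vulnerable package as a requirement, which answers the "find out why you're using it" question. It assumes the JSON layout of `pip-audit --format json` (a "dependencies" list whose entries carry "name", "version" and "vulns", each vuln carrying "id", "fix_versions", "aliases" and "description") and that `python -m pip_audit` is available; the `example-app` distribution, its requirement lines and the sample audit document are constructed for the demonstration.

```python
"""Triage pip-audit JSON findings and trace which package pulls in a vulnerable dependency.

Added example; assumes the pip-audit JSON layout described in the lead-in.
"""
import json
import re
import subprocess
import sys
from importlib import metadata

# Constructed sample mirroring the finding in the report (description shortened).
SAMPLE_AUDIT = {
    "dependencies": [
        {"name": "example-app", "version": "0.1.0", "vulns": []},  # constructed
        {
            "name": "py",
            "version": "1.11.0",
            "vulns": [{
                "id": "PYSEC-2022-42969",
                "fix_versions": [],
                "aliases": ["GHSA-w596-4wvx-j9j6", "CVE-2022-42969"],
                "description": "ReDoS via crafted Subversion info data (InfoSvnCommand).",
            }],
        },
    ],
    "fixes": [],
}

# Constructed stand-in for importlib.metadata: (distribution name, Requires-Dist lines).
SAMPLE_DISTS = [
    ("example-app", ["py>=1.10", "click>=7.1"]),
    ("py", []),
    ("click", []),
]

_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def canonical(name):
    """PEP 503 style normalisation so 'Py', 'py' and 'PY' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def findings(audit):
    """Flatten pip-audit JSON into one record per vulnerability.

    'fixable' is False when pip-audit lists no fix version: upgrading cannot
    clear the finding, so the dependency has to be replaced instead.
    """
    out = []
    for dep in audit.get("dependencies", []):
        for vuln in dep.get("vulns", []):
            out.append({
                "package": dep["name"],
                "version": dep["version"],
                "id": vuln["id"],
                "aliases": list(vuln.get("aliases", [])),
                "fixable": bool(vuln.get("fix_versions")),
            })
    return out


def who_requires(target, dists):
    """Names of distributions whose requirement lines name `target`.

    `dists` is an iterable of (name, [requirement strings]); pass
    list(installed_dists()) to inspect the current environment.
    """
    want = canonical(target)
    hits = []
    for name, requires in dists:
        for req in requires or []:
            m = _REQ_NAME.match(req)
            if m and canonical(m.group(1)) == want:
                hits.append(name)
                break
    return sorted(hits)


def installed_dists():
    """Adapter over importlib.metadata for who_requires()."""
    for dist in metadata.distributions():
        yield dist.metadata["Name"], dist.requires or []


def exit_code(audit):
    """1 if any vulnerability is present, else 0 (suitable for CI gating)."""
    return 1 if findings(audit) else 0


def run_pip_audit():
    """Run pip-audit here and parse its JSON; it exits non-zero on findings, so no check=True."""
    proc = subprocess.run([sys.executable, "-m", "pip_audit", "--format", "json"],
                          capture_output=True, text=True, check=False)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    live = "--live" in sys.argv
    audit = run_pip_audit() if live else SAMPLE_AUDIT
    dists = list(installed_dists()) if live else SAMPLE_DISTS
    for f in findings(audit):
        fix = "upgrade available" if f["fixable"] else "no fix version: replace the dependency"
        print(f"{f['package']} {f['version']}: {f['id']} ({', '.join(f['aliases'])}) - {fix}")
        print("  required by:", ", ".join(who_requires(f["package"], dists)) or "<nothing found>")
    sys.exit(exit_code(audit))
```

Run it without arguments to see the constructed sample; pass `--live` to audit the active environment. The non-zero exit code lets the same script act as a CI gate, and the "required by" line tells you which direct dependency (here, the package that depends on py) needs to migrate.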