
bug(security): the known vulnerability PYSEC-2022-42969 in the py dependency #185

@Kristinita


1. Summary

The dependency py of Interrogate has the known vulnerability PYSEC-2022-42969.

2. Steps to reproduce

I checked Interrogate's dependencies for vulnerabilities using pip-audit:

pipenv install --dev interrogate pip-audit

pipenv run pip-audit --aliases on --desc on --verbose

Result:

Found 1 known vulnerability in 1 package
Name Version ID               Fix Versions Aliases                             Description
---- ------- ---------------- ------------ ----------------------------------- ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
py   1.11.0  PYSEC-2022-42969              GHSA-w596-4wvx-j9j6, CVE-2022-42969 The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.

3. py status

py documentation:

NOTE: this library is in maintenance mode and should not be used in new code.

The message from the developer of py from April 2023:

Note that py is pretty much unmaintained at this point (see #288). You might want to find out why you're using it, and migrate away from it.

Plan for dropping/deprecating submodules of py and releasing v2.0:

py.io

Might want to raise deprecation warnings telling people to use rich or something.

It seems it would be nice if Interrogate migrated from py to an actively maintained alternative.

Thanks.
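The finding above has an empty "Fix Versions" column: no released version of py addresses PYSEC-2022-42969, so pinning or upgrading cannot close it and the only remediation is the migration the reporter asks for. The script below is an added example (not part of this issue, nor code from the Interrogate, py or pip-audit projects) that turns `pip-audit --format json` output into a triage plan that separates findings with a fixed release from findings with none, and fails CI for both unless the policy says otherwise. The JSON key names (`dependencies`, `vulns`, `fix_versions`, `aliases`) are my understanding of pip-audit's JSON format and are an assumption; the sample input is constructed inline, reproducing the py finding from the issue plus a placeholder package `example-lib` with a placeholder advisory id `EXAMPLE-0001` that exists only to exercise the "upgrade" branch.

```python
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample of `pip-audit --format json` output (assumed key names).
# The py entry mirrors the finding reported in this issue; example-lib and
# EXAMPLE-0001 are placeholders, not a real package or advisory.
SAMPLE_AUDIT_JSON = json.dumps({
    "dependencies": [
        {"name": "interrogate", "version": "0.0.0", "vulns": []},  # version placeholder
        {
            "name": "py",
            "version": "1.11.0",
            "vulns": [{
                "id": "PYSEC-2022-42969",
                "fix_versions": [],  # no fixed release exists
                "aliases": ["GHSA-w596-4wvx-j9j6", "CVE-2022-42969"],
                "description": "The py library through 1.11.0 for Python allows "
                               "remote attackers to conduct a ReDoS attack ...",
            }],
        },
        {
            "name": "example-lib",
            "version": "1.0.0",
            "vulns": [{
                "id": "EXAMPLE-0001",
                "fix_versions": ["1.0.1"],
                "aliases": [],
                "description": "placeholder finding with a fixed release",
            }],
        },
    ],
})


@dataclass
class Finding:
    package: str
    version: str
    vuln_id: str
    aliases: list[str]
    fix_versions: list[str]
    description: str

    @property
    def fixable(self) -> bool:
        # An empty fix list means no released version addresses the advisory.
        return bool(self.fix_versions)

    @property
    def cve(self) -> str | None:
        return next((a for a in self.aliases if a.startswith("CVE-")), None)


def parse_audit(raw: str) -> list[Finding]:
    """Flatten pip-audit JSON into one Finding per (package, advisory)."""
    data = json.loads(raw)
    findings: list[Finding] = []
    for dep in data.get("dependencies", []):
        for vuln in dep.get("vulns", []):
            findings.append(Finding(
                package=dep["name"],
                version=dep["version"],
                vuln_id=vuln["id"],
                aliases=list(vuln.get("aliases", [])),
                fix_versions=list(vuln.get("fix_versions", [])),
                description=vuln.get("description", ""),
            ))
    return findings


def triage(findings: list[Finding]) -> dict[str, list[str]]:
    """Split findings into 'upgrade' (a fixed release exists) and
    'migrate' (no fix; the dependency itself has to go)."""
    plan: dict[str, list[str]] = {"upgrade": [], "migrate": []}
    for f in findings:
        ids = f.vuln_id + (f" / {f.cve}" if f.cve else "")
        label = f"{f.package}=={f.version} ({ids})"
        if f.fixable:
            plan["upgrade"].append(f"{label} -> any of {', '.join(f.fix_versions)}")
        else:
            plan["migrate"].append(label)
    return plan


def gate(findings: list[Finding], fail_on_unfixable: bool = True) -> int:
    """CI exit status: 1 if any finding is actionable under the policy.
    Unfixable findings fail by default, so a dependency like py cannot be
    waved through just because there is nothing to upgrade to."""
    for f in findings:
        if f.fixable or fail_on_unfixable:
            return 1
    return 0


if __name__ == "__main__":
    found = parse_audit(SAMPLE_AUDIT_JSON)
    for kind, items in triage(found).items():
        print(kind)
        for item in items:
            print("  ", item)
    raise SystemExit(gate(found))
```

In a real pipeline, feed the script the output of `pipenv run pip-audit --format json` instead of the embedded sample; `gate(..., fail_on_unfixable=False)` is the knob for teams that track unfixable findings in a separate backlog rather than blocking builds on them.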
