Please excuse if this is misguided, but when testing for some vulnerabilities, I noticed some upgrades to dependencies may be required. I felt it should be raised.
Vulnerable transitive dependencies: cryptography and pyjwt
Description
A vulnerability scan using osv-scanner against semantic-link and semantic-link-labs identified 12 known vulnerabilities in two transitive dependencies.
Affected packages
| Package | Installed | Latest | Vulnerabilities |
|---|---|---|---|
| cryptography | 3.4.x | 46.0.6 | 11 (5 High, 2 Medium, 1 Low, 3 Unknown) |
| pyjwt | 2.9.x | 2.12.1 | 1 (High, CVSS 7.5) |
CVEs / OSV IDs
Steps to reproduce
```shell
# Write a minimal requirements file naming only the two top-level packages
echo -e "semantic-link\nsemantic-link-labs" > requirements.txt
# Scan it with osv-scanner; the findings come from the transitive dependencies
osv-scanner scan source --lockfile 'requirements.txt:./requirements.txt'
```
Suggested fix
Bump the minimum version constraints in the package dependencies:
```
cryptography >= 46.0.0
pyjwt >= 2.12.0
```
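As an added example (not part of this issue or of the semantic-link projects), the following script checks whether an environment's installed `cryptography` and `pyjwt` fall below the minimum versions proposed above. It implements a small numeric-release-segment comparison so it needs no third-party package; the `SAMPLE_INSTALLED` versions are constructed for illustration, and the `installed_versions` helper reads the live interpreter via `importlib.metadata`.

```python
"""Added example: flag installed versions of the transitive dependencies named
in this issue that sit below the proposed minimum constraints.

Version comparison is a deliberately small PEP 440 subset (numeric release
segment only), which is sufficient for a minimum-version floor check.
"""
from importlib import metadata
import re

# Minimum versions from the issue's "Suggested fix".
MINIMUM_VERSIONS = {
    "cryptography": "46.0.0",
    "pyjwt": "2.12.0",
}

# Constructed sample of what `pip freeze` might report in an environment that
# still pulls the vulnerable ranges in transitively (not real scan output).
SAMPLE_INSTALLED = {
    "cryptography": "3.4.8",
    "pyjwt": "2.9.0",
    "requests": "2.32.3",
}


def release_tuple(version: str) -> tuple:
    """Return the numeric release segment of a version as a tuple of ints.

    "46.0.6" -> (46, 0, 6); "2.12.0rc1" -> (2, 12). Pre-release and local
    suffixes are ignored, and trailing zeros are stripped so that "2.12"
    and "2.12.0" compare as equal.
    """
    match = re.match(r"^\s*v?(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def find_below_minimum(installed: dict, minimums: dict) -> dict:
    """Return {package: (installed, minimum)} for each package that is present
    but older than its minimum. Packages that are not installed are skipped,
    since they cannot expose the environment to the vulnerability."""
    findings = {}
    for name, floor in minimums.items():
        current = installed.get(name)
        if current is None:
            continue
        if release_tuple(current) < release_tuple(floor):
            findings[name] = (current, floor)
    return findings


def installed_versions(names) -> dict:
    """Read versions of the given distributions from the running interpreter."""
    found = {}
    for name in names:
        try:
            found[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            pass
    return found


if __name__ == "__main__":
    # Constructed sample: both packages should be reported.
    for pkg, (have, need) in find_below_minimum(SAMPLE_INSTALLED, MINIMUM_VERSIONS).items():
        print(f"{pkg}: installed {have}, minimum {need}")
    # Live check of whatever this interpreter has installed.
    live = find_below_minimum(installed_versions(MINIMUM_VERSIONS), MINIMUM_VERSIONS)
    print("live environment:", live or "no packages below minimum")
```

Running the script against the constructed sample reports both packages; running it inside a Fabric notebook or any other managed environment shows whether the transitive versions there are still below the proposed floors.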
Impact
Users running these packages locally or in managed environments such as Microsoft Fabric may be exposed to these vulnerabilities without any indication, as the vulnerable versions are pulled in transitively.