
[BUG]: CVE-2022-42969 being flagged in project using pybind

Open · natke opened this issue 1 year ago · 1 comment

Required prerequisites

  • [X] Make sure you've read the documentation. Your issue may be addressed there.
  • [X] Search the issue tracker and Discussions to verify that this hasn't already been reported. +1 or comment there if it has.
  • [X] Consider asking first in the Gitter chat room or in a Discussion.

What version (or hash if on master) of pybind11 are you using?

v2.13.1

Problem description

The CVE in the title is getting flagged in my project. This CVE has been fixed in pytest 7.2.0. Is it possible to upgrade pytest in pybind?

Reproducible example code

FetchContent pybind in a CMake file.

The folder containing the pybind sources contains requirements.txt, which contains the line:

pytest~=7.0

https://github.com/pybind/pybind11/blob/master/tests/requirements.txt#L9

Is this a regression? Put the last known working version here if it is.

Not a regression

natke · Jul 17 '24 00:07

The compatible release version specifier pytest~=7.0 allows 7.0 <= version < 8 which includes 7.2.0; if your security scanner is flagging things, it's buggy.

QuLogic · Nov 08 '24 07:11
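The point of the reply above is how a PEP 440 compatible-release specifier such as `pytest~=7.0` is evaluated. The following is an added example, not code from pybind11 or from either commenter: a minimal implementation of the `~=` rule (`~= V` means `>= V` together with `== V'.*`, where `V'` is `V` with its last segment dropped) that turns the `tests/requirements.txt` line into an explicit version range and checks whether a given pytest version falls inside it. It assumes plain release versions only (no pre-release, post-release or local labels) and supports only the `~=` operator; the requirement line and candidate versions are constructed inline.

```python
"""Evaluate a PEP 440 compatible-release specifier (~=) against a version.

Added example, not part of pybind11. Assumptions: plain release versions
such as 7.2.0 only (no pre/post/local labels), and only the ~= operator.
"""

from __future__ import annotations


def parse_release(text: str) -> tuple[int, ...]:
    """Turn '7.2.0' into (7, 2, 0); reject anything that is not a plain release."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a plain release version: {text!r}")
    return tuple(int(p) for p in parts)


def compare_releases(a: tuple[int, ...], b: tuple[int, ...]) -> int:
    """PEP 440 ordering for release segments: shorter tuples are zero-padded,
    so (7, 2) and (7, 2, 0) compare equal. Returns -1, 0 or 1."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def compatible_release_bounds(spec_version: str) -> tuple[tuple[int, ...], tuple[int, ...]]:
    """For '~=7.0' return (lower_inclusive, upper_exclusive) = ((7, 0), (8,)).

    PEP 440: ~= V is >= V combined with == V'.*, where V' drops the last
    segment of V. The exclusive upper bound is therefore V' with its own
    last segment incremented, e.g. ~=1.4.2 -> >=1.4.2, <1.5.
    """
    v = parse_release(spec_version)
    if len(v) < 2:
        raise ValueError("~= requires at least two release segments")
    prefix = v[:-1]
    upper = prefix[:-1] + (prefix[-1] + 1,)
    return v, upper


def satisfies_compatible_release(spec_version: str, candidate: str) -> bool:
    """True if candidate lies in the range allowed by ~=spec_version."""
    lower, upper = compatible_release_bounds(spec_version)
    c = parse_release(candidate)
    return compare_releases(c, lower) >= 0 and compare_releases(c, upper) < 0


def parse_requirement_line(line: str) -> tuple[str, str]:
    """Split 'pytest~=7.0  # comment' into ('pytest', '7.0'); ~= only."""
    line = line.split("#", 1)[0].strip()
    if "~=" not in line:
        raise ValueError(f"only the ~= operator is handled here: {line!r}")
    name, version = line.split("~=", 1)
    return name.strip(), version.strip()


def allowed_range(line: str) -> str:
    """Render the range a ~= requirement line permits, e.g.
    'pytest: 7.0 <= version < 8'."""
    name, version = parse_requirement_line(line)
    lower, upper = compatible_release_bounds(version)
    fmt = lambda t: ".".join(str(x) for x in t)
    return f"{name}: {fmt(lower)} <= version < {fmt(upper)}"


if __name__ == "__main__":
    # Constructed copy of the pybind11 tests/requirements.txt line from the issue.
    requirement = "pytest~=7.0"
    print(allowed_range(requirement))
    _, spec = parse_requirement_line(requirement)
    for candidate in ("7.0.0", "7.1.3", "7.2.0", "7.4.4", "8.0.0"):
        print(candidate, "allowed" if satisfies_compatible_release(spec, candidate) else "excluded")
```

In real tooling the same check is `packaging.specifiers.SpecifierSet("~=7.0").contains("7.2.0")` from the `packaging` library, which also handles pre-releases and the other operators; the hand-rolled version above exists only to make the `~=` rule visible. Note that the specifier describes what a resolver may install, not what is installed: the version actually present in an environment is what a vulnerability check should be run against.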