pyupio
False positives related to celery and sub depencies
Recent reports seem to indicate false positive related to celery.
https://pyup.io/repos/github/crim-ca/weaver/commits/?page=1#0d9d2e845c11a48a39cab0a73962ce87dae6428f
| Package | Installed | Affected | Info |
|---|---|---|---|
| celery | 3.1.26.post2 | <5.2.0 | Celery 5.2.0 updates 'kombu' to v5.2.1, which includes dependencies updates that resolve security issues. |
I actually have version 4.4.2 pinned (as shown below) for quite a long time.
https://github.com/crim-ca/weaver/commit/4370852a5b27d3bfafd96f9e3df580f3c6d3da54
celery[mongodb]==4.4.2; sys_platform != "win32"
I only started getting issues last week (due to 5.2.x release), but it seems broken because my builds are not even able to find those versions on pypi.
Anyway, the "installed" version is completely wrong, so something bad must be happening.
Because I'm not even on the same major version, it is really hard for me to know if this is an actual security issue or just a detection problem on pyup side.
