
fix(sec): upgrade lxml to 4.9.1

Open chncaption opened this issue 3 years ago • 4 comments

What happened?

There is 1 security vulnerability found in lxml 4.5.1

What did I do?

Upgrade lxml from 4.5.1 to 4.9.1 for vulnerability fix

What did you expect to happen?

Ideally, no insecure libs should be used.

The specification of the pull request

PR Specification from OSCS

chncaption avatar Nov 28 '22 02:11 chncaption

I had a look into automated solutions. Two exist - also Python modules - but neither can handle the >= in requirements.txt:

  • safety
  • pip-audit

safety developers claim to have a release imminent that will address this. But until then, manual checks are needed.

ValueRaider avatar Nov 28 '22 16:11 ValueRaider
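The manual check described in the comment above, as an added example that is not part of the yfinance project or this thread: it parses a constructed requirements.txt, and flags any requirement whose specifier (a `==` pin or a `>=`/`>`/`~=` lower bound) still admits a version below the one an advisory says carries the fix. The `FIXED_IN` table is an assumption standing in for advisory data (the lxml entry uses the 4.9.1 figure from this issue), and `parse_version` is a simplified stand-in for the `packaging` library's version parsing.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample requirements.txt; the lxml line mirrors the one discussed in this issue.
REQUIREMENTS_TXT = """\
# data deps
lxml>=4.5.1
pandas>=1.1.0
requests==2.28.1
"""

# Assumed advisory data: package -> first version that carries the fix.
# lxml entry taken from this issue; in practice this is exported from an advisory database.
FIXED_IN: Dict[str, str] = {"lxml": "4.9.1", "pandas": "1.0.0"}

# name, operator, version; alternation order puts ">=" and "<=" before ">" and "<"
_LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(==|>=|~=|>|<=|<|!=)\s*([0-9][0-9A-Za-z.]*)")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.9.1' into (4, 9, 1); a trailing non-numeric component ends the tuple."""
    parts: List[int] = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_requirements(text: str) -> List[Tuple[str, str, str]]:
    """Return (name, operator, version) for each requirement line; comments and blanks are skipped."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = _LINE_RE.match(line) if line else None
        if m:
            out.append((m.group(1).lower(), m.group(2), m.group(3)))
    return out


def check_lower_bounds(text: str, fixed_in: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Flag requirements that still admit a vulnerable release.

    A '==' pin is flagged when the pinned version is below the fix. A '>=', '>' or '~='
    bound below the fix is flagged too: pip may resolve to any release between the bound
    and the fixed version (and '~=' caps the minor series, so it can never reach the fix).
    """
    findings = []
    for name, op, ver in parse_requirements(text):
        if name in fixed_in and parse_version(ver) < parse_version(fixed_in[name]):
            if op == "==":
                findings.append((name, f"pinned to {ver}", fixed_in[name]))
            elif op in (">=", ">", "~="):
                findings.append((name, f"bound {op}{ver} admits vulnerable releases", fixed_in[name]))
    return findings
```

Running `check_lower_bounds(REQUIREMENTS_TXT, FIXED_IN)` reports only lxml, which is the case the automated tools in the comment miss because the requirement is a `>=` bound rather than a pin.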

Actually, yfinance doesn't use lxml anymore. Will remove it.

ValueRaider avatar Dec 02 '22 11:12 ValueRaider

Resolved by removing lxml - #1231

ValueRaider avatar Dec 12 '22 22:12 ValueRaider

So removing lxml was wrong. Now restored and minimum version raised. Thanks @chncaption for alerting me to this problem.

ValueRaider avatar Dec 13 '22 15:12 ValueRaider