CVE for dependency werkzeug. Sendgrid requires <3.0.0, CVE requires >= 3.0.3
Hi,
The following CVE popped up for us in one of our containers. It is coming in from sendgrid's reliance on werkzeug. I wondered if there was a plan to update the dep for this on your end?
https://github.com/advisories/GHSA-2g68-c3qc-8985
Many thanks, Riz
You should be able to upgrade it on your end. It isn't pinned to a specific version here. This will be based on what python version you are using though. [^1]
[
"werkzeug>=0.11.15,<1.0.0 ; python_version < '3.0'",
"werkzeug>=0.15.0,<2.0.0 ; python_version >= '3.0' and python_version < '3.7'",
"werkzeug>=0.15.0,<2.3.0 ; python_version >= '3.0' and python_version < '3.8'", # version 2.3.0 dropped support for Python 3.7
"werkzeug>=0.16.0,<3.1.0 ; python_version >= '3.0' and python_version < '3.9'", # version 3.1.0 dropped support for Python 3.8
"werkzeug>=1.0.0 ; python_version >= '3.9'",
"werkzeug>=2.2.0 ; python_version >= '3.11'",
"werkzeug>=2.3.5 ; python_version >= '3.12'"
]
For python versions greater than 3.8, there is no max version cap. I.e., you can upgrade to the latest minor / patch version.
If you are using an older python version, you will likely need to upgrade.
[^1]: I am not a maintainer or contributor of this package. Just stumbled upon this issue as I was going through other security things
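To make the dependency table above concrete, here is an added stdlib-only script (not sendgrid's code, and a deliberately simplified stand-in for pip's real marker and specifier evaluation) that works out which werkzeug specifiers are active on a given Python version and whether the patched 3.0.3 release from the title can be selected at all. It assumes purely numeric versions and markers that only compare python_version joined by "and", which is all this table uses.

```python
import re
from typing import List

# Requirement strings quoted in the comment above (sendgrid's werkzeug table).
SENDGRID_WERKZEUG_REQS = [
    "werkzeug>=0.11.15,<1.0.0 ; python_version < '3.0'",
    "werkzeug>=0.15.0,<2.0.0 ; python_version >= '3.0' and python_version < '3.7'",
    "werkzeug>=0.15.0,<2.3.0 ; python_version >= '3.0' and python_version < '3.8'",
    "werkzeug>=0.16.0,<3.1.0 ; python_version >= '3.0' and python_version < '3.9'",
    "werkzeug>=1.0.0 ; python_version >= '3.9'",
    "werkzeug>=2.2.0 ; python_version >= '3.11'",
    "werkzeug>=2.3.5 ; python_version >= '3.12'",
]

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
       ">=": lambda a, b: a >= b, "==": lambda a, b: a == b, "!=": lambda a, b: a != b}
# One comparison, e.g. ">=0.15.0" in a specifier or ">= '3.7'" in a marker.
CLAUSE = re.compile(r"(<=|>=|==|!=|<|>)\s*'?([\d.]+)'?")


def vkey(version: str) -> tuple:
    """Numeric release tuple padded to three parts so '1.0' == '1.0.0' (no pre-release handling)."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def marker_matches(marker: str, python_version: str) -> bool:
    """Evaluate an 'a and b' chain of python_version comparisons; an empty marker always matches."""
    if not marker.strip():
        return True
    for clause in marker.split(" and "):
        op, bound = CLAUSE.search(clause).groups()
        if not OPS[op](vkey(python_version), vkey(bound)):
            return False
    return True


def active_specifiers(python_version: str, reqs=SENDGRID_WERKZEUG_REQS) -> List[str]:
    """Return every version specifier (e.g. '<2.3.0') whose marker holds for this Python."""
    active = []
    for req in reqs:
        spec_part, _, marker = req.partition(";")
        if marker_matches(marker, python_version):
            active += [op + bound for op, bound in CLAUSE.findall(spec_part)]
    return active


def werkzeug_allowed(werkzeug_version: str, python_version: str) -> bool:
    """True if this werkzeug release satisfies every active specifier on this Python."""
    return all(OPS[op](vkey(werkzeug_version), vkey(bound))
               for op, bound in (CLAUSE.match(s).groups() for s in active_specifiers(python_version)))
```

On Python 3.9+ only lower bounds stay active, so 3.0.3 is selectable; on 3.7 the `<2.3.0` cap still applies and the patched release cannot be installed without moving to a newer Python.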
Looks like there's no release with these changes yet though, but I assume one is coming
Yes, sorry. The latest version requires you to be using python 3.11 or higher, to be able to upgrade. (Although, FYI, werkzeug has https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j if you are really worried about CVEs. And idk your use case fully.)
Thanks. We are forced to use python 3.10 for "reasons" unfortunately. When I look at the lock file, looks like sendgrid does pin to version < 3 for python < 3.11.
However if I downgrade sendgrid to 6.11.0 then I can pin to a higher version of Werkzeug, which is unexpected.
Anyway, this particular CVE is not a big deal for us so can ignore, just trying to be a good citizen.
Thanks for the pointers, much appreciated!
This should be fixed for your needs since 6.12.3. If you could, please confirm.
Hi! If you can raise a PR for this I can review it and merge. Thanks!