
Could you help upgrade the vulnerable dependency in mapchete?

Open · JoeGardner000 opened this issue 3 years ago • 1 comment

Hi, @ungarj , I'd like to report a vulnerability issue in mapchete_2022.4.0.

Issue Description

I noticed that mapchete_2022.4.0 directly depends on rasterio_1.2.10. However, rasterio_1.2.10 suffers from the vulnerabilities that its C libraries expose, as the following dependency graph shows.

Dependency Graph between Python and Shared Libraries

[image: dependency graph between Python packages and shared libraries]

Suggested Vulnerability Patch Versions

rasterio has upgraded these vulnerable C libraries to patched versions; refer to the issue URL.

Python build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Python projects. As a popular Python package (mapchete has 7,993 downloads per month), could you please upgrade this vulnerable dependency?

Thanks for your help~

Best regards,
Joe Gardner

JoeGardner000 · Apr 10 '22 12:04
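The gap the report points to, that pip-level tooling never looks at the C libraries vendored into a wheel, can be narrowed by inspecting the wheel archive itself. The following added example (not code from mapchete or rasterio) lists the shared libraries under a wheel's `<package>.libs/` directory together with the version suffix in each filename; the wheel and its member names are constructed in memory for the example, and the filename layout assumed is the `name-<hash>.so.<version>` form that auditwheel produces.

```python
"""Added example: enumerate shared libraries vendored into a wheel.

pip, pip-audit and similar tools only see the Python distribution's own
version (e.g. rasterio 1.2.10); they never look at the bundled C libraries
such as GDAL or PROJ that actually carry the CVEs. Opening the wheel as the
zip archive it is exposes those files. The wheel here is constructed.
"""
import io
import re
import zipfile
from typing import Dict, Optional

# auditwheel writes vendored libs as "<pkg>.libs/lib<name>-<8 hex>.so[.<ver>]".
LIB_RE = re.compile(
    r"^(?P<pkg>[^/]+)\.libs/(?P<name>lib[A-Za-z0-9_+]+)"
    r"(?:-[0-9a-f]{8})?\.so(?:\.(?P<ver>[0-9.]+))?$"
)


def bundled_libs(wheel_bytes: bytes) -> Dict[str, Optional[str]]:
    """Map each vendored library name to the version suffix in its filename.

    Only members inside a "<pkg>.libs/" directory count; the package's own
    extension modules (e.g. rasterio/_io....so) are not vendored C libraries.
    """
    found: Dict[str, Optional[str]] = {}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as wheel:
        for member in wheel.namelist():
            match = LIB_RE.match(member)
            if match:
                found[match.group("name")] = match.group("ver")
    return found


def make_sample_wheel() -> bytes:
    """Construct a tiny fake wheel with the layout auditwheel produces.

    Hashes and version suffixes below are made up for the example.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as wheel:
        wheel.writestr("rasterio/__init__.py", "")
        wheel.writestr("rasterio/_io.cpython-39-x86_64-linux-gnu.so", b"")
        wheel.writestr("rasterio.libs/libgdal-5a1b2c3d.so.30", b"")
        wheel.writestr("rasterio.libs/libproj-9f8e7d6c.so.22", b"")
        wheel.writestr("rasterio-1.2.10.dist-info/METADATA", "Name: rasterio\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, ver in sorted(bundled_libs(make_sample_wheel()).items()):
        print(f"{name}: {ver or 'unversioned'}")
```

The SONAME suffix is only a major/minor hint; for a real audit, compare it against the library versions the wheel's build recipe pins, since the filename alone does not identify a patch release.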

Thanks @JoeGardner000, I'll update the rasterio dependency once version 1.3.0 is out!

ungarj · Apr 11 '22 11:04