Known vulnerability in outdated pgx dependency, pgproto3-1.1.0 #182
Comments
It's a false alarm. It appears the "Sonatype OSS Index" does not distinguish between test and non-test dependencies. pgtype only uses pgx in tests.
If this vulnerability scanner has the same flaws as others it won't be satisfied. pgx depends on pgtype and pgtype's tests depend on pgx. This causes problems for scanners that naively follow the test dependency chain. See jackc/pgx#1052 for more info. |
|
I see. Looking closer at it I can confirm that you're absolutely right! I'll close the issue! |
The latest version of pgtype, 1.12.0, relies on an outdated version of pgx, version 4.12. It uses the pgproto3 v1.1.0.
The latest stable pgx version is 4.17, with pgproto3 v2.3.1
The Sonatype OSS Index determines the former version of pgproto to contain a "medium" grave vulnerability due to unrestricted resource consumption.
This seems to be resolvable by upgrading pgx to a more recent version.
The text was updated successfully, but these errors were encountered: