Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(deps): update dependency werkzeug to v3.0.6 [security] #2334

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Oct 26, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
Werkzeug (changelog) 3.0.4 -> 3.0.6 age adoption passing confidence

Review

  • Updates have been tested and work
  • If updates are AWS related, versions match the infrastructure (e.g. Lambda runtime, database, etc.)

GitHub Vulnerability Alerts

CVE-2024-49766

On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.

CVE-2024-49767

Applications using Werkzeug to parse multipart/form-data requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the Request.max_form_memory_size setting.

The Request.max_content_length setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.


Configuration

📅 Schedule: Branch creation - "" in timezone America/Montreal, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Copy link
Contributor Author

renovate bot commented Oct 26, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: poetry.lock
Updating dependencies
Resolving dependencies...

Creating virtualenv notification-api-Nm9E1q_n-py3.10 in /home/ubuntu/.cache/pypoetry/virtualenvs

Because notifications-utils (52.3.6) @ git+https://github.com/cds-snc/[email protected] depends on both werkzeug (3.0.4) and werkzeug (3.0.4), werkzeug is required.
So, because notification-api depends on Werkzeug (3.0.6), version solving failed.

@renovate renovate bot added dependencies Pull requests that update a dependency file Renovate labels Oct 26, 2024
@renovate renovate bot force-pushed the renovate/pypi-werkzeug-vulnerability branch 6 times, most recently from 7bd31ea to bf769ef Compare October 31, 2024 17:31
@renovate renovate bot force-pushed the renovate/pypi-werkzeug-vulnerability branch 7 times, most recently from 252f095 to 3a7edb3 Compare November 8, 2024 18:23
@renovate renovate bot force-pushed the renovate/pypi-werkzeug-vulnerability branch 7 times, most recently from 216258d to a23ac2a Compare November 14, 2024 15:36
@renovate renovate bot force-pushed the renovate/pypi-werkzeug-vulnerability branch from a23ac2a to 45eb72e Compare November 14, 2024 20:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file Renovate
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants