CVE for dependency werkzeug. Sendgrid requires <3.0.0, CVE requires >= 3.0.3

[chdryra]

Hi,

The following CVE popped up for us in one of our containers. It is coming in from sendgrid's reliance on werkzeug. I wondered if there was a plan to update the dep for this on you end?

GHSA-2g68-c3qc-8985

Many thanks,
Riz

[CoderJoshDK]

You should be able to upgrade it on your end. It isn't pinned to a specific version here. This will be based on what python version you are using though. ¹

[
"werkzeug>=0.11.15,<1.0.0 ; python_version < '3.0'",
"werkzeug>=0.15.0,<2.0.0 ; python_version >= '3.0' and python_version < '3.7'",
"werkzeug>=0.15.0,<2.3.0 ; python_version >= '3.0' and python_version < '3.8'", # version 2.3.0 dropped support for Python 3.7
"werkzeug>=0.16.0,<3.1.0 ; python_version >= '3.0' and python_version < '3.9'", # version 3.1.0 dropped support for Python 3.8
"werkzeug>=1.0.0 ; python_version >= '3.9'",
"werkzeug>=2.2.0 ; python_version >= '3.11'",
"werkzeug>=2.3.5 ; python_version >= '3.12'"
]

For python versions greater than 3.8, there is no max version cap. IE, you can upgrade to the latest minor / patch version.

If you are using an older python version, you will likely need to upgrade.

Footnotes

1. I am not a maintainer or contributor of this package. Just stumbled upon this issue as I was going through other security things ↩

[williamhakim10]

You should be able to upgrade it on your end. It isn't pinned to a specific version here. This will be based on what python version you are using though. 1

[
"werkzeug>=0.11.15,<1.0.0 ; python_version < '3.0'",
"werkzeug>=0.15.0,<2.0.0 ; python_version >= '3.0' and python_version < '3.7'",
"werkzeug>=0.15.0,<2.3.0 ; python_version >= '3.0' and python_version < '3.8'", # version 2.3.0 dropped support for Python 3.7
"werkzeug>=0.16.0,<3.1.0 ; python_version >= '3.0' and python_version < '3.9'", # version 3.1.0 dropped support for Python 3.8
"werkzeug>=1.0.0 ; python_version >= '3.9'",
"werkzeug>=2.2.0 ; python_version >= '3.11'",
"werkzeug>=2.3.5 ; python_version >= '3.12'"
]

For python versions greater than 3.8, there is no max version cap. IE, you can upgrade to the latest minor / patch version.

If you are using an older python version, you will likely need to upgrade.

Footnotes

1. I am not a maintainer or contributor of this package. Just stumbled upon this issue as I was going through other security things [↩](#user-content-fnref-1-135f412b7bd8bb70ef722562f916b983)

Looks like there's no release with these changes yet though, but I assume one is coming

[CoderJoshDK]

Yes, sorry. The latest version requires you to be using python 3.11 or higher, to be able to upgrade. (Although, FYI, werkzeug has GHSA-f9vj-2wh5-fj8j if you are really worried about CVEs. And idk your use case fully.)

[chdryra]

Thanks. We are forced to use python 3.10 for "reasons" unfortunately. When I look at the lock file, looks like send grid does pin to version < 3 for python < 3.11

However if I downgrade send grid to 6.11.0 then I can pin to a higher version of Werkzeug which is unexpected.

Anyway, this particular cve not a big deal for us so can ignore, just trying to be a good citizen.

Thanks for the pointers, much appreciated!