When running pipenv run safety check --full-report with the base image cimg/python:3.7.7 in a CircleCI job, I get the security finding below:
#!/bin/bash -eo pipefail
pipenv run safety check --full-report
safety report
checked 39 packages, using free DB (updated once a month)
---
-> pip, installed 20.1.1, affected <21.1, id 40291
Pip 21.1 stops splitting on unicode separators in git references, which could be maliciously used to install a different revision on the repository. See: <https://github.com/pypa/pip/issues/9827>. Additionally, pip 21.1 updates urllib3 to 1.26.4 to fix CVE-2021-28363.
--
Exited with code exit status 255
CircleCI received exit code 255
I am able to work around this by running the command pipenv run pip3 install --upgrade pip, but I would like to see if pip can be upgraded in the image.
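The finding above says pip is affected when it is below 21.1, and the workaround is an unconditional upgrade in the job. The script below is an added example (not from the issue author or the CircleCI image project): it reads the installed pip version from the pipenv-managed environment, compares it against the 21.1 threshold with a small numeric version comparison, and upgrades only when the installed version is affected, so the job records the decision instead of silently reinstalling pip every run. It assumes pipenv is on PATH, a Pipfile is present, and that `pip --version` prints its usual "pip X.Y.Z from ... (python 3.7)" line.

```shell
#!/bin/sh
# Added example: conditional pip upgrade driven by the "affected <21.1" finding.
# Assumptions (not stated in the issue): pipenv is installed, a Pipfile exists in
# the working directory, and `pip --version` prints "pip <version> from ...".

# version_lt A B: exit 0 if dot-separated numeric version A is strictly lower
# than B; missing trailing components count as 0 (so 21.1 == 21.1.0).
# Pre-release suffixes such as "rc1" are not handled; pip's 21.1 is plain.
version_lt() {
  a="$1"; b="$2"
  i=1
  while :; do
    x=$(printf '%s' "$a" | cut -d. -f"$i")
    y=$(printf '%s' "$b" | cut -d. -f"$i")
    [ -z "$x" ] && [ -z "$y" ] && return 1   # all components equal
    x=${x:-0}; y=${y:-0}
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
    i=$((i + 1))
  done
}

# pip_needs_upgrade INSTALLED MINIMUM: exit 0 when INSTALLED is affected,
# i.e. below the first fixed release named in the safety finding.
pip_needs_upgrade() {
  version_lt "$1" "$2"
}

# pip_version_from_line LINE: extract the version from `pip --version` output,
# e.g. "pip 20.1.1 from /usr/lib/python3.7/site-packages/pip (python 3.7)".
pip_version_from_line() {
  printf '%s\n' "$1" | awk '{print $2}'
}

# Minimum pip version from safety id 40291 on the issue page: 21.1.
PIP_FIXED_VERSION=21.1

# CI usage: only runs when the job actually has a pipenv project to inspect.
if command -v pipenv >/dev/null 2>&1 && [ -f Pipfile ]; then
  installed=$(pip_version_from_line "$(pipenv run pip --version)")
  if pip_needs_upgrade "$installed" "$PIP_FIXED_VERSION"; then
    echo "pip $installed is affected (<$PIP_FIXED_VERSION); upgrading before safety check"
    pipenv run pip install --upgrade pip
  else
    echo "pip $installed is not affected by finding 40291"
  fi
fi
```

Run this as the step before pipenv run safety check --full-report; keeping the threshold in one variable makes it easy to bump when a later advisory raises the floor, and the echo lines leave a record in the job log of whether the upgrade happened.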
danhlee329 changed the title from "Update pip Version for cimg/python:3.7.7" to "Update 'pip' Version for cimg/python:3.7.7" on May 4, 2021
danhlee329 changed the title from "Update 'pip' Version for cimg/python:3.7.7" to "Update pip Version for cimg/python:3.7.7" on May 4, 2021
We wouldn't update the image. So either you need to update it yourself, as mentioned, or use a newer Python image which would contain a newer pip version.