Problem
The runtime dependency floors are extremely loose:
dependencies = [
'aiohttp (>=3.0.0)', # 2018-era; many CVEs
'awesomeversion (>=22.1.0)',
'python-backoff (>=2.3.1)',
'mashumaro (>=3.13,<4.0.0)',
'orjson (>=3.9.8)',
'yarl (>=1.6.0)', # < 1.18.0 has CVE-2024-52304 (URL parsing)
]
aiohttp >= 3.0.0 allows downstream installs to resolve to versions affected by CVE-2024-23334 (path traversal), CVE-2024-30251 (DoS via crafted POST), CVE-2024-52304 / CVE-2024-52303 (request smuggling and parser issues), and others. yarl >= 1.6.0 allows pre-1.18 versions vulnerable to CVE-2024-52304 (host parsing/Unicode normalization), which is directly relevant because this library passes user-supplied host strings into yarl.URL.build(). Because this package is published to PyPI ([project.scripts] wled = "wled.cli:cli"), every consumer can end up with vulnerable transitive deps.
Why This Matters
Supply-chain risk: a consumer of wled may unknowingly resolve to a vulnerable aiohttp/yarl, exposing them to known and patched CVEs. The library's own development lockfile uses recent versions, but published metadata is what end users get.
Suggested Fix
Raise the floors to versions with the relevant CVEs fixed, e.g.:
'aiohttp (>=3.10.11)',
'yarl (>=1.18.0)',
'orjson (>=3.10.7)',
Consider also upper bounds (or ~=) for major releases to avoid surprise breakage, and add a recurring dependency-review job (the repo already has dependency-review.yaml — extend it to fail PRs that lower these floors).
Details
|
|
| Severity |
🟡 Medium |
| Category |
dependency |
| Location |
pyproject.toml:32-39 |
| Effort |
⚡ Quick fix |
🤖 Created by Kōan from audit session
Problem
The runtime dependency floors are extremely loose:
aiohttp >= 3.0.0allows downstream installs to resolve to versions affected by CVE-2024-23334 (path traversal), CVE-2024-30251 (DoS via crafted POST), CVE-2024-52304 / CVE-2024-52303 (request smuggling and parser issues), and others.yarl >= 1.6.0allows pre-1.18 versions vulnerable to CVE-2024-52304 (host parsing/Unicode normalization), which is directly relevant because this library passes user-suppliedhoststrings intoyarl.URL.build(). Because this package is published to PyPI ([project.scripts] wled = "wled.cli:cli"), every consumer can end up with vulnerable transitive deps.Why This Matters
Supply-chain risk: a consumer of
wledmay unknowingly resolve to a vulnerable aiohttp/yarl, exposing them to known and patched CVEs. The library's own development lockfile uses recent versions, but published metadata is what end users get.Suggested Fix
Raise the floors to versions with the relevant CVEs fixed, e.g.:
Consider also upper bounds (or
~=) for major releases to avoid surprise breakage, and add a recurring dependency-review job (the repo already hasdependency-review.yaml— extend it to fail PRs that lower these floors).Details
pyproject.toml:32-39🤖 Created by Kōan from audit session