False Positive for KeplerGL

[kopp]

installing keplergl via pip install keplergl raises the following warning:

+==============================================================================+ 
| REPORT | 
| checked 330 packages, using free DB (updated once a month) | 
+============================+===========+==========================+==========+ 
| package | installed | affected | ID | 
+============================+===========+==========================+==========+ 
| keplergl | 0.3.0 | <2.4.0 | 39211 | 
+==============================================================================+ 
| Keplergl 2.4.0 fixes several security vulnerabilities (9a13ce68). No details | 
| were provided. | 
+==============================================================================+ 

This is a false positive:
the pip package https://pypi.org/project/keplergl/ is currently at version 0.3.x.
On pypi it is linked to the parent repo containing the javascript code for kepler.gl which is currently at version 2.5.x.

The vulnerability check here is thus comparing the version of two different things which happen to live in the same repository.

The offending entry in the database seems to be:

"keplergl": [
        {
            "advisory": "Keplergl 2.4.0 fixes several security vulnerabilities (9a13ce68). No details were provided.",
            "cve": "PVE-2021-39211",
            "id": "pyup.io-39211",
            "specs": [
                "<2.4.0"
            ],
            "v": "<2.4.0"
        }
    ],

[SCH227]

@kopp thank you for the report! We corrected the specs of the advisory.