-
Notifications
You must be signed in to change notification settings - Fork 83
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bump starlette version #1114
Comments
You can see details here: https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238 |
A quick summary of where things are at the moment:
If we were to require >=0.36.2, then those who are using older versions of Connect will be unable to run Shiny for Python apps. The upgrade cycle time for Connect in organizations is often longer, on the scale of 6-12 months. We will update this issue as we decide how to move ahead. |
It looks like the underlying issue is in However, even though that change to python-multipart fixes the DoS issue, the Starlette advisory still exists and apparently can't be deleted (Kludex/python-multipart#75 (comment)). That means that if we add a So we can do the following:
|
Hi!
Could you please bump starlette? It is currently locked at
starlette = ">=0.17.1,<0.35.0"
There is a ReDoS vulnerability in versions of starlette lower than 36.2.
Thanks in advance!
The text was updated successfully, but these errors were encountered: