[Snyk] Security upgrade django from 3.1.4 to 2.2.25 #4

Open

arno.birchler wants to merge 1 commit from snyk-fix-d64dfef9ae1ef5fc4b31bb746c2a2f5b into master

pull from: snyk-fix-d64dfef9ae1ef5fc4b31bb746c2a2f5b

merge into: self-healing-infrastructure:master

self-healing-infrastructure:master

self-healing-infrastructure:snyk-fix-bd4504afbed2866939cb6ff6c8ff3f2e

self-healing-infrastructure:snyk-fix-e4fa1bff630bb85974b25f2abc1ab9ed

self-healing-infrastructure:snyk-fix-e77e5e66cdd809fb229efdc874b6b935

self-healing-infrastructure:snyk-fix-67b227d3fa4cb96935bdf5908f02b622

self-healing-infrastructure:snyk-fix-17c97c82abefd3624d1424a5da220122

self-healing-infrastructure:snyk-fix-c929b32ee9385cb9d968c5e044306108

self-healing-infrastructure:snyk-fix-fdc6ccf64e9902d76e1b9fc52d7cbef0

self-healing-infrastructure:snyk-fix-cba4473da2480e812be90aaca918d557

self-healing-infrastructure:snyk-fix-b180755e1e6231a13402296c54427493

self-healing-infrastructure:develop

self-healing-infrastructure:snyk-fix-67c74d7039a8e48a7cc152bdc758d1d3

self-healing-infrastructure:feature/validate-compose

Conversation 0 Commits 1 Files changed 1 +1 -1

arno.birchler commented 2021-12-11 10:25:45 +00:00 (Migrated from gitlab.com)

Copy link

Snyk has created this PR to fix one or more vulnerable packages in the `pip` dependencies of this project.

Changes included in this Merge Request

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • requirements.txt

⚠️ Warning

django-health-check 3.16.5 requires django, which is not installed.
django-dbbackup 3.3.0 requires Django, which is not installed.

Vulnerabilities that will be fixed

By pinning:

Severity	Priority Score (*)	Issue	Upgrade	Breaking Change	Exploit Maturity
	551/1000 Why? Recently disclosed, Has a fix available, CVSS 5.3	Access Restriction Bypass SNYK-PYTHON-DJANGO-2312875	django: 3.1.4 -> 2.2.25	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the effected dependencies could be upgraded.

Check the changes in this Merge Request to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

<h3>Snyk has created this PR to fix one or more vulnerable packages in the `pip` dependencies of this project.</h3> #### Changes included in this Merge Request - Changes to the following files to upgrade the vulnerable dependencies to a fixed version: - requirements.txt <details> <summary>⚠️ <b>Warning</b></summary> ``` django-health-check 3.16.5 requires django, which is not installed. django-dbbackup 3.3.0 requires Django, which is not installed. ``` </details> #### Vulnerabilities that will be fixed ##### By pinning: Severity | Priority Score (*) | Issue | Upgrade | Breaking Change | Exploit Maturity :-------------------------:|-------------------------|:-------------------------|:-------------------------|:-------------------------|:-------------------------  | **551/1000** <br/> **Why?** Recently disclosed, Has a fix available, CVSS 5.3 | Access Restriction Bypass <br/>[SNYK-PYTHON-DJANGO-2312875](https://snyk.io/vuln/SNYK-PYTHON-DJANGO-2312875) | `django:` <br> `3.1.4 -> 2.2.25` <br> | No | No Known Exploit (*) Note that the real score may have changed since the PR was raised. Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the effected dependencies could be upgraded. Check the changes in this Merge Request to ensure they won't cause issues with your project. ------------ **Note:** *You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.* For more information: <img src="https://api.segment.io/v1/pixel/track?data=eyJ3cml0ZUtleSI6InJyWmxZcEdHY2RyTHZsb0lYd0dUcVg4WkFRTnNCOUEwIiwiYW5vbnltb3VzSWQiOiI0MTBiMzJlNC01OGE3LTQ3ZjMtYmE0NS0wZDQ2MjIxYTI3ODkiLCJldmVudCI6IlBSIHZpZXdlZCIsInByb3BlcnRpZXMiOnsicHJJZCI6IjQxMGIzMmU0LTU4YTctNDdmMy1iYTQ1LTBkNDYyMjFhMjc4OSJ9fQ==" width="0" height="0"/> 🧐 [View latest project report](https://app.snyk.io/org/arnobirchler/project/f12b01b7-4014-4eb1-9519-9384068cbae1?utm_source&#x3D;gitlab&amp;utm_medium&#x3D;referral&amp;page&#x3D;fix-pr) 🛠 [Adjust project settings](https://app.snyk.io/org/arnobirchler/project/f12b01b7-4014-4eb1-9519-9384068cbae1?utm_source&#x3D;gitlab&amp;utm_medium&#x3D;referral&amp;page&#x3D;fix-pr/settings) 📚 [Read more about Snyk's upgrade and patch logic](https://support.snyk.io/hc/en-us/articles/360003891078-Snyk-patches-to-fix-vulnerabilities) [//]: # (snyk:metadata:{"prId":"410b32e4-58a7-47f3-ba45-0d46221a2789","prPublicId":"410b32e4-58a7-47f3-ba45-0d46221a2789","dependencies":[{"name":"django","from":"3.1.4","to":"2.2.25"}],"packageManager":"pip","projectPublicId":"f12b01b7-4014-4eb1-9519-9384068cbae1","projectUrl":"https://app.snyk.io/org/arnobirchler/project/f12b01b7-4014-4eb1-9519-9384068cbae1?utm_source=gitlab&utm_medium=referral&page=fix-pr","type":"auto","patch":[],"vulns":["SNYK-PYTHON-DJANGO-2312875"],"upgrade":[],"isBreakingChange":false,"env":"prod","prType":"fix","templateVariants":["updated-fix-title","pr-warning-shown","priorityScore"],"priorityScoreList":[551]})

This pull request can be merged automatically.

You are not authorized to merge this pull request.

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin snyk-fix-d64dfef9ae1ef5fc4b31bb746c2a2f5b:snyk-fix-d64dfef9ae1ef5fc4b31bb746c2a2f5b

git switch snyk-fix-d64dfef9ae1ef5fc4b31bb746c2a2f5b

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git switch master

git merge --no-ff snyk-fix-d64dfef9ae1ef5fc4b31bb746c2a2f5b

git switch snyk-fix-d64dfef9ae1ef5fc4b31bb746c2a2f5b

git rebase master

git switch master

git merge --ff-only snyk-fix-d64dfef9ae1ef5fc4b31bb746c2a2f5b

git switch snyk-fix-d64dfef9ae1ef5fc4b31bb746c2a2f5b

git rebase master

git switch master

git merge --no-ff snyk-fix-d64dfef9ae1ef5fc4b31bb746c2a2f5b

git switch master

git merge --squash snyk-fix-d64dfef9ae1ef5fc4b31bb746c2a2f5b

git switch master

git merge --ff-only snyk-fix-d64dfef9ae1ef5fc4b31bb746c2a2f5b

git switch master

git merge snyk-fix-d64dfef9ae1ef5fc4b31bb746c2a2f5b

git push origin master

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

self-healing-infrastructure/core!4

No description provided.