Hi Fabian, Thank you for the patch! According to GHSA-v6wp-4m6f-gcjg, CVE-2021-21330 is a vulnerability in the aiohttp HTTP server middleware. python-smarttub only uses aiohttp.ClientSession, so I don't think this vulnerability applies to this library.

Good to know that CVE-2021-21330 is not an issue. For the distribution packages (e.g., NixOS) it would still require that the constraint is relaxed.

Can you help me understand why a change is required for NixOS? The current dependency spec is compatible with 3.7.4.

Because NixOS and other distributions are shipping aiohttp 3.7.4 or later already. The current constraint prevents one from using 3.8.0 and makes the build fail. Home Assistant has moved to aiohttp 3.8.0. The HA requirements have priority in the
Yes, it is, but not with 3.8.0 and above.

I see, thank you. I'll get this merged and released once I figure out how to cause the CI checks to run.

For some reason, the CI checks aren't running, nor is there a prompt for approval to run them. I'll submit the changes under a new PR.

See #19 and home-assistant/core#60391

Thanks |
aiohttp >= 3.7.4 to avoid CVE-2021-21330

aiohttp-3.8.0 was released a while ago.