Hi Diane,

On Sat, Jun 06, 2026 at 03:53:43PM -0700, Diane Trout wrote:
> On Sat, 2026-06-06 at 23:01 +0200, Salvatore Bonaccorso wrote:
> >
> > This is likely a non-issue. Cf.
> > https://github.com/dask/dask/issues/12403#issuecomment-4640315993
> >
>
> I wondered about that comment too.
>
> I did subscribe to the bug, on the chance upstream decides to
> incorporate a fix.
>
> The discussion seems to imply it's currently a fairly low risk and
> mostly would lead to performance issues or resource exhaustion.

Thanks for your quick followup. I have marked the issue as no-dsa,
because the risk is indeed fairly low.

I wonder what upstream aims to do if they consider the CVE invalid, or
just low risk and will fix it at some point. In the latter case we can
then simply update to the version incorporating the fix and as well
further ignore stable for it.

Let me know about your thoughts.

Regards,
Salvatore

