Hello Apache Airflow team,

I am a graduate student researching software security. While analyzing PyPI packages, I found that your package apache-airflow-backport-providers-mongo reuses code from apache-airflow-providers-mongo-1.0.0.

Package alerta-server has a known vulnerability, CVE-2024-25141.
Reference: https://osv.dev/vulnerability/CVE-2024-25141

It seems that the vulnerable code has not been patched in apache-airflow-backport-providers-mongo. I recommend checking the commit history of apache-airflow-providers-mongo-1.0.0 where the issue was fixed and applying the same patch to your package.

Best regards,
Sunha Park
Korea University
Dept. of Computer Science and Engineering / M.S student
LAB https://ssp.korea.ac.kr
Email sun...@korea.ac.kr