tpwo opened a new issue, #39279: URL: https://github.com/apache/beam/issues/39279
### What needs to happen? Hello, in our vulnerability tracking system we noticed that Beam Python SDK depends on `httplib2<0.32.0` which is reported with [CVE-2026-59939](https://cve.report/CVE-2026-59939): <img width="836" height="360" alt="CVE-2026-59939 as reported in vulnerability tracking system" src="https://github.com/user-attachments/assets/f79125f9-7bd3-4a83-b66d-2a74f0c256d2" /> To resolve it, we need to allow for newer versions of httplib2 here: https://github.com/apache/beam/blob/668c6a38f37191e9d5e92be939d9da7e18542a3c/sdks/python/setup.py#L424 httplib2 0.32.0 was released on Jun 26: https://pypi.org/project/httplib2/0.32.0/ Maybe it makes sense to have looser constraints here and do something like: ```diff -'httplib2>=0.8,<0.32.0', +'httplib2>=0.8,<1.0.0', ``` I'm marking this issue as P1, as CVE-2026-59939 is marked as High in our system, and it would be good to resolve it before the next release of Beam. ### Issue Priority Priority: 1 (urgent / mostly reserved for critical bugs) ### Issue Components - [x] Component: Python SDK - [ ] Component: Java SDK - [ ] Component: Go SDK - [ ] Component: Typescript SDK - [ ] Component: IO connector - [ ] Component: Beam YAML - [ ] Component: Beam examples - [ ] Component: Beam playground - [ ] Component: Beam katas - [ ] Component: Website - [ ] Component: Infrastructure - [ ] Component: Spark Runner - [ ] Component: Flink Runner - [ ] Component: Prism Runner - [ ] Component: Twister2 Runner - [ ] Component: Hazelcast Jet Runner - [ ] Component: Google Cloud Dataflow Runner -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
