dpgaspar commented on PR #22355: URL: https://github.com/apache/superset/pull/22355#issuecomment-1355042508
Seeing that https://github.com/advisories/GHSA-7wxw-4483-3m34 is a disputed CVE and only occurs when running Flask with the provided dev server, something you should never do in production for several reasons.

Regarding flask-caching, I don't see any submitted patches on the CVE, https://github.com/advisories/GHSA-656c-6cxf-hvcv. This CVE is disputed also, since an attacker would have to be able to write to the cache itself, something that would cause severe issues all around, not just by deserializing content with Pickle.

Can you please just bump Pillow and resolve the current PR conflicts? Thank you