On Fri, Oct 06, 2023 at 09:50:20PM +0200, Heinrich Schuchardt wrote:
> On 10/6/23 03:41, Simon Glass wrote:
> > On Thu, 5 Oct 2023 at 10:27, Tom Rini <tr...@konsulko.com> wrote:
> > > 
> > > While not a direct issue for us, urllib3 before 1.26.17 is vulnerable to
> > > CVE-2023-43804, so bump our version up.
> 
> The same bug is also fixed in 2.0.6. Why should we stick with the old
> series? I could not see any issues building the documentation locally
> and on Github with 2.0.6.

There's probably a number of packages we could bump for similar reasons,
if you'd like to unfreeze, build, check the output and refreeze.  I'm
just posting something to get Dependabot to be silenced since I get this
whenever I push a branch.

-- 
Tom
