fix(general): asteval to version 1.0.6 #7142
base: main
Conversation
This change is particularly important as it addresses CVE-2025-24359.
@gruebel can you please take a look at this security update?
@bo156 can you please take a look at this change?
Can anyone take this seriously?
Bump! As it was mentioned on this PR before, updating "asteval" to "1.0.6" addresses an important security concern. This will positively impact all the checkov users that work in highly regulated environments. Thank you for all your hard work, we need this update to manage our supply chain vulnerabilities.
It seems that there are some conflicts to resolve, but I can't see for which files in the web UI.
@echoix If it's anything other than the Pipfile.lock causing the issue, I'd be surprised, given the difference in changes and the overall nature of a lock file: the source branch likely needs to be rebased by a maintainer and a fresh lock file generated before this can be merged in.
And so?
I emailed psirt@paloaltonetworks.com again. I'm incredibly disappointed that checkov, which is itself security software, is completely ignoring this security finding.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Description
Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.
Fixes # (issue)
New/Edited policies (Delete if not relevant)
Description
Include a description of what makes it a violation and any relevant external links.
Fix
How does someone fix the issue in code and/or in runtime?
Checklist: