
chore(deps): [database-archival] Update dependency flask-appbuilder to v4.5.1 [SECURITY] #143

Open
wants to merge 1 commit into
base: main

Conversation

renovate-bot
Contributor

@renovate-bot renovate-bot commented Jan 13, 2025

This PR contains the following updates:

Package: flask-appbuilder
Change: ==4.5.0 -> ==4.5.1

GitHub Vulnerability Alerts

CVE-2024-45314

Impact

The Auth DB login form's default cache directives allow the browser to locally store sensitive data. This can be an issue in environments using shared computer resources.

Patches

Upgrade flask-appbuilder to version 4.5.1

Workarounds

If upgrading is not possible, configure your web server to send the following HTTP headers for /login:
"Cache-Control": "no-store, no-cache, must-revalidate, max-age=0"
"Pragma": "no-cache"
"Expires": "0"


Release Notes

dpgaspar/flask-appbuilder (flask-appbuilder)

v4.5.1


  • feat: add no cache directive to login forms (#2266) [Daniel Vaz Gaspar]
  • chore: bump cryptography to 42.0.4 (#2238) [Daniel Vaz Gaspar]
  • docs: Fixing broken link (#2252) [Chase Jones]
  • fix: rate limiter key function (#2254) [Daniel Vaz Gaspar]
  • chore: bump dnspython to fix vulnerability (#2255) [Daniel Vaz Gaspar]

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
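The workaround in the PR description says to send the three headers "for /login" from the web server. The same effect can be had one layer down, at the WSGI boundary, which is useful when the front proxy is not under your control or when you want a regression check that the headers are really present. The following is an added example and is not code from flask-appbuilder or from this repository; it assumes the application is exposed as a WSGI callable (a Flask app exposes one as `app.wsgi_app`) and that the login form is served at `/login`, the path the advisory names. The `login_form_app` stand-in, `NoStoreOnPaths`, `get_headers` and `is_no_store` are all names invented for this example.

```python
"""CVE-2024-45314 workaround applied at the WSGI layer, plus the check a test
for the fix would make.

Added example, not flask-appbuilder's own code. Assumes a WSGI-served app
(a Flask app exposes one as app.wsgi_app) whose login form lives at /login.
"""
from wsgiref.util import setup_testing_defaults

# The three headers the advisory lists as the workaround for /login.
NO_STORE_HEADERS = [
    ("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]
_NO_STORE_NAMES = {name.lower() for name, _ in NO_STORE_HEADERS}


class NoStoreOnPaths:
    """WSGI middleware that forces the no-store headers on selected paths."""

    def __init__(self, app, paths=("/login",)):
        self.app = app
        self.paths = set(paths)

    def __call__(self, environ, start_response):
        if environ.get("PATH_INFO", "") not in self.paths:
            return self.app(environ, start_response)

        def patched_start_response(status, headers, exc_info=None):
            # Drop whatever caching headers the wrapped app set so the
            # advisory's values win; a second Cache-Control header would
            # otherwise be merged with the app's own by the browser.
            kept = [(n, v) for n, v in headers if n.lower() not in _NO_STORE_NAMES]
            return start_response(status, kept + NO_STORE_HEADERS, exc_info)

        return self.app(environ, patched_start_response)


def login_form_app(environ, start_response):
    """Constructed stand-in for an unpatched login view: it serves the form
    with a cacheable Cache-Control header and no Pragma/Expires at all."""
    body = (b"<form method='post'>"
            b"<input name='username'><input name='password' type='password'>"
            b"</form>")
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Cache-Control", "public, max-age=600")])
    return [body]


def get_headers(app, path):
    """Send one GET through a WSGI app in-process; return (status, headers dict)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers
        return lambda data: None

    # Consume the body so the app runs to completion.
    b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"])


def is_no_store(headers):
    """True only if no-store is present, no cacheable directive is left
    behind, and the HTTP/1.0 fallbacks (Pragma, Expires) are set as well."""
    directives = {d.strip().lower() for d in headers.get("Cache-Control", "").split(",")}
    return ("no-store" in directives
            and "public" not in directives
            and headers.get("Pragma") == "no-cache"
            and headers.get("Expires") == "0")


if __name__ == "__main__":
    wrapped = NoStoreOnPaths(login_form_app)
    for path in ("/login", "/healthz"):
        status, headers = get_headers(wrapped, path)
        print(path, status, headers.get("Cache-Control"), is_no_store(headers))
```

With a Flask-AppBuilder application the middleware is installed as `app.wsgi_app = NoStoreOnPaths(app.wsgi_app)`. `Cache-Control: no-store` is the directive modern browsers act on; `Pragma` and `Expires` only matter to HTTP/1.0 caches, but the advisory lists all three and `is_no_store` checks all three, so the same function can serve as the regression test for the 4.5.1 upgrade by running it against the real `/login` response instead of the constructed stand-in. Note that the middleware strips the application's own caching headers on the protected paths rather than appending to them, so a later change that reintroduces `public` on the login route cannot silently weaken the policy.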


@code-review-assist code-review-assist bot left a comment


Hi team,

I'm currently reviewing this pull request and will provide my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly understand the changes:

This pull request, submitted by Renovate Bot, updates the flask-appbuilder dependency in the database-archival project from version 4.5.0 to 4.5.1. This is a security update addressing CVE-2024-45314, which involves a vulnerability in the default cache directives of the authentication database login form that could allow sensitive data to be stored locally in the browser.

Here's a breakdown of the changes:

  • Intent: Address a security vulnerability (CVE-2024-45314) in flask-appbuilder.
  • Changes: The requirements.txt file in the projects/database-archival directory has been modified to update flask-appbuilder to version 4.5.1. The specific change is updating the version number and associated hash in lines 579-581 of requirements.txt:
--- a/projects/database-archival/requirements.txt
+++ b/projects/database-archival/requirements.txt
@@ -576,9 +576,9 @@ flask==2.2.5 \
     #   flask-sqlalchemy
     #   flask-wtf
     #   functions-framework
-flask-appbuilder==4.5.0 \
-    --hash=sha256:0a8439fe9391d71cbbd64a149b5bb04c90cb4c344e4e3250316f59720b73579d \
-    --hash=sha256:f85866bd1b25d5edd5de793c102bb14ee1ccf7623983f92e9037430fed2a269b
+Flask-AppBuilder==4.5.1 \
+    --hash=sha256:4b61267d880299915951c6cd120856e107344cee8a11be832725c21f9bdc5f59 \
+    --hash=sha256:a53116ac26f276ac206fb549d5e23bcfb49612cccfd52da984af7951758e6eb0
     # via apache-airflow-providers-fab
 flask-babel==2.0.0 \
     --hash=sha256:e6820a052a8d344e178cdd36dd4bb8aea09b4bda3d5f9fa9f008df2c7f2f5468 \
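Review bot: the `+` lines rename the requirement from `flask-appbuilder` to `Flask-AppBuilder`, which is the only name in the visible context written in mixed case (`flask`, `flask-babel` and the rest are lowercase). pip normalizes project names, so resolution is unaffected, but tools that diff or audit pinned names literally will see a package removed and another added; keep the file's own convention and write `flask-appbuilder==4.5.1 \`. Separately, the unchanged `# via apache-airflow-providers-fab` line shows this pin is transitive through that provider, so confirm the provider's constraints accept 4.5.1 (or regenerate the lock from it) rather than bumping the line by hand.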
  • Activity: The pull request was automatically generated by Renovate Bot.

Let me know if you have any questions.


A tiny verse, a coding plea,
Security first, you'll agree.
A simple fix, a patch applied,
Safe code flows, our fears subside.


@code-review-assist code-review-assist bot left a comment


This pull request updates the flask-appbuilder dependency to version 4.5.1, which addresses a security vulnerability (CVE-2024-45314). The update is necessary and the PR is well-formatted with clear explanations of the change, impact, and release notes. The inclusion of SHA256 hashes is good practice. One small suggestion for improvement would be to add a test to verify the fix for CVE-2024-45314 if feasible.
