Bug Report
(Reported upstream at github/advisory-database#5116 but they sent me here 😄 )
Advisory GHSA-q4h9-7rxj-7gx2 reports a Netty vulnerability against the Lettuce artifact. This is a false positive report for Lettuce artifacts.
The advisory asserts that the Lettuce package is vulnerable only because it expresses a dependency on a vulnerable version of Netty -- but Lettuce itself does not have this vulnerability: it does not actually package or shade the vulnerable Netty code. The Netty vulnerability already has its own CVE/advisory. As a result, this advisory incorrectly results in tools like Dependabot flagging the usage of Lettuce even when a consuming project has otherwise overridden or excluded an actually-vulnerable Netty transitive dependency version.
Please retract the advisory reported against the Lettuce artifacts; the existing advisory against actually-affected Netty artifacts is already sufficient for detection.
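The override the report refers to, shown as an added example that is not part of the issue or of the Lettuce project: a consuming Maven project imports the Netty BOM in `dependencyManagement`, so every `io.netty:*` artifact that `lettuce-core` pulls in transitively resolves to the patched release rather than the version Lettuce declares. The coordinates `io.netty:netty-bom` and `io.lettuce:lettuce-core` are real; the version strings are placeholders to be replaced with the actual fixed Netty release and the Lettuce release in use.

```xml
<!-- Added example (not from the original issue): consuming project's pom.xml
     that pins the transitive Netty version brought in by lettuce-core.
     FIXED_NETTY_VERSION and LETTUCE_VERSION are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>          <!-- placeholder coordinates -->
  <artifactId>lettuce-consumer</artifactId>
  <version>0.1.0-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- Importing Netty's BOM makes these versions win over the ones
           declared transitively by lettuce-core for every io.netty artifact -->
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-bom</artifactId>
        <version>FIXED_NETTY_VERSION</version>   <!-- placeholder -->
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Lettuce itself is unchanged; only its Netty transitives are overridden -->
    <dependency>
      <groupId>io.lettuce</groupId>
      <artifactId>lettuce-core</artifactId>
      <version>LETTUCE_VERSION</version>       <!-- placeholder -->
    </dependency>
  </dependencies>
</project>
```

To confirm the override took effect, run `mvn dependency:tree -Dincludes=io.netty` and check that every `io.netty` entry shows the pinned version. This is exactly the situation the issue describes: the resolved Netty is patched, so an advisory keyed to the actually-affected Netty artifacts stays quiet, while one keyed to the Lettuce artifacts keeps firing regardless of what Netty version is on the classpath.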