[CVE-2024-35195] Security issue with requests python library

[danitico]

Good afternoon Vespa team,

Our dependabot is leveraging a issue with the requests library and it recommends to update it to version 2.32.0. However, this project only allows to update that library to version 2.31.0.

When trying to install the patched version, we get the following error:

Because your-project depends on pyvespa (0.49.0) which depends on requests (2.31)

Any ETA to update that library? The CVE id is CVE-2024-35195 and is commented here psf/requests#6655

Regards,

Daniel Ranchal

[thomasht86]

Hi!
We had some issues on updating earlier, but we have now done so, see #947
This will be part of the next release, so ETA a day or two.

[danitico]

Thanks @thomasht86 ! Will wait for the update!

[thomasht86]

Just released v0.50.0 with requests version unpinned.
Should be live on pypi any minute.