GHSA-p72q-h37j-3hq7: dbt uses a SQLparse version with a high vulnerability

April 22, 2024

Using a version of sqlparse that has a security vulnerability and no way to update in current version of dbt core. Snyk recommends using sqlparse==0.5 but this causes a conflict with dbt. Snyk states the issues is a recursion error: SNYK-PYTHON-SQLPARSE-6615674.

References

github.com/advisories/GHSA-p72q-h37j-3hq7
github.com/andialbrecht/sqlparse/security/advisories/GHSA-2m57-hf25-phgg
github.com/dbt-labs/dbt-core
github.com/dbt-labs/dbt-core/security/advisories/GHSA-p72q-h37j-3hq7
security.snyk.io/vuln/SNYK-PYTHON-SQLPARSE-6615674

Code Behaviors & Features

Detect and mitigate GHSA-p72q-h37j-3hq7 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →