PyPi: Peltak

CVE-2021-20270

Transitive

Safety vulnerability ID: 51478

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Mar 23, 2021 Updated at Aug 08, 2024

Advisory

Peltak 0.28.0 updates its 'pygments' dependency requirement to ">=2.7.4" so that the installed pygments includes the security fixes.

Affected package

peltak

Latest version: 0.31.0

A command line tool to help manage a project

Affected versions

Fixed versions

Vulnerability changelog



Features
--------

- Sort todos files alphabetically
  This makes the output deterministic.
- New scripts system
  From now on, scripts are loaded from disk and can have a header comment
  that contains the script metadata. This metadata is parsed by peltak and
  used to generate the CLI commands. The generated CLI structure mirrors the
  scripts directory structure, so sub-groups can be created simply by
  creating directories.
- todos can scan any path
  Previously the loading params were a bit vague and originated from a single
  use case. Now it is much more flexible.
- peltak-todos now supports custom comment markers
  This adds support for other languages like JS that use '//' as the line
  comment marker. We still do not support block comments.
- Highlight changelog item title


Fixes
-----

- peltak-gitflow would not build properly


Changes
-------

- Move scripts into the core
- Update jinja2 and tomlkit
- Update pygments to at least 2.7.4
  Security issues: https://github.com/novopl/peltak/security/dependabot/13
- Update PyYAML to 6.0
- Remove dependency on six
  Python 2 is long gone; this was outdated a while ago.
- Replace attrs with dataclasses
- Bump minimum python version to 3.7
- Drop cliform dependency on peltak
  This will soon be extracted into its own lib. Making it not depend on peltak
  is the first step.
- Move basic commands out of extra
  We'll be getting rid of the peltak.extra package and instead move everything
  out into a plugin or merge it into the core.
- Extract extra.pypi into a plugin
  This is part of an ongoing effort to minimize the peltak core and move all
  extra functionality into the plugins.
- Extract changelog into a plugin
  This is part of an ongoing effort to minimize the peltak core and move all
  extra functionality to the plugins.
- Extract gitflow into a plugin
  This is part of an ongoing effort to minimize the peltak core and move all
  extra functionality to plugins. It will make it much easier to ensure test
  coverage and quality in the core while having appropriate support for
  everything else.


Dev tasks
---------

- Update all dev dependencies
- Move old appengine and django integrations
  These were created very early on and weren't really used that much. GAE was
  used for a bit, but that runtime is long gone on Google's side, so there is no
  reason to keep it. Moving it out first to make sure nothing breaks, but this
  code is scheduled for deletion.
- Minor fixes & improvements
- Use a check script that does not fail on the first tool
  It is easier to fix things when we have a full report, not just the part
  produced until one of the tools fails.
- Update docs
  Added documentation for releases.
- Convert core.git into a package
  The module started to grow big, which makes it harder to maintain.
- Align imports with isort
  TBH it looks worse in a lot of places, but at least it makes it easy to check
  the import ordering and fix it automatically with isort in the future.
- Update code check script
- Move peltak configuration to pelconf.yaml
  It's much easier to read and consistent with the rest of the projects.


Severity Details

CVSS Base Score

HIGH 7.5

CVSS v3 Details

HIGH 7.5
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Impact (A): HIGH

CVSS v2 Details

MEDIUM 5.0
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (Au): NONE
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Impact (A): PARTIAL