pending-upstream-fix advisory for helix package, related to the idna …

…dependency, ref:GHSA-h97m-ww89-6jmq (#11085) Signed-off-by: Mark McCormick <[email protected]>
wolfi-dev · Jan 5, 2025 · 5e4fae3 · 5e4fae3
1 parent 7494393
commit 5e4fae3
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/helix.advisories.yaml b/helix.advisories.yaml
@@ -21,3 +21,11 @@ advisories:
             componentType: rust-crate
             componentLocation: /usr/bin/hx
             scanner: grype
+      - timestamp: 2025-01-05T02:18:54Z
+        type: pending-upstream-fix
+        data:
+          note: |
+            This vulnerability relates to the 'idna' dependency, and is fixed in v1.0.0 and later.
+            Attempts to upgrade 'idna' have failed, as there are multiple dependencies requiring different versions of `idna`.
+            One such example is 'url'. Attempts to upgrade 'url' to a version compatible with idna v1.0.0 result in additional build failures.
+            Pending fix from upstream.