Description
Installing poetry will bring in a version of h11 (see the current poetry.lock file) which has a known critical vulnerability. Although it doesn't directly affect poetry, this means that security scans like trivy will pick it up in images created using poetry, and ignoring it in images that do use http libraries could leave them unintentionally exposed.
See https://github.com/python-poetry/poetry/blob/main/poetry.lock#L647.
This likely requires a bump of httpcore to 1.0.9. The PR #10362 may fix this.
Workarounds
Currently, I see a couple:
- A temporary trivyignore or similar. Runs the risk of missing a vulnerability if the project has genuine http ports exposed.
- If building with docker, install into the system (no venv), and then uninstall poetry after the dependencies are managed.
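As an added check, not code from the issue author or the poetry project: a small script that reads a poetry.lock file and reports packages locked below a required minimum, so the offending pin can be confirmed or cleared in a specific image rather than silenced with a blanket scanner ignore. It uses a constructed lock fragment as sample input; the httpcore 1.0.9 threshold comes from the issue, while the h11 minimum is a placeholder assumption to replace with the fixed release your scanner reports.

```python
"""Audit a poetry.lock file for packages pinned below a required minimum.

Added example for this issue; not part of poetry. The thresholds in
REQUIRED_MINIMUMS are assumptions: the issue names httpcore 1.0.9 as the
needed bump but does not state the h11 release that closes the finding.
"""
import re
import sys

# Constructed fragment in poetry.lock's [[package]] layout; versions are sample values.
SAMPLE_LOCK = """\
[[package]]
name = "h11"
version = "0.14.0"
description = "A pure-Python, bring-your-own-I/O implementation of HTTP/1.1"
optional = false
python-versions = ">=3.7"

[[package]]
name = "httpcore"
version = "1.0.7"
description = "A minimal low-level HTTP client."
optional = false
python-versions = ">=3.8"

[[package]]
name = "packaging"
version = "24.2"
description = "Core utilities for Python packages"
optional = false
python-versions = ">=3.8"
"""

# Minimum acceptable versions. httpcore 1.0.9 is the bump the issue asks for;
# the h11 value is an assumed placeholder, not stated in the issue.
REQUIRED_MINIMUMS = {
    "h11": "0.16.0",
    "httpcore": "1.0.9",
}

# Matches only top-level `name = "..."` / `version = "..."` lines of a package block.
_FIELD_RE = re.compile(r'^(name|version)\s*=\s*"([^"]*)"', re.MULTILINE)


def parse_lock(text):
    """Map lowercase package name -> locked version for every [[package]] block."""
    packages = {}
    for block in text.split("[[package]]")[1:]:
        fields = dict(_FIELD_RE.findall(block))
        if "name" in fields and "version" in fields:
            packages[fields["name"].lower()] = fields["version"]
    return packages


def version_key(version):
    """Comparable tuple for simple dotted versions (an approximation of PEP 440).

    Release segments are padded to five numbers; any alphabetic suffix such as
    "rc1" marks a pre-release, which sorts below the final release.
    """
    release, prerelease = [], False
    for segment in version.split("."):
        m = re.match(r"(\d+)(.*)", segment)
        if not m:
            release.append(0)
            prerelease = True
            continue
        release.append(int(m.group(1)))
        if m.group(2):
            prerelease = True
    release = (release + [0] * 5)[:5]
    return tuple(release) + ((-1 if prerelease else 0),)


def find_outdated(lock_text, minimums=REQUIRED_MINIMUMS):
    """Return {name: (locked, required)} for lock entries below their minimum."""
    pinned = parse_lock(lock_text)
    findings = {}
    for name, required in minimums.items():
        current = pinned.get(name.lower())
        if current is not None and version_key(current) < version_key(required):
            findings[name] = (current, required)
    return findings


if __name__ == "__main__":
    # Usage: python audit_lock.py path/to/poetry.lock  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, (current, required) in sorted(find_outdated(text).items()):
        print(f"{name}: locked {current}, need >= {required}")
```

Run it against the image's actual poetry.lock (or a `pip freeze` converted to the same two fields) after the dependency install step; an empty result is evidence that the scanner hit can be cleared for that image, while a non-empty one means an ignore would hide a real exposure. The version comparison is deliberately minimal; for anything beyond plain dotted releases use `packaging.version.Version`.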
Poetry Installation Method
pip
Operating System
all operating systems
Poetry Version
poetry==2.1.1, poetry==2.1.2
Poetry Configuration
Python Sysconfig
N/A
Example pyproject.toml
N/A
Poetry Runtime Logs
N/A