[GHSA-h7wm-ph43-c39p] Scrapy denial of service vulnerability #7369
G-Rath wants to merge 1 commit into G-Rath/advisory-improvement-7369 from
Pull request overview
Updates the GitHub-reviewed advisory for GHSA-h7wm-ph43-c39p (Scrapy DoS via memory consumption) to reflect newly assessed affected versions.
Changes:
- Extends the affected range by updating last_affected from 2.14.1 to 2.15.0.
- Slightly bumps the advisory modified timestamp.
| "schema_version": "1.4.0", | ||
| "id": "GHSA-h7wm-ph43-c39p", | ||
| "modified": "2026-01-14T19:14:21Z", | ||
| "modified": "2026-01-14T19:14:23Z", |
The modified timestamp looks like it was only bumped by 2 seconds and does not reflect when this advisory is actually being updated in this PR. Please set modified to the current update time (UTC) so downstream consumers can reliably detect this change.
| "modified": "2026-01-14T19:14:23Z", | |
| "modified": "2026-04-12T00:00:00Z", |
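Review bot: the suggested 2026-04-12T00:00:00Z is a round midnight placeholder, not the actual update time the comment above asks for, and it sits oddly next to the 2-second bump in the first hunk; pick the real UTC time of this change for modified and use that one value, since consumers compare this field to decide whether to re-ingest the record and a hand-picked value defeats that.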
| "introduced": "0.7" | ||
| }, | ||
| { | ||
| "last_affected": "2.14.1" | ||
| "last_affected": "2.15.0" | ||
| } |
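Review bot: the commit message says the new release does not fix the issue, so this range still carries no fixed event and "last_affected": "2.15.0" will report every release after 2.15.0 as unaffected until someone bumps it again; confirm that is the intended convention for unfixed advisories in this repository, and if an open-ended range is preferred, drop the last_affected event rather than tracking each release by hand.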
With last_affected now set to 2.15.0, the details text starting with "Scrapy 1.4 allows..." is likely misleading because it reads as if only 1.4 is impacted. Please adjust the wording to reflect the affected version range (e.g., "Scrapy versions ...") so the narrative matches the affected.ranges data.
New version has been released which does not fix the issue