Description
Hey team,
First off — love the library, it's been solid for our cTrader integration. Just flagging something we ran into while setting up CI/CD security scanning.
ctrader-open-api 0.9.2 pins a few dependencies to exact versions that currently carry 9 known CVEs:
| Package | Pinned Version | CVEs | Fixed In |
|---|---|---|---|
| protobuf | 3.20.1 | CVE-2022-1941, CVE-2025-4565, CVE-2026-0994 | 3.20.2 / 4.25.8+ / 5.29.5+ |
| Twisted | 24.3.0 | PYSEC-2024-75, CVE-2024-41671 | 24.7.0+ |
| requests | 2.32.3 (transitive) | CVE-2024-47081 | 2.32.4 |
| cryptography | 42.0.8 (transitive) | GHSA-h4gh-qq45-vh27, CVE-2024-12797, CVE-2026-26007 | 43.0.1+ / 44.0.1+ / 46.0.5+ |
Because the versions are hard-pinned (e.g. `Twisted==24.3.0`, `protobuf==3.20.1` in `pyproject.toml`), we can't bump them on our end without breaking the install. We're currently working around it by ignoring these in `pip-audit`, but it'd be great to get them resolved upstream.
Even just loosening the pins to compatible ranges (e.g. `protobuf>=3.20.2,<4` and `Twisted>=24.7.0`) would let downstream projects pick up the security fixes.
Would really appreciate any movement on this when you get a chance. Happy to help test if you push a pre-release.
Cheers
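The two things the report asks for, checking a pinned version against the "Fixed In" column and turning an exact pin into a range that still picks up the fix, can be automated. The script below is an added example for this issue, not code from ctrader-open-api or from the reporter. It encodes the fix versions from the table above, and the `SAMPLE_PINS` list is constructed from the versions quoted in the report rather than read from the project's real `pyproject.toml`. It treats a version as patched only when it is at or above the fix on its own major release line (so `protobuf 4.21.0` is not "fixed" just because it is newer than `3.20.2`), and assumes that any release line newer than every line in the table also carries the fix; both the table and that assumption are inputs you should adjust for your own audit.

```python
"""Check exact pins against per-release-line fix versions and suggest a loosened range.

Added example for the pip-audit workaround discussed in the issue; not project code.
The version parser is deliberately minimal (numeric dotted releases only), not PEP 440.
"""
import re

# Fix versions per package, copied from the issue's "Fixed In" column: one entry per
# major release line that received a fix. Keys are lower-cased distribution names.
FIXED_IN = {
    "protobuf": ["3.20.2", "4.25.8", "5.29.5"],
    "twisted": ["24.7.0"],
    "requests": ["2.32.4"],
    "cryptography": ["43.0.1", "44.0.1", "46.0.5"],
}

# Constructed sample input: the direct pins quoted from pyproject.toml plus the
# transitive versions the report names. Not the project's real lock file.
SAMPLE_PINS = [
    "Twisted==24.3.0",
    "protobuf==3.20.1",
    "requests==2.32.3",
    "cryptography==42.0.8",
]

_EXACT_PIN = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*$")


def parse_version(v):
    """'3.20.1' -> (3, 20, 1). Stops at the first non-numeric segment (rc1, post1)."""
    parts = []
    for seg in v.split("."):
        m = re.match(r"\d+", seg)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_pin(req):
    """'Twisted==24.3.0' -> ('twisted', '24.3.0'); None unless it is an exact '==' pin."""
    m = _EXACT_PIN.match(req)
    if not m:
        return None
    return m.group(1).lower(), m.group(2)


def fix_for_line(pkg, version):
    """Fix version on the same major release line as `version`, or None if that line has none."""
    major = parse_version(version)[0]
    for fix in FIXED_IN.get(pkg, []):
        if parse_version(fix)[0] == major:
            return fix
    return None


def is_fixed(pkg, version):
    """True when `version` is at or above the fix for its own release line.

    Assumption: a release line newer than every line in the table also carries the fix.
    A release line older than every fixed line (no fix ever shipped for it) is not fixed.
    """
    fixes = FIXED_IN.get(pkg)
    if not fixes:
        return True  # no known advisory for this package
    fix = fix_for_line(pkg, version)
    if fix is None:
        return parse_version(version)[0] > max(parse_version(f)[0] for f in fixes)
    return parse_version(version) >= parse_version(fix)


def loosen_pin(req):
    """Rewrite a vulnerable exact pin as 'name>=<fix>,<<next major>', e.g.
    'protobuf==3.20.1' -> 'protobuf>=3.20.2,<4'. Unchanged if already fixed or not an exact pin."""
    parsed = parse_pin(req)
    if parsed is None:
        return req
    pkg, version = parsed
    if is_fixed(pkg, version):
        return req
    name = req.split("==")[0].strip()  # keep the author's capitalisation (Twisted)
    fix = fix_for_line(pkg, version)
    if fix is None:
        # No fix on this line: move to the lowest fixed line above it.
        major = parse_version(version)[0]
        fix = min((f for f in FIXED_IN[pkg] if parse_version(f)[0] > major), key=parse_version)
    return f"{name}>={fix},<{parse_version(fix)[0] + 1}"


def audit(pins):
    """Map each vulnerable exact pin to its suggested replacement range."""
    findings = {}
    for req in pins:
        suggestion = loosen_pin(req)
        if suggestion != req:
            findings[req] = suggestion
    return findings


if __name__ == "__main__":
    for old, new in audit(SAMPLE_PINS).items():
        print(f"{old:24s} -> {new}")
```

Run it as-is to see the four pins from the report rewritten; to audit a real project, replace `SAMPLE_PINS` with the `==` lines from its `pyproject.toml` or lock file and refresh `FIXED_IN` from the advisories `pip-audit` reports, since the table here only reflects the versions named in this issue.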