SNOW-3244317: Tight upper bound on pyopenssl in dependency constraints prevents CVE fix #2789

@sparkiegeek-slam

Description

pyOpenSSL>=24.0.0,<26.0.0

Because this project forces an upper bound of pyopenssl <26.0.0, its users cannot easily address GHSA-vp96-hxj8-p424.

Workarounds are either to ignore the vulnerability in scanning tools (e.g. uv-secure, pip-audit, ...) or to force the dependency install and break the constraint in this project.

Note there are backwards-incompatible changes in https://www.pyopenssl.org/en/latest/changelog.html#id1, notably dropping Python 3.7, which already aligns with the connector's supported versions.
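A check that a consumer of a constraints file can run to see whether a pin like the one quoted above excludes the release that fixes an advisory, added here as an example that is not part of the issue or of the connector's code. The "26.0.0" fixed version and the sample constraints text are assumptions for illustration; real pins can use PEP 440 features (pre-releases, `~=`, wildcards) that this small parser deliberately rejects.

```python
"""Flag the clauses of a dependency pin that exclude an advisory's fixed version.
Added example, not the issue's or the connector's code; the '26.0.0' fixed version used
below is an assumption. Handles >=, >, <=, <, ==, != on dotted numeric versions only."""
import re
# Constructed constraints text containing the pin quoted in the issue.
SAMPLE_CONSTRAINTS = "cryptography>=3.1.0\npyOpenSSL>=24.0.0,<26.0.0\n"

_OPS = {
    ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}

def normalize_name(name: str) -> str:
    """PEP 503 normalisation so 'pyOpenSSL' and 'pyopenssl' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_version(v: str) -> tuple[int, ...]:
    return tuple(int(p) for p in v.strip().split("."))  # '26.0.0' -> (26, 0, 0); no pre-releases

def parse_requirement(line: str) -> tuple[str, list[tuple[str, str]]]:
    """'pyOpenSSL>=24.0.0,<26.0.0' -> ('pyOpenSSL', [('>=', '24.0.0'), ('<', '26.0.0')])."""
    m = re.match(r"^\s*([A-Za-z0-9_.-]+)\s*(.*?)\s*$", line)
    if not m:
        raise ValueError(f"unparseable requirement: {line!r}")
    clauses = []
    for part in filter(None, (p.strip() for p in m.group(2).split(","))):
        cm = re.match(r"^(>=|<=|==|!=|>|<)\s*([0-9][0-9.]*)$", part)
        if not cm:
            raise ValueError(f"unsupported clause: {part!r}")
        clauses.append((cm.group(1), cm.group(2)))
    return m.group(1), clauses

def blocking_clauses(requirement: str, fixed_version: str) -> list[str]:
    """Clauses of `requirement` that `fixed_version` fails; [] means it is admitted."""
    _, clauses = parse_requirement(requirement)
    v, blocked = parse_version(fixed_version), []
    for op, bound in clauses:
        b = parse_version(bound)
        n = max(len(v), len(b))  # pad so that 23.2 compares as 23.2.0
        if not _OPS[op](v + (0,) * (n - len(v)), b + (0,) * (n - len(b))):
            blocked.append(op + bound)
    return blocked

def find_blocking_pin(constraints: str, package: str, fixed_version: str) -> list[str]:
    """Scan constraints text for `package`; return the clauses that exclude `fixed_version`."""
    for line in constraints.splitlines():
        if line.strip() and normalize_name(parse_requirement(line)[0]) == normalize_name(package):
            return blocking_clauses(line, fixed_version)
    return []  # no pin for the package: nothing blocks the upgrade
```

A non-empty result is the signal that a scanner finding cannot be resolved by a plain upgrade and the pin itself has to change upstream.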

Metadata

Labels

- status-fixed_awaiting_release: The issue has been fixed, its PR merged, and now awaiting the next release cycle of the connector.
- status-triage_done: Initial triage done, will be further handled by the driver team
