# meltano-plugin-development
j
Hey all, I'm not sure if this is the right channel for it, but I'm trying to chase down a critical vulnerability flagged in our local DependencyTrack: https://nvd.nist.gov/vuln/detail/CVE-2024-53899, which was fixed via https://github.com/pypa/virtualenv/pull/2771. I was trying to find the dependency in my package, but I don't see any references, which makes me think it's being used in a separate package. I'm not sure if this vuln is coming from Meltano/Dagster/DBT, but my initial hunch is Meltano because of https://github.com/meltano/meltano/blob/main/docs/docs/concepts/python_virtual_environments.md. Would someone from the Meltano team be able to confirm?
e
Hi @joshua_janicas!
`virtualenv` is indeed a dependency of Meltano: https://github.com/meltano/meltano/blob/5e40b9d6d721937895199f8d6da422565fad29aa/pyproject.toml#L83. The bump to the CVE-patched version of it happened in a7746cbd, which was first shipped in `v3.6.0b1`, so the final 3.6.0 will for sure have a patched version.
j
Yay, thank you!