orjson CVE in older version, should be upgraded to 3.9.15 or higher

[azell]

When I run a code scanner on my project that uses aws-glue-schema-registry-python I see the following:

❯ trunk check
Checking 100% [================================================================================================================>]  124/124  2.5s
                                      
  ISSUES  

poetry.lock:2155:0
 2155:0  high  orjson.loads in 'orjson' before 3.9.15 does not limit recursion for deeply nested JSON documents.  osv-scanner/GHSA-pwr2-4v36-6qpr
               Current version is vulnerable: 3.6.9. Patch available: upgrade to 3.9.15 or higher.

Is there anything preventing upgrading the orjson version?

[nickzandbergen]

Very likely not, but I haven't tested it.

[katelfox]

Will this be addressed at some point?

[nickzandbergen]

Probably not any time soon - I haven't seen any pull requests about it and due to the specifics of the CVE and how orjson is used in this library, this is below the threshold I'd do a dedicated release for.