pending-upstream-fix advisory for xh package, related to the idna cra…

…te, which we are unable to upgrade to remediate GHSA-h97m-ww89-6jmq Signed-off-by: Mark McCormick <[email protected]>
wolfi-dev · Jan 5, 2025 · 718234f · 718234f
1 parent 7494393
commit 718234f
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/xh.advisories.yaml b/xh.advisories.yaml
@@ -42,6 +42,14 @@ advisories:
             componentType: rust-crate
             componentLocation: /usr/bin/xh
             scanner: grype
+      - timestamp: 2025-01-05T01:19:39Z
+        type: pending-upstream-fix
+        data:
+          note: |
+            This CVE relates to THE 'idna' dependency, and a fix is available in v1.0.0 and later.
+            There are multiple crates in this project depending on multiple versions of 'idna'.
+            Attempting to upgrade the oldest 'idna' crate, as well as dependent packages, results in build failures.
+            Pending fix from upstream.
 
   - id: CGA-6x75-6gj7-pp2r
     aliases: