Vulnerable and outdated dependencies

It seems that PurlDB is currently using several dependencies that have not been updated in a while, some of which had vulnerabilities reported that may or may not be exploitable in the context of PurlDB. For instance, Django 5.1.13 is affected by CVE-2025-64459 and 5.1.x has reached [EOL in December 2025](https://www.djangoproject.com/download/). I would kindly ask you to review dependencies and update to current and supported versions.

Attached are potentially relevant vulnerabilities listed in VDR and VEX format, based on the SBOM that has been generated from the requirements.txt using cdxgen.

[2026-03-16-purldb-vex.cdx.json](https://github.com/user-attachments/files/26021160/2026-03-16-purldb-vex.cdx.json)

[2026-03-16-purldb-vdr.cdx.json](https://github.com/user-attachments/files/26021164/2026-03-16-purldb-vdr.cdx.json)

[2026-03-16-purldb-sbom-v7.1.0-patched.5.json](https://github.com/user-attachments/files/26021170/2026-03-16-purldb-sbom-v7.1.0-patched.5.json)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Vulnerable and outdated dependencies #844

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Vulnerable and outdated dependencies #844

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions