False positives related to celery and sub depencies #416
Description
Recent reports seem to indicate false positive related to celery.
https://pyup.io/repos/github/crim-ca/weaver/commits/?page=1#0d9d2e845c11a48a39cab0a73962ce87dae6428f
| Package | Installed | Affected | Info |
|---|---|---|---|
| celery | 3.1.26.post2 | <5.2.0 | Celery 5.2.0 updates 'kombu' to v5.2.1, which includes dependencies updates that resolve security issues. |
I actually have version 4.4.2 pinned (as shown below) for quite a long time.
crim-ca/weaver@4370852
celery[mongodb]==4.4.2; sys_platform != "win32"
I only started getting issues last week (due to 5.2.x release), but it seems broken because my builds are not even able to find those versions on pypi.
Anyway, the "installed" version is completely wrong, so something bad must be happening.
Because I'm not even on the same major version, it is really hard for me to know if this is an actual security issue or just a detection problem on pyup side.