Security: outdated minimum versions for PyOpenSSL and pyasn1 allow vulnerable installations

## Summary

The current `install_requires` in `setup.py` allows installation of vulnerable versions of two dependencies:

| CVE | Library | Current constraint | Fixed version |
|-----|---------|-------------------|---------------|
| CVE-2026-30922 | pyasn1 | >=0.1.1 | >=0.6.3 |
| CVE-2026-27459 | PyOpenSSL | (no minimum) | >=26.0.0 |

Any project depending on `ndg_httpsclient` can end up with insecure transitive dependencies since the version floors are too low.

## Proposed fix

A fix has been submitted in #26 — bumping the minimum versions in `install_requires`.

@philipkershaw could you please take a look? Thanks!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security: outdated minimum versions for PyOpenSSL and pyasn1 allow vulnerable installations #27

Summary

Proposed fix

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

CVE	Library	Current constraint	Fixed version
CVE-2026-30922	pyasn1	>=0.1.1	>=0.6.3
CVE-2026-27459	PyOpenSSL	(no minimum)	>=26.0.0

Security: outdated minimum versions for PyOpenSSL and pyasn1 allow vulnerable installations #27

Description

Summary

Proposed fix

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions