Affected Components pypi:pip/24.0
The vulnerable pip version, 24.0, is bundled with the Python 3.11.15 that the nodejs-buildpack ships (CPython installs its bundled pip via ensurepip).
Option 1: Wait for Python 3.11.16 (Recommended)
- Python 3.11.16 will likely bundle a patched pip version
- Python 3.11.x is in maintenance mode, so updates come periodically
- Track https://www.python.org/downloads/ for 3.11.16 release
Option 2: Document Workaround
Since most users won't directly use pip from the nodejs-buildpack's Python, the exposure is limited:
- Document that users who do rely on that pip should upgrade it after installation:
  python -m pip install --upgrade pip
- This is already a best practice, and it is independent of whether a new Python 3.11.x is released
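For the workaround above, a script that checks which pip is bundled with a given interpreter and only upgrades it when it is older than a minimum version, so the same step can be reused in a build hook or a CI check. This is an added example and not code from the nodejs-buildpack project; MIN_PIP is an assumed placeholder because this page does not state the first fixed pip release, and the interpreter path is whatever the buildpack installs.

```sh
#!/bin/sh
# Added example (not from the nodejs-buildpack): detect the pip bundled with a
# Python interpreter and upgrade it in place if it is below a minimum version.
set -eu

# MIN_PIP is an assumed placeholder: set it to the first pip release that fixes
# the advisory, which this page does not state.
MIN_PIP="${MIN_PIP:-24.0}"

# pip_version_lt A B: return 0 (true) when dotted version A is older than B.
# Compares numeric components only; pre-release suffixes such as "rc1" are
# not handled, which is fine for the release versions CPython bundles.
pip_version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a='' || a="${a#*.}"
        [ "$b" = "$bi" ] && b='' || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1
}

# bundled_pip_version PYTHON: print the pip version for that interpreter
# (e.g. "24.0"), or nothing if pip is not importable.
bundled_pip_version() {
    "$1" -m pip --version 2>/dev/null | awk '{print $2}'
}

# ensure_pip_at_least PYTHON MIN: upgrade pip only when it is too old.
# Exit status: 0 on success, 2 when no pip was found for the interpreter.
ensure_pip_at_least() {
    python_bin="$1"; min="$2"
    current="$(bundled_pip_version "$python_bin")" || current=''
    if [ -z "$current" ]; then
        echo "no pip found for $python_bin"
        return 2
    fi
    if pip_version_lt "$current" "$min"; then
        echo "pip $current < $min: upgrading"
        "$python_bin" -m pip install --upgrade "pip>=$min"
    else
        echo "pip $current >= $min: nothing to do"
    fi
}

# Usage, e.g. from a build hook: ensure_pip_at_least python3 "$MIN_PIP"
```

The version comparison is pure POSIX sh so it runs in the minimal shells used by buildpack containers; the upgrade pins `pip>=MIN_PIP` so a mirror that serves an old index cannot silently reinstall the vulnerable release.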
Option 3: Consider Deprecation
- Python 3.11.x reaches EOL on 2027-10-24 (per manifest.yml)
- Consider if Python 3.11.x is still needed in the nodejs-buildpack