I would argue that this is not a security vulnerability of pypowervm. We're not requiring a vulnerable version of requests, we're just allowing for it. Anyone concerned about the requests vulnerability (and rightly so) is welcome to use a newer version of requests with pypowervm.
If we bump our requirements to include the newer version, that will force folks to move to the newer requests version when they move to the newer pypowervm version making that change. This is great if they can do that, but could have downstream repercussions on things like PowerVC and OpenStack. Do they require the newer version of requests? Is the newer version of requests available from all the distros where pypowervm needs to work?
Also keep in mind that it's quite possible that a distro has backported the requests security fix to older versions so that they are not vulnerable.