Strict PyNaCl dependency raises CVE errors in basic security scanning #10425
As discord.py restricts PyNaCl to <1.6 then any tools scanning discord.py's dependencies (Dependabot with a This discussion is more around "can we unpin this minor version patch"? I assume it was pinned to <1.6 due to a breaking change in a minor version or something ludicrous, but is it worth investigating?
Replies: 2 comments
None of the high level functions in libsodium (or as a result, PyNaCl) are susceptible to the issue in question, and any user actually doing custom cryptography with the low level functions is already in "you're assumed to be able to figure out the safety implications" territory. This is one of the problems with CVE scanning in general: there are generally no tools that actually check if it's vulnerable for simply existing vs specific code paths being used. In this particular case, this isn't code that can be provoked into vulnerability without there existing a code path that implements custom cryptography on top of the lower level functions in libsodium. As for if we can relax that pin, I'm not sure without further review, but it seems we could change it to <1.7 when looking at PyNaCl's policies, and that the only breaking change in 1.6 was dropping support for python < 3.8.
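As an added illustration of the reachability point made in the comment above (this is not code from discord.py or PyNaCl), a small AST-based triage helper that reports whether a Python source file reaches PyNaCl's low-level libsodium wrappers or only the high-level API. It assumes the low-level wrappers live under the `nacl.bindings` module name; the sample sources are constructed.

```python
"""Triage helper: does a Python file reach PyNaCl's low-level libsodium
bindings (nacl.bindings), or only the high-level API (nacl.secret, ...)?
A scanner flagging a CVE in the low-level layer is only relevant to code
in the first category."""
import ast
from dataclasses import dataclass, field

# Assumption: PyNaCl exposes its raw libsodium wrappers under this module.
LOW_LEVEL_PREFIX = "nacl.bindings"


@dataclass
class NaclUsage:
    high_level: set = field(default_factory=set)
    low_level: set = field(default_factory=set)

    @property
    def reaches_low_level(self) -> bool:
        return bool(self.low_level)


def _classify(name: str, usage: NaclUsage) -> None:
    if name == LOW_LEVEL_PREFIX or name.startswith(LOW_LEVEL_PREFIX + "."):
        usage.low_level.add(name)
    elif name == "nacl" or name.startswith("nacl."):
        usage.high_level.add(name)


def scan_source(src: str) -> NaclUsage:
    """Collect every nacl.* name the source imports or dereferences."""
    usage = NaclUsage()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                _classify(alias.name, usage)
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                _classify(f"{node.module}.{alias.name}", usage)
        elif isinstance(node, ast.Attribute):
            # Rebuild dotted chains such as nacl.bindings.crypto_secretbox
            parts, cur = [], node
            while isinstance(cur, ast.Attribute):
                parts.append(cur.attr)
                cur = cur.value
            if isinstance(cur, ast.Name):
                parts.append(cur.id)
                _classify(".".join(reversed(parts)), usage)
    return usage


# Constructed samples: high-level-only usage vs. custom crypto on the bindings.
HIGH_LEVEL_SAMPLE = "from nacl.secret import SecretBox\nimport nacl.utils\nkey = nacl.utils.random(SecretBox.KEY_SIZE)\nct = SecretBox(key).encrypt(b'hello')\n"
LOW_LEVEL_SAMPLE = "import nacl.bindings\nfrom nacl import bindings\nct = nacl.bindings.crypto_secretbox(b'm', b'n' * 24, b'k' * 32)\n"
```

Running `scan_source` over each file in a project and checking `reaches_low_level` is a quick way to decide whether a flagged PyNaCl advisory needs further review or can be documented as unreachable.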
The reason it hasn't been bumped is purely because there was no reason to since I've been bitten by minor versions before (ahem, aiohttp). Either way, looking through the changelogs it seems they finally made a release in late 2025 for v1.6 after 3 years of no updates so bumping it seems to be fine so I've gone ahead and updated the range from `>=1.5,<1.6` to `>=1.6,<1.7`.