On Tuesday, January 24, we’ll be releasing version 7.2.2 of xblock-lti-consumer. This release will contain a Low level security fix as determined using CVSS.
Note for maintainers: The package name is lti-consumer-xblock, which differs from the repo name.
As far as the master/main branches of the edx and openedx orgs are concerned, I only see it as a direct dependency in edx/edx-exams and openedx/edx-platform.
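Added example, not code from this thread or from the Open edX project: a standard-library Python audit that scans a deployment's requirements file for the LTI consumer pin, using the distribution name lti-consumer-xblock (not the repo name xblock-lti-consumer, which the note above points out differs), and compares the pinned version numerically against the 7.2.2 release that carries the fix. The requirements lines are constructed sample input, and the function names are my own. It reports a pin below 7.2.2 as outdated relative to the fixed release; whether a given older version is actually affected is for the advisory to say, not this script.

```python
"""Audit whether a deployment pins the fixed lti-consumer-xblock release.

Added example, not the announcement's or the project's own code. Uses only
the standard library. The fixed release (7.2.2) and the distribution name
(lti-consumer-xblock, distinct from the repo name xblock-lti-consumer) come
from the thread; everything else here is an assumption for illustration.
"""
import re
from importlib import metadata

FIXED_VERSION = "7.2.2"
PACKAGE_NAME = "lti-consumer-xblock"   # name on PyPI / in requirements files
REPO_NAME = "xblock-lti-consumer"      # GitHub repo name; not a valid pin

# name, optional operator, optional version; environment markers are ignored
PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|~=|<=|<|>|!=)?\s*([^\s;#]*)"
)

# Constructed sample requirements file, not any real deployment's.
SAMPLE_REQUIREMENTS = """\
# constructed sample
django==3.2.17
lti-consumer-xblock==4.5.0
xblock==1.6.2
"""


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v: str) -> tuple:
    """Turn a dotted release version into an integer tuple.

    String comparison would rank '10.0.0' below '7.2.2'; integer tuples do not.
    Only the leading numeric release segment is used; pre-release or local
    suffixes after it are ignored for this check.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    if len(parts) < 3:                       # pad so 7.2 compares as 7.2.0
        parts = parts + (0,) * (3 - len(parts))
    return parts


def audit_requirements(requirements_text: str) -> dict:
    """Classify the LTI consumer pin in a requirements file.

    status is one of: 'fixed' (exact pin >= 7.2.2), 'outdated' (exact pin
    below 7.2.2), 'unpinned' (present without an exact pin), 'wrong-name'
    (the repo name was used instead of the distribution name), or 'missing'.
    """
    result = {"status": "missing", "pins": []}
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            continue
        name, op, ver = m.groups()
        norm = normalize(name)
        if norm == normalize(REPO_NAME):
            result["pins"].append(line)
            if result["status"] == "missing":
                result["status"] = "wrong-name"
            continue
        if norm != normalize(PACKAGE_NAME):
            continue
        result["pins"].append(line)
        if op != "==" or not ver:
            result["status"] = "unpinned"
            continue
        result["pinned"] = ver
        if parse_version(ver) >= parse_version(FIXED_VERSION):
            result["status"] = "fixed"
        else:
            result["status"] = "outdated"
    return result


def installed_version():
    """Version of lti-consumer-xblock in the current environment, or None."""
    try:
        return metadata.version(PACKAGE_NAME)
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    print(audit_requirements(SAMPLE_REQUIREMENTS))
    print("installed:", installed_version())
```

The same check can be pointed at an installed environment with `installed_version()`, which answers the practical question for a running site rather than for its pin file; both are needed, since a requirements file and a deployed virtualenv can drift apart.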
I’m seeing this topic just now. The version of the xblock that ships with Olive is 4.5.0. Is version 4.5.0 affected by the vulnerability? If yes, can we safely upgrade to 7.2.2? In my understanding there are at least three breaking changes between 4.5.0 and 7.2.2, so it seems unlikely that we can upgrade without any problem in Olive.