Description
Dependabot has just thrown this at my bingads code: GHSA-v3c5-jqr6-7qm8
On a quick search of the head of your main branch, it looks to me as though the only use of future is several cases of from future.utils import with_metaclass. That's thoroughly harmless, and I'm confident guessing that it's not subject to a vulnerability in cookie-handling code! Nothing else in my application uses future, so I can dismiss my dependabot alert.
Still, it might be helpful to your users if you cut the dependency on future by specifying your metaclasses in Python 3 syntax (judging by your trove classifiers, you no longer support Python 2 anyway). I've never used with_metaclass before, but I believe that for example: class _BulkEntityIdentifier(with_metaclass(ABCMeta, _BulkObject)): translates to class _BulkEntityIdentifier(_BulkObject, metaclass=ABCMeta):.
The last release of future was 3 years ago, so I don't know whether that's still maintained. Perhaps it will respond to the advisory with a fix, in which case there's no need to change anything, but it doesn't look promising: PythonCharmers/python-future#610
Even if you don't plan to change anything, I propose that this ticket might help anyone else who ends up here in the next few days because they got the same dependabot alert. Saves them doing the same check of the code :-)
If you are changing it, then while you're in there, there are some from __future__ import print_function and similar that are no longer needed provided you don't support Python 2.