{"package":"piccolo","ecosystem":"pypi","latest_version":"1.33.0","description":"A fast, user friendly ORM and query builder which supports asyncio.","license":"MIT","license_risk":"permissive","commercial_use_notes":"Permissive: commercial closed-source use OK; preserve the copyright notice.","homepage":"https://github.com/piccolo-orm/piccolo","repository":"https://github.com/piccolo-orm/piccolo","downloads_weekly":53484,"health":{"score":67,"risk":"moderate","breakdown":{"maintenance":20,"popularity":10,"security":15,"maturity":15,"community":7},"deprecated":false,"max_score":100},"vulnerabilities":{"count":1,"critical":1,"high":0,"medium":0,"low":0,"details":[{"vuln_id":"CVE-2023-47128","severity":"critical","summary":"Piccolo is an object-relational mapping and query builder which supports asyncio. Prior to version 1.1.1, the handling of named transaction `savepoints` in all database implementations is vulnerable to SQL Injection via f-strings. While it is highly unlikely that an end developer would expose a `savepoints` `name` parameter to a user, it would not be unheard of. 
If a malicious user was able to abuse this functionality they would have essentially direct access to the database and the abilit","affected_versions":"<82679eb8cd1449cf31d87c9914a072e70168b6eb|=0.1.0|=0.1.1|=0.1.2|=0.10.0|=0.10.1|=0.10.2|=0.10.3|=0.10.4|=0.10.5|=0.10.6|=0.10.7|=0.10.8|=0.100.0|=0.101.0|=0.102.0|=0.103.0|=0.104.0|=0.105.0|=0.106.0|=0.107.0|=0.108.0|=0.109.0|=0.11.0|=0.11.1|=0.11.2|=0.11.3|=0.11.4|=0.11.5|=0.11.6|=0.11.7|=0.11.8|=0.110.0|=0.111.0|=0.111.1|=0.112.0|=0.112.1|=0.113.0|=0.114.0|=0.115.0|=0.116.0|=0.117.0|=0.118.0|=0.119.0|=0.12.0|=0.12.1|=0.12.2|=0.12.3|=0.12.4|=0.12.5|=0.12.6|=0.120.0|=0.121.0|=0.13.0|=0.13.1|=0.13.2|=0.13.3|=0.13.4|=0.13.5|=0.14.0|=0.14.1|=0.14.10|=0.14.11|=0.14.12|=0.14.13|=0.14.2|=0.14.3|=0.14.4|=0.14.5|=0.14.6|=0.14.7|=0.14.8|=0.14.9|=0.15.0|=0.15.1|=0.16.0|=0.16.1|=0.16.2|=0.16.3|=0.16.4|=0.16.5|=0.17.0|=0.17.1|=0.17.2|=0.17.3|=0.17.4|=0.17.5|=0.18.0|=0.18.1|=0.18.2|=0.18.3|=0.18.4|=0.19.0|=0.19.1|=0.2.0|=0.20.0|=0.21.0|=0.21.1|=0.21.2|=0.22.0|=0.23.0|=0.24.0|=0.24.1|=0.25.0|=0.26.0|=0.27.0|=0.28.0|=0.29.0|=0.3.0|=0.3.1|=0.3.2|=0.3.3|=0.3.4|=0.3.5|=0.3.6|=0.3.7|=0.30.0|=0.31.0|=0.32.0|=0.33.0|=0.33.1|=0.34.0|=0.35.0|=0.36.0|=0.37.0|=0.38.0|=0.38.1|=0.38.2|=0.39.0|=0.4.0|=0.4.1|=0.40.0|=0.40.1|=0.41.0|=0.41.1|=0.42.0|=0.43.0|=0.44.0|=0.44.1|=0.45.0|=0.45.1|=0.46.0|=0.47.0|=0.48.0|=0.49.0|=0.5.0|=0.5.1|=0.5.2|=0.50.0|=0.51.0|=0.51.1|=0.52.0|=0.53.0|=0.54.0|=0.55.0|=0.56.0|=0.57.0|=0.58.0|=0.59.0|=0.6.0|=0.6.1|=0.60.0|=0.60.1|=0.60.2|=0.61.0|=0.61.1|=0.61.2|=0.62.0|=0.62.1|=0.62.2|=0.62.3|=0.63.0|=0.63.1|=0.64.0|=0.65.0|=0.65.1|=0.66.0|=0.66.1|=0.67.0|=0.68.0|=0.69.0|=0.69.1|=0.69.2|=0.69.3|=0.69.4|=0.69.5|=0.7.0|=0.7.1|=0.7.2|=0.7.3|=0.7.4|=0.7.5|=0.7.6|=0.7.7|=0.70.0|=0.70.1|=0.71.0|=0.71.1|=0.72.0|=0.73.0|=0.74.0|=0.74.1|=0.74.2|=0.74.3|=0.74.4|=0.75.0|=0.76.0|=0.76.1|=0.77.0|=0.78.0|=0.79.0|=0.8.0|=0.8.1|=0.8.2|=0.8.3|=0.80.0|=0.80.1|=0.80.2|=0.81.0|=0.82.0|=0.83.0|=0.84.0|=0.85.0|=0.85.1|=0.86.0|=0.87.0|=0.88.0|=
0.89.0|=0.9.0|=0.9.1|=0.9.2|=0.9.3|=0.90.0|=0.91.0|=0.92.0|=0.93.0|=0.94.0|=0.95.0|=0.96.0|=0.97.0|=0.98.0|=0.99.0|=1.0.0|=1.0a1|=1.0a2|=1.0a3|=1.1.0|=1.1.1|=1.2.0|=1.3.0|=1.10.0|=1.11.0|=1.12.0|=1.13.0|=1.13.1|=1.14.0|=1.15.0|=1.16.0|=1.17.0|=1.17.1|=1.18.0|=1.19.0|=1.19.1|=1.20.0|=1.21.0|=1.22.0|=1.23.0|=1.24.0|=1.24.1|=1.24.2|=1.25.0|=1.26.0|=1.26.1|=1.27.0|=1.27.1|=1.28.0|=1.3.1|=1.3.2|=1.4.0|=1.4.1|=1.4.2|=1.5.0|=1.5.1|=1.5.2|=1.6.0|=1.7.0|=1.8.0|=1.9.0","fixed_version":"82679eb8cd1449cf31d87c9914a072e70168b6eb","source":"osv","published_at":"2023-11-10T18:15:00Z","in_kev":false,"epss_prob":0.00228,"epss_percentile":0.45406,"threat_tier":"theoretical"}],"actively_exploited_count":0,"likely_exploited_count":0},"versions":{"latest":"1.33.0","total_count":292,"recent":["1.19.0","1.19.1","1.20.0","1.21.0","1.22.0","1.23.0","1.24.0","1.24.1","1.24.2","1.25.0","1.26.0","1.26.1","1.27.0","1.27.1","1.28.0","1.29.0","1.30.0","1.31.0","1.32.0","1.33.0"]},"metadata":{"deprecated":false,"deprecated_message":null,"maintainers_count":1,"first_published":null,"last_published":"2026-03-06T17:13:04.487887Z","dependencies_count":17,"dependencies":["black","colorama>=0.4.0","Jinja2>=2.11.0","targ>=0.3.7","inflection>=0.5.1","typing-extensions>=4.3.0","pydantic[email]==2.*","orjson>=3.5.1; extra == \"orjson\"","ipython; extra == \"playground\"","asyncpg>=0.30.0; extra == \"postgres\"","aiosqlite>=0.16.0; extra == \"sqlite\"","uvloop>=0.12.0; sys_platform != \"win32\" and extra == \"uvloop\"","orjson>=3.5.1; extra == \"all\"","ipython; extra == \"all\"","asyncpg>=0.30.0; extra == \"all\"","aiosqlite>=0.16.0; extra == \"all\"","uvloop>=0.12.0; sys_platform != \"win32\" and extra == 
\"all\""]},"github_stats":{"stars":1896,"forks":104,"open_issues":40,"is_archived":false,"pushed_at":"2026-04-28T17:08:03Z","subscribers_count":16},"bundle":null,"typescript":null,"known_issues":{"bugs_count":0,"bugs_severity":{},"status_breakdown":{},"link":null,"scope":"none"},"historical_compromise":null,"recommendation":{"action":"do_not_use","issues":["1 critical vulnerability"],"use_version":"1.33.0","version_hint":"Update to a release that includes fix commit 82679eb8cd1449cf31d87c9914a072e70168b6eb (the advisory text states the issue affects versions prior to 1.1.1) to fix known vulnerabilities","summary":"piccolo has critical vulnerabilities — do not use"},"version_scoped":null,"requested_version":null,"_cache":"hit","_response_ms":0,"_powered_by":"depscope.dev — free package intelligence for AI agents","typosquat":{"is_suspected":false},"maintainer_trust":{"available":false},"malicious":{"is_malicious":false},"scorecard":{"available":false},"quality":{"available":false},"version_history_summary":{"total_versions":20,"first_release_age_days":null,"last_release_days_ago":53,"avg_days_between_releases":null,"release_velocity":"active"}}