`PYSEC-2023-241` specifies vulnerable versions that are not actually vulnerable

[cswimr]

The description for PYSEC-2023-241 says that it was resolved in Piccolo 1.1.1. Yet, the vulnerable versions listed in that file include versions after 1.1.1. May not be related, may be related, not really sure how this works, but the osv.dev listing for the same vulnerability marks that all Piccolo versions are vulnerable to this issue, despite it being patched in 1.1.1.

[sethmlarson]

Thanks for reporting, can you submit a pull request?

[cswimr]

I would be willing to, but I'm not sure what exactly would need changed to fix the osv.dev listing. It says that all Piccolo 0.* and 1.* versions are vulnerable, which is causing false positives in my Renovate dependency dashboard for any of my projects using Piccolo. I don't see anything in this advisory file that would be marking 1.* as vulnerable, just versions up to 1.3.0. This is still incorrect, but incorrect in a different way as far as I can tell. I'm not really familiar with the advisory format.