This library is depended on by 867 packages (#pyyaml, requests, hypothesis), has a bogus CVE and is abandonware.
That's a bit under 1000 releases not counting the iceberg of closed source.
Who files these bogus CVEs? It is like setting $10,000 on fire, but in $100 piles all across the country.