fix: widen cryptography cap to allow >=48.0.1 and relax stale pytz pin#1060
fix: widen cryptography cap to allow >=48.0.1 and relax stale pytz pin#1060Sean McGroarty (mcgizzle) wants to merge 1 commit into
Conversation
Drop the `<47.0.0` upper bound on cryptography so a patched `cryptography>=48.0.1` can be installed. 48.0.1 bundles the OpenSSL fix for an ASN.1 decoder out-of-bounds read in `d2i_X509()`/`d2i_PKCS7()` (SNYK-PYTHON-CRYPTOGRAPHY-17344551); the prior cap forced 46.0.7, which is flagged HIGH-vulnerable. No transitive dependency requires the upper cap: the only packages in the tree that depend on cryptography (google-auth via google-cloud-secret-manager, pdfminer.six, pyjwt) impose lower bounds only. A full resolution with the cap removed selects cryptography 49.0.0 with no conflict, and the declarative JWT auth tests pass against it. The 45.0.0/45.0.1 regression exclusions are kept. Also relax the stale `pytz == 2024.2` pin to `>=2024.2`. Signed-off-by: mcgizzle <sean@originator.inc> Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (1)
📝 WalkthroughWalkthrough
ChangesDependency constraint updates
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~4 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Aaron ("AJ") Steers (@aaronsteers) the red checks here are all fork-secret limitations, not problems with the change. The five connector jobs (source-intercom, source-pokeapi, source-shopify, source-hardcoded-records, destination-motherduck) all fail at the same line fetching test creds from GSM: "No Google Cloud credentials found", because GCP_GSM_CREDENTIALS isn't exposed to fork PRs. The "PR Welcome Message" job fails with a 403 "Resource not accessible by integration" for the same reason: the fork token is read-only. Everything that validates the actual change passed: full pytest matrix (3.10 to 3.13), MyPy, Ruff, Deptry, and both Docker image builds. The connector jobs got past dependency resolution and CDK install before hitting the secret fetch, so the widened cryptography / relaxed pytz pins don't break installs. Could you re-run the connector tests with secrets, or merge if the green checks are sufficient? Happy to rebase if needed. |
|
Sean McGroarty (@mcgizzle) - Thanks very much for contributing to Airbyte. I'm evaluating these changes and will create a new PR shortly, possibly with a few tweaks. I'll include your commits in my branch so you retain credit when we do merge. If you have any testing data specifically from successful testing you might have done locally, please feel free to share that here or on the new PR when it opens. Much appreciated! |
|
Above PR has been merged and released: Sean McGroarty (@mcgizzle) - Thank you again for this contribution 🙏 |
What
Remove the
<47.0.0upper bound oncryptography(the!=45.0.0,!=45.0.1regression exclusions are kept) and relaxpytzfrom the exact2024.2pin to>=2024.2.Why
The
<47.0.0cap forces consumers ontocryptography==46.0.7, which carries a HIGH-severity advisory (SNYK-PYTHON-CRYPTOGRAPHY-17344551): an out-of-bounds read in the ASN.1 decoder reachable viad2i_X509()/d2i_PKCS7(). The remediation ships incryptography==48.0.1(a bundled-OpenSSL bump), which the current cap forbids.The cap is not transitive-forced. The only packages in the tree that depend on
cryptography(google-authviagoogle-cloud-secret-manager,pdfminer.six,pyjwt) impose lower bounds only. The earlier "Constrained as transitive dependency" note was already removed in #975; this change lifts the remaining arbitrary upper bound.Verification
poetry lockfollowed bypoetry update cryptographyresolves the full dependency set tocryptography==49.0.0with no conflict; the lock diff is a single package bump (46.0.7 to 49.0.0).unit_tests/sources/declarative/auth/) pass against 49.0.0 (99 passed).🤖 Generated with Claude Code
Summary by CodeRabbit