
Add a lower bound for the version of setuptools #123

Closed
wants to merge 1 commit into from

Conversation

jsf9k
Member

@jsf9k jsf9k commented Nov 15, 2022

🗣 Description

This pull request adds a lower bound for the version of setuptools.

💭 Motivation and context

This is done in response to a recently-discovered vulnerability in setuptools:

It should also get rid of a zillion Snyk PRs like this that are polluting our repos.

🧪 Testing

All automated tests pass.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All new and existing tests pass.

@jsf9k jsf9k added the labels blocked (This issue or pull request is awaiting the outcome of another issue or pull request) and dependencies (Pull requests that update a dependency file) Nov 15, 2022
@jsf9k jsf9k self-assigned this Nov 15, 2022
@jsf9k jsf9k force-pushed the security/lower-bound-for-setuptools branch from 51fa6d7 to c149b76 November 15, 2022 14:33
@jsf9k jsf9k marked this pull request as ready for review November 15, 2022 15:18
Member

@dav3r dav3r left a comment


🔐

@mcdonnnj
Member

I'm not sure about investing in version pinning this kind of dependency simply because a fresh install or an upgrade install will pull down the appropriate package, the vulnerability is a self-DoS, and the new version is not specifically required for functionality. If we do want to proceed with this kind of pinning then we need to add an ignore directive (with attribution) here

```yaml
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
```

in line with how we manage other pinned dependencies.
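As an added illustration (not code from this PR or from the cisagov repositories), this is how the ignore directive described above would sit in `.github/dependabot.yml` under the existing pip entry; `ignore` and `dependency-name` are Dependabot's own configuration keys, and the comment text is an assumed form of the attribution the comment asks for.

```yaml
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      # Attribution (assumed wording): the lower bound for setuptools is
      # managed by hand in setup.py in response to the setuptools
      # vulnerability discussed in PR #123, so Dependabot should not open
      # pull requests that bump it. Omitting a `versions` list here
      # ignores all updates to this dependency.
      - dependency-name: "setuptools"
```

With this entry in place, the pinned lower bound in setup.py is the single place the setuptools version is raised, and the automated update PRs that the lower bound was meant to quiet stop being opened for it.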

@jsf9k
Member Author

jsf9k commented Mar 20, 2023

Closed due to @mcdonnnj's compelling argument.

@jsf9k jsf9k closed this Mar 20, 2023
@jsf9k jsf9k deleted the security/lower-bound-for-setuptools branch March 20, 2023 18:42