
deps: upgrade pywin32 & relax version constraint #3004

Merged (1 commit) Jul 26, 2022

Conversation

Contributor

@milas milas commented Jul 25, 2022

Upgrade to latest pywin32, which has support for Python 3.10 and
resolves a CVE (related to ACL APIs, outside the scope of what
docker-py relies on, which is npipe support, but still gets
flagged by scanners).

The version constraint has also been relaxed in setup.py to allow
newer versions of pywin32. This is similar to how we handle the
other packages there, and should be safe from a compatibility
perspective.

Fixes #2902.
Closes #2972 and closes #2980.
Signed-off-by: Milas Bowman <milas.bowman@docker.com>
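As an added illustration of why the pin mattered (this is not code from the PR or from docker-py): a stdlib-only checker that evaluates a setup.py-style requirement line against a constructed list of releases, showing that a hard pin admits only the old release while a relaxed lower bound admits the patched ones. The version numbers 227 and 301 come from the linked issue title; the `sys_platform` marker syntax, the operator subset and the release list are assumptions made here.

```python
import operator
import re
from typing import List, Optional, Tuple

# Constructed example, not docker-py code: a stdlib-only checker showing which
# releases a setup.py requirement admits, and why a hard pin blocks a patched one.
_OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
        "<=": operator.le, ">": operator.gt, "<": operator.lt}
_REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(.*?)\s*(?:;\s*(.*))?$")
_MARKER_RE = re.compile(r"""^sys_platform\s*==\s*['"](\w+)['"]$""")


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.2.3' -> (1, 2, 3): tuples compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_requirement(line: str):
    """Split "pywin32>=227; sys_platform == 'win32'" into name, clauses, marker."""
    match = _REQ_RE.match(line.strip())
    if not match:
        raise ValueError(f"unparseable requirement: {line!r}")
    name, specs, marker = match.groups()
    clauses = []
    for clause in filter(None, (c.strip() for c in specs.split(","))):
        # longest operator first so ">=" is not mistaken for ">"
        op = next((o for o in sorted(_OPS, key=len, reverse=True)
                   if clause.startswith(o)), None)
        if op is None:
            raise ValueError(f"unsupported specifier: {clause!r}")
        clauses.append((op, parse_version(clause[len(op):])))
    return name, clauses, marker


def marker_applies(marker: Optional[str], platform: str) -> bool:
    """Only the sys_platform marker is modelled; no marker means 'always'."""
    if marker is None:
        return True
    match = _MARKER_RE.match(marker.strip())
    if not match:
        raise ValueError(f"unsupported marker: {marker!r}")
    return match.group(1) == platform


def admitted(requirement: str, candidates: List[str],
             platform: str = "win32") -> List[str]:
    """Releases a resolver may pick on this platform ([] if the marker skips it)."""
    _, clauses, marker = parse_requirement(requirement)
    if not marker_applies(marker, platform):
        return []
    return [c for c in candidates
            if all(_OPS[op](parse_version(c), bound) for op, bound in clauses)]
```

Running `admitted("pywin32==227; sys_platform == 'win32'", ["227", "228", "301", "304"])` yields only `["227"]`, whereas the `>=227` form admits all four, which is the effect the relaxed constraint in this PR has on downstream installs.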
@milas milas added group/windows dependencies Pull requests that update a dependency file labels Jul 25, 2022
@milas milas requested a review from a team July 25, 2022 17:43
@milas milas self-assigned this Jul 25, 2022
Contributor

@glours glours left a comment


LGTM

@thaJeztah
Member

Looks like there are a couple more contributions for fixing this: https://github.com/docker/docker-py/pulls?q=is%3Apr+is%3Aopen+pywin32+in%3Atitle

If someone has time, could we post a short "thank you for contributing" on those PRs before closing them? (I know some of them have been waiting for a long time to get their PR looked at.)

@milas
Contributor Author

milas commented Jul 26, 2022

@thaJeztah Yes! I'm on it. (For context, I was planning to accept those, but changes around our GitHub Actions config meant they needed a rebase etc and so I didn't want to make them jump through more hoops.)

@thaJeztah
Member

but changes around our GitHub Actions config meant they needed a rebase etc and so I didn't want to make them jump through more hoops.)

Makes perfect sense 👍

Thanks for leaving the comments ❤️

@jmahlik

jmahlik commented Aug 11, 2022

I saw this was added to the 6.0.0 milestone. Any chance of a backport to 5.x? I ask because there are a few projects with docker<6.0.0 that might take a while to update to 6.x.

https://github.com/aws/sagemaker-python-sdk/blob/284ddbebcf6240f0a4d3c734244f8e8ad066a9b3/requirements/extras/local_requirements.txt#L3

@milas
Contributor Author

milas commented Aug 17, 2022

@jmahlik Unfortunately, it's not going to be practical to do a 5.0.x release with this change.

That said, the 6.0.0 release will be API-compatible with the 5.x series. The major version bump is because there are a couple of security-related behavior changes (e.g. around SSH Docker hosts) and the packaging/dependency management is substantially different.

As a result, once it is released, you could temporarily use a constraints file if needed:

constraints.txt

docker>=6.0.0

Install with pip -c:

pip install -c constraints.txt package-that-depends-on-docker-py-5

Successfully merging this pull request may close these issues.

installing latest 5.0.3 on windows machines is still using pywin32==227 but not pywin32==301