deps: upgrade pywin32 & relax version constraint #3004
Upgrade to latest pywin32, which has support for Python 3.10 and resolves a CVE (related to ACL APIs, outside the scope of what `docker-py` relies on, which is npipe support, but still gets flagged by scanners).

The version constraint has also been relaxed in `setup.py` to allow newer versions of pywin32. This is similar to how we handle the other packages there, and should be safe from a compatibility perspective.

Fixes docker#2902.
Closes docker#2972 and closes docker#2980.

Signed-off-by: Milas Bowman <milas.bowman@docker.com>
LGTM
Looks like there's a couple more contributions for fixing this: https://github.com/docker/docker-py/pulls?q=is%3Apr+is%3Aopen+pywin32+in%3Atitle

If someone has time, could we post a short "thank you for contributing" on those PRs before closing them? (I know some of them have been waiting for a long time to get their PR looked at)

@thaJeztah Yes! I'm on it. (For context, I was planning to accept those, but changes around our GitHub Actions config meant they needed a rebase etc. and so I didn't want to make them jump through more hoops.)

Makes perfect sense 👍 Thanks for leaving the comments ❤️

I saw this was added to the 6.0.0 milestone. Any chance of a backport to 5.x? I ask because there's a few projects with
@jmahlik Unfortunately, it's not going to be practical to do a That said, the As a result, once released you could temporarily use a constraint file if needed:
Install with `pip install -c constraints.txt package-that-depends-on-docker-py-5`