
Bump the cryptography version to 42 #3950

Closed
brijesh-vora-sp opened this issue Feb 12, 2024 · 4 comments · Fixed by #3966
Labels
dependencies Pull requests that update a dependency file

Comments

@brijesh-vora-sp
Contributor

brijesh-vora-sp commented Feb 12, 2024

Is your feature request related to a problem? Please describe.
cryptography<42 package has some medium vulnerabilities. Example: https://scout.docker.com/vulnerabilities/id/CVE-2023-50782?s=github&n=cryptography&t=pypi&vr=%3C42.0.0&utm_source=desktop&utm_medium=ExternalLink

starlette and fastapi had some high vulnerabilities but that was recently bumped up and thanks to that, they are removed.

Describe the solution you'd like
Bump the cryptography package to >=42. Nice to have: bumping up of other compatible packages also.

@brijesh-vora-sp brijesh-vora-sp added the kind/feature New feature or request label Feb 12, 2024
@bushwhackr
Contributor

snowflake-connector-python is blocking the bump https://github.com/snowflakedb/snowflake-connector-python/blob/v3.7.0/setup.cfg#L48

@sudohainguyen sudohainguyen added dependencies Pull requests that update a dependency file and removed kind/feature New feature or request labels Feb 16, 2024
@sudohainguyen
Collaborator

sudohainguyen commented Feb 23, 2024

back to this one, since snowflake connector is no longer blocking

should we set 42 as the lower bound for cryptography?
@bushwhackr @tokoko

@tokoko
Collaborator

tokoko commented Feb 23, 2024

No, I don't think so, let's leave it up for the users. Might get in the way with installing some other packages that people use with feast. snowflake also bumped only the upper bound.
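The thread turns on whether relaxing only the upper bound (what snowflake-connector-python did) or raising the lower bound to 42 keeps the affected range of CVE-2023-50782 (cryptography <42.0.0) out of an install. The following added example is not code from feast or any of its dependencies; it evaluates a constructed dependency specifier against an advisory's affected range using only the standard library (a PEP 440 subset: `<`, `<=`, `>`, `>=` on dotted numeric versions).

```python
# Added example, not code from the feast project or its dependencies:
# does a dependency specifier still admit a release in an advisory's
# affected range? Supports a PEP 440 subset (<, <=, >, >= on dotted
# numeric versions); every specifier passed in below is constructed.
from typing import Optional, Tuple

Version = Tuple[int, ...]
Bound = Tuple[Optional[Version], bool]  # (version, inclusive); None = unbounded

def parse_version(text: str) -> Version:
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))  # so "42" compares equal to "42.0.0"

def _tighter_lower(a: Bound, b: Bound) -> Bound:
    if a[0] is None or b[0] is None:
        return b if a[0] is None else a
    if a[0] != b[0]:
        return a if a[0] > b[0] else b
    return (a[0], a[1] and b[1])  # same version: the exclusive bound is tighter

def _tighter_upper(a: Bound, b: Bound) -> Bound:
    if a[0] is None or b[0] is None:
        return b if a[0] is None else a
    if a[0] != b[0]:
        return a if a[0] < b[0] else b
    return (a[0], a[1] and b[1])

def to_interval(spec: str) -> Tuple[Bound, Bound]:
    """Collapse a comma-separated specifier such as '>=41,<43' into one interval."""
    lower: Bound = (None, True)
    upper: Bound = (None, True)
    for clause in (c.strip() for c in spec.split(",") if c.strip()):
        op = next((o for o in ("<=", ">=", "<", ">") if clause.startswith(o)), None)
        if op is None:
            raise ValueError(f"unsupported clause: {clause!r}")
        version = parse_version(clause[len(op):])
        if op in (">", ">="):
            lower = _tighter_lower(lower, (version, op == ">="))
        else:
            upper = _tighter_upper(upper, (version, op == "<="))
    return lower, upper

def admits_vulnerable(spec: str, affected: str) -> bool:
    """True if at least one version satisfies both spec and the affected range."""
    (lo_a, hi_a), (lo_b, hi_b) = to_interval(spec), to_interval(affected)
    lo, lo_inc = _tighter_lower(lo_a, lo_b)
    hi, hi_inc = _tighter_upper(hi_a, hi_b)
    if lo is None or hi is None:
        return True  # unbounded on one side, so the overlap cannot be empty
    return lo < hi or (lo == hi and lo_inc and hi_inc)
```

With the constructed specifiers `">=35,<43"` (upper bound only) and `">=42"` (lower bound raised), `admits_vulnerable(spec, "<42.0.0")` returns True for the first and False for the second, which is the difference the two options in this thread make for a resolver.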

@brijesh-vora-sp
Contributor Author

Thanks, guys. 👍


4 participants