DataCater / datacater

The developer-friendly ETL platform for transforming data in real-time. Based on Apache Kafka® and Kubernetes®.
https://datacater.io

fix(python-runner): Update requests to >= 2.31.0 #220

Closed flippingbits closed 1 year ago

flippingbits commented 1 year ago

Dependabot reported an unintended leak of the Proxy-Authorization header in the version of the requests library that we are using (all versions < 2.31.0 are affected).

This commit updates the python_runner/requirements.txt and requires a version of requests where this issue has been fixed (>= 2.31.0).
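A way to check that a requirements.txt pin really rules out the affected requests releases, as an added example that is not code from the DataCater project: it parses each `requests` line and reports whether every specifier set guarantees a version of at least 2.31.0. It assumes plain PEP 440 version specifiers (no URLs or hash pins) and implements only that subset.

```python
# Added example, not part of the DataCater repository: check that a
# requirements.txt constrains `requests` to releases that contain the
# Proxy-Authorization fix (>= 2.31.0). Handles only plain PEP 440
# version specifiers (==, ~=, >=, >, <=, <, !=), which is an assumption.
import re
from typing import Optional, Tuple

FIXED_VERSION = (2, 31, 0)  # first requests release without the leak
SPEC_RE = re.compile(r"(==|~=|>=|<=|!=|>|<)\s*([0-9][0-9.]*)")
REQ_LINE_RE = re.compile(r"^requests(?![\w.-])\s*(\[[^\]]*\])?\s*([^;]*)", re.I)


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.31' -> (2, 31, 0); pads to three numeric components."""
    parts = tuple(int(p) for p in text.strip(".").split("."))
    return parts + (0,) * (3 - len(parts))


def lower_bound(specifiers: str) -> Optional[Tuple[int, ...]]:
    """Lowest version the specifier set can accept, or None when the set
    has no lower bound (an unpinned `requests` line)."""
    bound = None
    for op, ver in SPEC_RE.findall(specifiers):
        v = parse_version(ver)
        if op in ("==", ">=", "~="):
            candidate = v
        elif op == ">":
            candidate = v[:2] + (v[2] + 1,)  # smallest version strictly above v
        else:
            continue  # <, <=, != never raise the lower bound
        if bound is None or candidate > bound:
            bound = candidate
    return bound


def requests_pin_is_fixed(requirements_text: str) -> bool:
    """True only if every `requests` line guarantees a version >= 2.31.0.
    No line, an unpinned line, or an upper-bound-only line is reported as
    not fixed, because pip could still resolve an affected release."""
    found = False
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        match = REQ_LINE_RE.match(line)
        if not match:
            continue
        found = True
        bound = lower_bound(match.group(2))
        if bound is None or bound < FIXED_VERSION:
            return False
    return found
```

Feeding it the text of python_runner/requirements.txt before and after this change gives False and True respectively; a line such as `requests>=2.30,<2.32` is also reported as not fixed, since 2.30.x still satisfies it.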

sonarcloud[bot] commented 1 year ago

Kudos, SonarCloud Quality Gate passed!

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information
No Duplication information

HknLof commented 1 year ago

Is there a way to define the Python version in requirements or somewhere else? I ran into the issue that some packages were not available.

flippingbits commented 1 year ago

The used modules require Python 3.7 or newer.

I don't know if you can require specific Python versions in the requirements.txt, but the Dockerfile, which we are using to build the python-runner image, defines a Python version.

I guess this only affects your local development environment? What about extending the README with the required Python version? I suggest opening another issue/PR to deal with it, so that we do not delay merging this security fix.

HknLof commented 1 year ago

I think it's fine. We can move to pyproject.toml on the next iteration. https://pip.pypa.io/en/stable/reference/build-system/pyproject-toml/