IBM / ibm-cos-sdk-python-core

Apache License 2.0

ImportError on DEFAULT_CIPHERS with urllib3>=2.0.0 #19

Closed mriedem closed 1 year ago

mriedem commented 1 year ago

ImportError: cannot import name 'DEFAULT_CIPHERS' from 'urllib3.util.ssl_' (/home/travis/virtualenv/python3.9.0/lib/python3.9/site-packages/urllib3/util/ssl_.py)

This is with urllib3 2.0.2. DEFAULT_CIPHERS was removed:

https://github.com/urllib3/urllib3/blob/main/CHANGES.rst#200-2023-04-26

Hitting this by pulling in latest ibm-cos-sdk.

mriedem commented 1 year ago

The requirements here are likely part of the problem:

https://github.com/IBM/ibm-cos-sdk-python-core/blob/2.13.0/setup.py#L9-L10

requests 2.30 adds support for and requires urllib3 2.0.x: https://pyup.io/packages/pypi/requests/changelog?page=1&#2.30.0

So, you can cap requests at <2.30 until this is fixed, or add support for urllib3 >= 2.0.0 where DEFAULT_CIPHERS is removed.

mriedem commented 1 year ago

> requests 2.30 adds support for and requires urllib3 2.0.x

Never mind, it's not a hard requirement on urllib3 2.0.0.

zichd commented 1 year ago

There is a vulnerability in Requests <2.31.0: https://github.com/advisories/GHSA-j8r2-6x86-q33q

I can't update to this version because of the urllib3 version requirements collision with ibm-cos-sdk mentioned by @mriedem. Any chance of getting this resolved? Thanks!
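The two constraints raised in the comments above (urllib3 2.0.0 removing DEFAULT_CIPHERS, and the advisory for Requests <2.31.0) can be checked against a pinned requirements file. This is an added example, not code from the thread or from the SDK; the finding codes, the sample pin sets and the `sdk_imports_default_ciphers` switch are hypothetical.

```python
import re

# Thresholds taken from the thread: urllib3 2.0.0 removed DEFAULT_CIPHERS,
# and GHSA-j8r2-6x86-q33q affects Requests <2.31.0.
URLLIB3_REMOVAL = (2, 0, 0)
REQUESTS_FIXED = (2, 31, 0)

PIN = re.compile(r"([A-Za-z0-9_.-]+)==(\d+)\.(\d+)(?:\.(\d+))?")

def parse_pins(text):
    """Map package name -> (major, minor, patch) for each 'name==x.y[.z]' line."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        m = PIN.fullmatch(line)
        if m:
            name = m.group(1).lower().replace("_", "-")
            pins[name] = (int(m.group(2)), int(m.group(3)), int(m.group(4) or 0))
    return pins

def audit(text, sdk_imports_default_ciphers=True):
    """Return finding codes for a pinned requirements file.

    sdk_imports_default_ciphers is a hypothetical switch: True for an SDK
    release that still imports DEFAULT_CIPHERS from urllib3.util.ssl_.
    """
    pins = parse_pins(text)
    findings = []
    urllib3 = pins.get("urllib3")
    requests = pins.get("requests")
    if sdk_imports_default_ciphers:
        if urllib3 is None:
            findings.append("URLLIB3_UNPINNED")      # resolver may pick >=2.0.0
        elif urllib3 >= URLLIB3_REMOVAL:
            findings.append("IMPORT_ERROR")          # DEFAULT_CIPHERS is gone
    if requests is not None and requests < REQUESTS_FIXED:
        findings.append("REQUESTS_ADVISORY")         # GHSA-j8r2-6x86-q33q
    return findings

# Constructed sample pin sets (not taken from any real project).
BROKEN = "requests==2.30.0\nurllib3==2.0.2  # urllib3 version from the report\n"
CAPPED = "requests==2.29.0\nurllib3==1.26.15\n"
FIXED = "requests==2.31.0\nurllib3==2.0.2\n"

if __name__ == "__main__":
    for label, pins in (("broken", BROKEN), ("capped", CAPPED), ("fixed", FIXED)):
        print(label, audit(pins), audit(pins, sdk_imports_default_ciphers=False))
```

The `CAPPED` set shows why capping alone does not close the issue: the import works again, but the Requests advisory stays open until the SDK itself stops importing DEFAULT_CIPHERS.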

avinash1IBM commented 1 year ago

@zichd We are working on the above vulnerability, and soon you can expect a newer release of ibm-cos-sdk.

zichd commented 1 year ago

@avinash1IBM Thank you for the good news!

avinash1IBM commented 1 year ago

A new version is released to fix this vulnerability. So closing it as resolved.