search

JordyZomer / autoSubTakeover

A tool used to check if a CNAME resolves to the scope address. If the CNAME resolves to a non-scope address it might be worth checking out if subdomain takeover is possible.
MIT License
130 stars 39 forks source link

Potential dependency conflicts between autosubtakeover and idna #6

Open NeolithEra opened 4 years ago

NeolithEra commented 4 years ago

Hi, as shown in the following full dependency graph of autosubtakeover, tldextract requires *_idna _ , while the installed version of requests(2.22.0) requires _idna >=2.5,<2.9**_.

According to Pip's “first found wins” installation strategy, idna 2.8 is the actually installed version.

Although the first found package version idna 2.8 just satisfies the later dependency constraint (idna >=2.5,<2.9), it will lead to a build failure once developers release a newer version of idna.

Dependency tree--------


autosubtakeover - 0.1
| +- aiodns(install version:2.0.0 version range:*)
| | +- pycares(install version:3.0.0 version range:>=3.0.0)
| | | +- cffi(install version:1.13.2 version range:>=1.5.0)
| | +- typing(install version:3.7.4.1 version range:*)
| +- asyncio(install version:3.4.3 version range:*)
| +- click(install version:7.0 version range:*)
| +- pycares(install version:3.0.0 version range:*)
| | +- cffi(install version:1.13.2 version range:>=1.5.0)
| +- tldextract(install version:2.2.2 version range:*)
| | +- idna(install version:2.8 version range:*)
| | +- requests(install version:2.22.0 version range:>=2.1.0)
| | | +- certifi(install version:2019.9.11 version range:>=2017.4.17)
| | | +- chardet(install version:3.0.4 version range:<3.1.0,>=3.0.2)
| | | +- idna(install version:2.8 version range:>=2.5,<2.9)
| | | +- urllib3(install version:1.25.7 version range:<1.26,>=1.21.1)
| | +- requests-file(install version:1.4.3 version range:>=1.4)
| | | +- requests(install version:2.22.0 version range:>=1.0.0)
| | | | +- certifi(install version:2019.9.11 version range:>=2017.4.17)
| | | | +- chardet(install version:3.0.4 version range:<3.1.0,>=3.0.2)
| | | | +- idna(install version:2.8 version range:>=2.5,<2.9)
| | | | +- urllib3(install version:1.25.7 version range:<1.26,>=1.21.1)
| | | +- six(install version:1.13.0 version range:*)
| | +- setuptools(install version:42.0.1 version range:*)
| +- tornado(install version:6.0.3 version range:*)

Thanks for your attention. Best, Neolith

NeolithEra commented 4 years ago

Suggested Solution

  1. Ask your upstream project tldextract to fix his direct dependencies to be idna <2.9.
  2. Ask your upstream project requests to lose the version range of idna to be >=2.5.

@JordyZomer Which solution do you prefer, 1 or 2? Please let me know your choice. May I pull a request to solve this issue?