auth0 / .github

Org-wide repository files.
https://github.blog/changelog/2019-02-21-organization-wide-community-health-files/
MIT License

Remove upper bound on cryptography version restriction #18

Closed ngfeldman closed 1 month ago

ngfeldman commented 1 month ago

Description

We have a dependabot alert about the python cryptography library in our application due to CVE-2024-6119 in OpenSSL. The cryptography library must be updated to version 43.0.1 to be able to resolve the issue, but auth0-python restricts the cryptography version to ~=42.0.4 (^42.0.4 in poetry syntax).

This sort of vulnerability crops up all the time in cryptography, requiring cryptography to be updated. It seems like there is little benefit to enforcing an upper bound on the version of cryptography (or any dependency in general, really), whereas the cost is that any time a CVE is created impacting the cryptography package, we might have to wait for an update to auth0-python before we can resolve the security alerts on our end.

Reproduction

$ python3 -m venv venv
$ venv/bin/pip install 'auth0-python>=4.5' 'cryptography>=43.0.1'
Looking in indexes: https://artifactory.local.23andme.net/artifactory/api/pypi/pypi/simple
Collecting auth0-python>=4.5
  Using cached https://artifactory.local.23andme.net/artifactory/api/pypi/pypi/packages/packages/94/41/6a371c2bfa0ada31683133465ba6d51a1e30f1398ebe61e0c8668dde0037/auth0_python-4.7.1-py3-none-any.whl (131 kB)
Collecting cryptography>=43.0.1
  Using cached https://artifactory.local.23andme.net/artifactory/api/pypi/pypi/packages/packages/8a/b6/bc54b371f02cffd35ff8dc6baba88304d7cf8e83632566b4b42e00383e03/cryptography-43.0.1-cp39-abi3-macosx_10_9_universal2.whl (6.2 MB)
Collecting aiohttp<4.0.0,>=3.8.5 (from auth0-python>=4.5)
  Using cached https://artifactory.local.23andme.net/artifactory/api/pypi/pypi/packages/packages/8f/f7/971f88b4cdcaaa4622925ba7d86de47b48ec02a9040a143514b382f78da4/aiohttp-3.10.5-cp312-cp312-macosx_11_0_arm64.whl (389 kB)
INFO: pip is looking at multiple versions of auth0-python to determine which version is compatible with other requirements. This could take a while.
Collecting auth0-python>=4.5
  Using cached https://artifactory.local.23andme.net/artifactory/api/pypi/pypi/packages/packages/88/7b/debb2820b785f14c5770d6cafe61b10c7df9029832ff2bdafe51d3f2f235/auth0_python-4.7.0-py3-none-any.whl (131 kB)
  Using cached https://artifactory.local.23andme.net/artifactory/api/pypi/pypi/packages/packages/73/1b/3f4eb3e4aa1a5a47d20df31bb16c5d46dc68c9969412f36df51d83d295ab/auth0_python-4.6.1-py3-none-any.whl (130 kB)
  Using cached https://artifactory.local.23andme.net/artifactory/api/pypi/pypi/packages/packages/b4/ba/f14c8ceede95b10828b636a4c6a3e0f0d81c5d4af7c3fa906144091093af/auth0_python-4.6.0-py3-none-any.whl (130 kB)
  Using cached https://artifactory.local.23andme.net/artifactory/api/pypi/pypi/packages/packages/50/27/6fce8da4f6db7c799279979e44fd93da0168f0d27641256702ddfbb3a62b/auth0_python-4.5.0-py3-none-any.whl (129 kB)
ERROR: Cannot install auth0-python==4.5.0, auth0-python==4.6.0, auth0-python==4.6.1, auth0-python==4.7.0, auth0-python==4.7.1 and cryptography>=43.0.1 because these package versions have conflicting dependencies.

The conflict is caused by:
    The user requested cryptography>=43.0.1
    auth0-python 4.7.1 depends on cryptography<43.0.0 and >=42.0.4
    The user requested cryptography>=43.0.1
    auth0-python 4.7.0 depends on cryptography<42.0.0 and >=41.0.5
    The user requested cryptography>=43.0.1
    auth0-python 4.6.1 depends on cryptography<42.0.0 and >=41.0.5
    The user requested cryptography>=43.0.1
    auth0-python 4.6.0 depends on cryptography<42.0.0 and >=41.0.5
    The user requested cryptography>=43.0.1
    auth0-python 4.5.0 depends on cryptography<42.0.0 and >=41.0.3

To fix this you could try to:
1. loosen the range of package versions you've specified
2. remove package versions to allow pip attempt to solve the dependency conflict

ERROR: ResolutionImpossible: for help visit https://pip.pypa.io/en/latest/topics/dependency-resolution/#dealing-with-dependency-conflicts

[notice] A new release of pip is available: 24.0 -> 24.2
[notice] To update, run: python3.12 -m pip install --upgrade pip

Environment
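To see why pip rejects the combination above without re-running the resolver, here is an added example (not auth0-python's code, and not from the issue author): a small PEP 440 specifier checker, applied to the ranges pip printed in the reproduction and to a constructed loosened pin with no upper bound.

```python
"""Check whether a dependency pin admits a patched release (added example,
not auth0-python's code). Implements just enough PEP 440 (dotted release
versions, ==/!=/</<=/>/>= and the compatible-release operator ~=) to
reproduce pip's verdict above: auth0-python's pin excludes cryptography 43.0.1."""
from __future__ import annotations
import re

_CLAUSE = re.compile(r"^\s*(~=|==|!=|<=|>=|<|>)\s*([0-9]+(?:\.[0-9]+)*)\s*$")

def parse_version(v: str) -> tuple[int, ...]:
    """'43.0.1' -> (43, 0, 1). Pre-release and local segments are out of scope."""
    return tuple(int(p) for p in v.strip().split("."))

def _cmp(a: tuple[int, ...], b: tuple[int, ...]) -> int:
    """Compare with zero padding so that 42.1 == 42.1.0, as PEP 440 requires."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def expand_compatible(v: str) -> list[str]:
    """PEP 440: '~=42.0.4' means '>=42.0.4, ==42.0.*', i.e. '>=42.0.4,<42.1'."""
    parts = v.split(".")
    if len(parts) < 2:
        raise ValueError("~= needs at least two release segments")
    upper = ".".join(parts[:-2] + [str(int(parts[-2]) + 1)])
    return [f">={v}", f"<{upper}"]

def satisfies(version: str, specifier: str) -> bool:
    """True when `version` is admitted by every clause of a comma-separated specifier."""
    target = parse_version(version)
    clauses: list[str] = []
    for raw in specifier.split(","):
        m = _CLAUSE.match(raw)
        if not m:
            raise ValueError(f"unsupported clause: {raw!r}")
        op, ver = m.groups()
        clauses.extend(expand_compatible(ver) if op == "~=" else [f"{op}{ver}"])
    for clause in clauses:
        op, ver = _CLAUSE.match(clause).groups()
        c = _cmp(target, parse_version(ver))
        if not {"==": c == 0, "!=": c != 0, "<": c < 0, "<=": c <= 0,
                ">": c > 0, ">=": c >= 0}[op]:
            return False
    return True

def blocking_pins(required: str, pins: dict[str, str]) -> list[str]:
    """Names of the dependents whose pin rejects `required` (inputs are constructed)."""
    return [name for name, spec in pins.items() if not satisfies(required, spec)]
```

Feeding it the ranges from pip's conflict report shows every listed auth0-python release rejecting 43.0.1, while a pin that keeps only the lower bound (`>=42.0.4`) admits it; the same check is a cheap gate to run over a lockfile when a dependabot alert names a fixed version.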

ngfeldman commented 1 month ago

Oops, wrong repo