aws / aws-elastic-beanstalk-cli

The EB CLI is a command line interface for Elastic Beanstalk that provides interactive commands that simplify creating, updating and monitoring environments from a local repository.
Apache License 2.0
161 stars 79 forks

Please do a release to resolve security issue with `requests` #416

Closed dennisjlee closed 1 year ago

dennisjlee commented 1 year ago

Description

The requests library recently had a vulnerability disclosed https://github.com/advisories/GHSA-j8r2-6x86-q33q, causing GitHub Dependabot to nag us.

The dependency change in aws-elastic-beanstalk-cli has already been made (#410). Please make a new release to PyPI so that downstream users of aws-elastic-beanstalk-cli can upgrade requests.

Steps to reproduce

Try to install the latest version of awsebcli and requests in the same environment: `pip install awsebcli==3.20.6 requests==2.31.0`

Observed result

```
$ pip install awsebcli==3.20.6 requests==2.31.0
Collecting awsebcli==3.20.6
  Using cached awsebcli-3.20.6.tar.gz (268 kB)
  Preparing metadata (setup.py) ... done
Collecting requests==2.31.0
  Using cached requests-2.31.0-py3-none-any.whl (62 kB)
Collecting botocore<1.29.100,>1.23.41
  Downloading botocore-1.29.99-py3-none-any.whl (10.5 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 10.5/10.5 MB 11.3 MB/s eta 0:00:00
Collecting cement==2.8.2
  Using cached cement-2.8.2.tar.gz (165 kB)
  Preparing metadata (setup.py) ... done
Collecting colorama<0.4.4,>=0.2.5
  Using cached colorama-0.4.3-py2.py3-none-any.whl (15 kB)
Collecting pathspec==0.10.1
  Using cached pathspec-0.10.1-py3-none-any.whl (27 kB)
Collecting python-dateutil<3.0.0,>=2.1
  Using cached python_dateutil-2.8.2-py2.py3-none-any.whl (247 kB)
ERROR: Cannot install awsebcli==3.20.6 and requests==2.31.0 because these package versions have conflicting dependencies.

The conflict is caused by:
    The user requested requests==2.31.0
    awsebcli 3.20.6 depends on requests<=2.26 and >=2.20.1

To fix this you could try to:
1. loosen the range of package versions you've specified
2. remove package versions to allow pip attempt to solve the dependency conflict

ERROR: ResolutionImpossible: for help visit https://pip.pypa.io/en/latest/topics/dependency-resolution/#dealing-with-dependency-conflicts
```

Expected result

The packages should be compatible.

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

  1. OS: Windows 11
  2. EBCLI version: 3.20.6

jamison-lahman-ai commented 1 year ago
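The pip error above is the general shape of a supply-chain problem worth auditing for: a library's upper-bound pin on a dependency (`requests<=2.26`) sits below the release that carries the security fix (`2.31.0`), so no install can satisfy both until the pinning package is re-released. The script below is an added example, not code from this thread or from the EB CLI project; it checks a constraint string against a patched version and reports whether the pin blocks every patched release. The specifier parser and version comparison are a deliberately small hand-written subset of PEP 440 (numeric release segments, operators `==`, `!=`, `<=`, `>=`, `<`, `>`, separated by `,` or by pip's `and`), so it runs on Python 3.8+ with no third-party packages; use `packaging.specifiers` for anything beyond that subset. The constraint and the fixed version are taken from the pip output above.

```python
"""Flag dependency pins that exclude a patched release (added example)."""
import operator
import re
from importlib.metadata import PackageNotFoundError, version as installed_version
from typing import List, Tuple

Version = Tuple[int, ...]

# Operators we support, mapped to their comparison on version tuples.
_OPS = {
    "==": operator.eq,
    "!=": operator.ne,
    "<=": operator.le,
    ">=": operator.ge,
    "<": operator.lt,
    ">": operator.gt,
}
# One clause: optional whitespace, an operator, a dotted numeric version.
_CLAUSE = re.compile(r"^\s*(==|!=|<=|>=|<|>)\s*([0-9]+(?:\.[0-9]+)*)\s*$")


def parse_version(text: str) -> Version:
    """Take the leading numeric release segments and pad to three, so that
    '2.26' compares equal to '2.26.0'. Suffixes such as 'rc1' or '.post1' are
    ignored (a simplification; PEP 440 orders them)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def parse_specifier(spec: str) -> List[Tuple[str, Version]]:
    """'<=2.26,>=2.20.1' or pip's '<=2.26 and >=2.20.1' -> [('<=', (2,26,0)), ...]."""
    clauses = []
    for raw in re.split(r",|\band\b", spec):
        if not raw.strip():
            continue
        m = _CLAUSE.match(raw)
        if not m:
            raise ValueError(f"unsupported clause: {raw!r}")
        clauses.append((m.group(1), parse_version(m.group(2))))
    return clauses


def allows(spec: str, candidate: str) -> bool:
    """True if every clause of the specifier admits the candidate version."""
    v = parse_version(candidate)
    return all(_OPS[op](v, bound) for op, bound in parse_specifier(spec))


def blocks_fix(spec: str, fixed_version: str) -> bool:
    """True when the constraint excludes the patched version and every later
    one: an upper bound (< or <=) at or below the fix, or an exact pin below it.
    A bare '!=' exclusion does not count, because a later patched release is
    still installable."""
    fixed = parse_version(fixed_version)
    if allows(spec, fixed_version):
        return False
    for op, bound in parse_specifier(spec):
        if op in ("<", "<=") and bound <= fixed:
            return True
        if op == "==" and bound < fixed:
            return True
    return False


def installed_is_patched(dist_name: str, fixed_version: str) -> bool:
    """Compare the version installed in this interpreter with the patched one.
    A missing distribution is reported as not patched."""
    try:
        return parse_version(installed_version(dist_name)) >= parse_version(fixed_version)
    except PackageNotFoundError:
        return False


if __name__ == "__main__":
    EB_PIN = "<=2.26 and >=2.20.1"  # awsebcli 3.20.6's requests pin, per the pip error
    FIXED = "2.31.0"                # the requests release the reporter is trying to install
    print("2.26.0 allowed by pin:", allows(EB_PIN, "2.26.0"))
    print("2.31.0 allowed by pin:", allows(EB_PIN, FIXED))
    print("pin blocks the fix:   ", blocks_fix(EB_PIN, FIXED))
    print("installed requests >= fix:", installed_is_patched("requests", FIXED))
```

Running it against the pin from this issue reports that `2.26.0` is admitted, `2.31.0` is not, and the pin blocks the fix, which is exactly why pip's resolver gave up. The same `blocks_fix` check can be run over the `Requires-Dist` entries of every installed distribution to find other libraries whose pins hold a vulnerable version in place.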

Also blocked here. Currently building from source as a workaround,

`pip install git+https://github.com/aws/aws-elastic-beanstalk-cli.git@9140d08`

but would appreciate an official release.

dennisjlee commented 1 year ago

@Mickeypeng thank you for your PR last month updating the requests dependency. Would you be able to help us get a release out for this library please?

NihalM99 commented 1 year ago

Updated the release to PyPI, resolving.