search

bannsec / revenge

REVerse ENGineering Environment
57 stars 5 forks source link

Potential dependency conflicts between frida-util and frida #1

Closed NeolithEra closed 5 years ago

NeolithEra commented 5 years ago

Hi, as shown in the following full dependency graph of frida-util, frida-util requires frida (the latest version), while the installed version of frida-tools(2.0.2) requires frida<13.0.0,>=12.5.3.

According to Pip's “first found wins” installation strategy, frida 12.6.11 is the actually installed version.

Although the first found package version frida 12.6.11 just satisfies the later dependency constraint (frida<13.0.0,>=12.5.3), it will lead to a build failure once developers release a newer version of frida whose version number is greater than 13.0.0.

It'll be good if we just adjust the constraints (if possible) here, which can avoid potential dependency conflicts in the near future.

Dependency tree--------

frida-util<version range:>
| +-appdirs<version range:>
| +-bs4<version range:>
| | +-beautifulsoup4<version range:>
| +-colorama<version range:>
| +-frida<version range:>
| +-frida-tools<version range:>
| | +-colorama<version range:>=0.2.7,<1.0.0>
| | +-frida<version range:<13.0.0,>=12.5.3>
| | +-prompt-toolkit<version range:>=2.0.0,<3.0.0>
| | | +-pygments<version range:>
| | | +-six<version range:>=1.8.0>
| | | +-wcwidth<version range:>
| | +-pygments<version range:<3.0.0,>=2.0.2>
| +-pefile<version range:>
| | +-future<version range:>
| +-prettytable<version range:>
| +-psutil<version range:>
| +-pyelftools<version range:>
| +-requests<version range:>
| +-termcolor<version range:>

Thanks for your attention. Best, Neolith

NeolithEra commented 5 years ago

Suggestion:

  1. Fix your direct dependencies to be frida<13.0.0,>=12.5.3 and frida-tools==2.0.2, to remove this conflict. I have checked this revision will not affect your downstream projects now.

  2. Remove the direct dependency frida, then you can use this package transitively introduced by frida-tools.

@bannsec Which solution do you prefer, 1 or 2? Please let me know your choice, then I can submit a PR to fix it.

Thanks!

NeolithEra commented 5 years ago

@bannsec Could you help me review this issue?

bannsec commented 5 years ago

Thanks for the info. Wasn't actually using that dependency so i just removed it.