bunq / sdk_python

Python SDK for bunq API
MIT License

Dependencies severely out of date (and vulnerable: CVEs) #121

Closed puckipedia closed 4 years ago

puckipedia commented 4 years ago

Steps to reproduce:

  1. Try to install bunq_sdk with only the newest versions of the dependencies installed. (e.g. via the operating system's package manager)

What should happen:

  1. bunq_sdk installs and is secure.

What happens:

  1. Could not find a version that satisfies the requirement urllib3==1.21.1, among other issues

SDK version and environment

  • Tested on 0.10.16 (y'all's issue template is wrong too)

Extra info:

In pycryptodome(x), CVE-2018-15560 (an AES crypto vuln) and so on were fixed last year, but the dependencies are hard-coded to those of two years ago, meaning that any installation of the bunq Python SDK is vulnerable.
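As an added illustration of the failure mode this report describes (example code written for this page, not code from the bunq SDK or from the issue's author): a small stdlib-only checker that parses a requirements list, evaluates each version clause against the versions actually installed, and separately flags exact `==` pins, which are the lines that break as soon as a distro ships a newer package. The requirement lines and the "installed" versions are constructed to mirror the report (urllib3==1.21.1 against a newer system urllib3); the pycryptodomex pin and all installed versions are made-up sample values, not the SDK's real requirements.

```python
"""Check a pinned requirements list against installed versions and flag exact pins.

Added example for this issue thread; not part of bunq/sdk_python.
Sample requirement lines and installed versions are constructed for the demo.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the kind of hard-coded pins the report complains about.
# (urllib3==1.21.1 is the pin quoted in the report; the other two lines are made up.)
REQUIREMENTS = """
urllib3==1.21.1
pycryptodomex==3.4.7      # constructed pin, not the SDK's real value
requests>=2.18,<3
"""

# Constructed sample: versions an OS package manager might have installed.
INSTALLED: Dict[str, str] = {
    "urllib3": "1.25.8",
    "pycryptodomex": "3.9.7",
    "requests": "2.22.0",
}

_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric dotted versions only; PEP 440 pre/post/dev tags are out of scope here."""
    return tuple(int(part) for part in version.split("."))


def satisfies(installed: str, op: str, wanted: str) -> bool:
    """True if `installed` meets the clause `op wanted` (1.21 and 1.21.0 compare equal)."""
    a, b = version_key(installed), version_key(wanted)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return _OPS[op](a, b)


def parse_requirement(line: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split 'name op ver, op ver' into (name, [(op, ver), ...])."""
    m = re.match(r"^([A-Za-z0-9_.\-]+)\s*(.*)$", line.strip())
    if not m:
        raise ValueError(f"unparseable requirement: {line!r}")
    name, rest = m.group(1).lower(), m.group(2)
    clauses: List[Tuple[str, str]] = []
    for clause in (c.strip() for c in rest.split(",")):
        if not clause:
            continue
        cm = re.match(r"^(==|!=|>=|<=|>|<)\s*([0-9][0-9.]*)$", clause)
        if not cm:
            raise ValueError(f"unsupported clause {clause!r} in {line!r}")
        clauses.append((cm.group(1), cm.group(2)))
    return name, clauses


def check_requirements(text: str, installed: Dict[str, str]) -> Dict[str, List[str]]:
    """Return which lines cannot be satisfied by `installed`, and which are exact pins."""
    report: Dict[str, List[str]] = {"unsatisfied": [], "exact_pins": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, clauses = parse_requirement(line)
        if any(op == "==" for op, _ in clauses):
            report["exact_pins"].append(line)
        have = installed.get(name)
        if have is None:
            report["unsatisfied"].append(f"{line}: not installed")
            continue
        failed = [f"{op}{ver}" for op, ver in clauses if not satisfies(have, op, ver)]
        if failed:
            report["unsatisfied"].append(f"{line}: installed {have} fails {','.join(failed)}")
    return report


if __name__ == "__main__":
    result = check_requirements(REQUIREMENTS, INSTALLED)
    for key, lines in result.items():
        print(f"{key}:")
        for entry in lines:
            print(f"  {entry}")
```

Run against the constructed data, both `==` lines land in `unsatisfied` (the installed packages are newer than the pin), while the ranged `requests` line passes; that is exactly the "could not find a version that satisfies the requirement" outcome from the report, reproduced offline. The same check run over a project's real requirements file, with `installed` filled from `pip list --format=json`, is a cheap pre-release gate for spotting stale pins before users hit them.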

angelomelonas commented 4 years ago

All dependencies were upgraded to latest in this pull request: https://github.com/bunq/sdk_python/pull/128