dbcli / mssql-cli

A command-line client for SQL Server with auto-completion and syntax highlighting
BSD 3-Clause "New" or "Revised" License
1.35k stars 192 forks

Please update the pip package dependencies #543

Open eabase opened 2 years ago

eabase commented 2 years ago

Many of the core Python packages used in this package are outdated and are breaking almost all new Python 3.10 installations.

Please update the requirements and the related python code.

```
# pip list --outdated
Package        Version Latest Type
-------------- ------- ------ -----
cli-helpers    0.2.3   2.2.1  wheel
Click          7.0     8.1.0  wheel
prompt-toolkit 2.0.10  3.0.28 wheel
sqlparse       0.2.4   0.4.2  wheel
```

Related issues:

- #531
- #484

cwegener commented 2 years ago

Running `pip install --upgrade cli-helpers` after `pip install mssql-cli` is how I was able to use mssql-cli on Python 3.10.

ggt-steven-combs commented 2 years ago

I can't even use this because of the dependency issue. Is there a fork or a PR for this yet?

swells commented 2 years ago

It would be great if the deps could be updated due to the security vulnerability of the sqlparse version

We take a dependency on this package, and our governed repository scans flag the dependency `sqlparse==0.2.4` as a security violation:

> StripComments filter contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). The formatter function that strips comments from a SQL contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments.
>
> Recommendation: upgrade to sqlparse 0.4.2.
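The advisory quoted above describes a comment-stripping regular expression that backtracks exponentially on input with many `\r\n` repetitions inside a SQL comment. The following is an added example, not code from mssql-cli or sqlparse: a single-pass comment stripper that walks the input once (so its cost is linear in the input length no matter how many line terminators a comment contains), plus a small check that the installed `sqlparse` meets the 0.4.2 minimum the scanner recommends. The function names, the `MIN_SQLPARSE` constant, and the constructed CRLF-heavy inputs in `demo()` are all assumptions made for this illustration.

```python
"""Linear-time SQL comment stripping and a sqlparse version gate.

Added example for issue #543; not part of mssql-cli or sqlparse.
"""
import time
from importlib import metadata
from typing import Optional, Tuple

# Minimum sqlparse version named in the scanner recommendation (constructed constant).
MIN_SQLPARSE: Tuple[int, ...] = (0, 4, 2)


def strip_sql_comments(sql: str) -> str:
    """Remove '--' line comments and '/* */' block comments in one left-to-right pass.

    String literals are copied verbatim so a '--' or '/*' inside quotes is kept.
    Line terminators after a '--' comment (including a preceding '\\r') are kept,
    so line structure of the statement survives. No regular expressions are used,
    so there is no backtracking and the cost is O(len(sql)).
    """
    out = []
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch in ("'", '"'):
            # Copy a quoted literal verbatim; doubled quotes ('') are an escape.
            quote, j = ch, i + 1
            while j < n:
                if sql[j] == quote:
                    if j + 1 < n and sql[j + 1] == quote:
                        j += 2
                        continue
                    break
                j += 1
            out.append(sql[i:j + 1])  # unterminated literal: copy to end of input
            i = j + 1
        elif sql.startswith("--", i):
            # Line comment: drop up to (not including) the line terminator.
            j = sql.find("\n", i)
            if j == -1:
                i = n
            else:
                i = j - 1 if sql[j - 1] == "\r" else j
        elif sql.startswith("/*", i):
            # Block comment: a single find() call skips it, however many CRLFs it holds.
            j = sql.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '0.4.2' (or '0.4.2rc1') into a comparable tuple of leading integers."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for c in piece:
            if not c.isdigit():
                break
            digits += c
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_is_at_least(installed: str, minimum: Tuple[int, ...]) -> bool:
    """True when `installed` is >= `minimum`, padding short versions with zeros."""
    v = parse_version(installed)
    v = v + (0,) * (len(minimum) - len(v))
    return v >= minimum


def sqlparse_is_patched() -> Optional[bool]:
    """True/False for the installed sqlparse against MIN_SQLPARSE; None if not installed."""
    try:
        installed = metadata.version("sqlparse")
    except metadata.PackageNotFoundError:
        return None
    return version_is_at_least(installed, MIN_SQLPARSE)


def demo() -> None:
    # Constructed inputs: comments padded with many '\r\n' repetitions, the shape
    # the advisory says triggers exponential backtracking in the vulnerable regex.
    block = "SELECT 1 /*" + "\r\n" * 20000 + "*/ FROM t"
    line = "SELECT 1 -- c" + "\r\n" * 20000 + "FROM t"
    for label, sql in (("block comment", block), ("line comment", line)):
        start = time.perf_counter()
        result = strip_sql_comments(sql)
        print(f"{label}: {len(sql)} -> {len(result)} chars in "
              f"{(time.perf_counter() - start) * 1000:.1f} ms")
    print("installed sqlparse meets 0.4.2:", sqlparse_is_patched())


if __name__ == "__main__":
    demo()
```

Running the script on a 40 KB comment finishes in a few milliseconds either way, which is the property the upgraded sqlparse release restores; `sqlparse_is_patched()` is the check to wire into a CI step for an environment that still pins the old version.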