Closed benzkji closed 8 months ago
This has been reported at https://github.com/SmileyChris/easy-thumbnails/issues/591. The next release of easy-thumbnails will make SVG support optional: https://github.com/SmileyChris/easy-thumbnails/pull/597. Could SVG support be optional in django-filer?
would make sense.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
not stale at all.
easy_thumbnails 2.8.2 was released on the 31st of July and introduces optional SVG support. As django-filer does not pin this dependency and does not install easy_thumbnails[svg], this update has broken my project based on django-filer.
As a quick workaround, I can add easy_thumbnails[svg] to my project dependencies, but I think it would be better if django-filer manages this issue.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
still not stale?
From my side, the issue has been solved with https://github.com/django-cms/django-filer/pull/1305.
the original issue was about security tools reporting reportlab as a security risk. depending on the project, you may not be allowed to install reportlab. so, for me the question that remains is: will filer also allow an installation without reportlab? I could totally understand if this is not a goal, though.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This will now be closed due to inactivity, but feel free to reopen it.
Running into this dependency issue with django-filer 3.1.0
Tough, if you want your SVG uploaded as "File", not as "Image", I guess you'll be out of luck.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
In filer 3.x plus SVG can be fully deactivated.
wasn't easythumbnails[svg] explicitly added to filer's dependencies ( https://github.com/django-cms/django-filer/blob/master/setup.py#L10 )? For me that's ok...I could still disable SVG uploads, via settings. The original issue was about the safety check and its report of reportlab as a security risk. But that seems gone.
I use the safety package to check all of my dependencies used in a project. Since filer 2.1, reportlab is a dependency, as far as I know, used to transform SVGs. I found:
- the still relevant CVE is "Server-side Request Forgery (SSRF) via img tags", not a critical issue, but if your organization requires a strict "no-CVE" policy, this could be a problem?
Is reportlab really required? Probably yes. So, we would need to live with it, I guess?