jazzband / django-oauth-toolkit

OAuth2 goodies for the Djangonauts!
https://django-oauth-toolkit.readthedocs.io
3.16k stars, 794 forks

Minor/patch release cycle with bugfixes #1478

Closed cristiprg closed 2 months ago

cristiprg commented 2 months ago

Hi! Do you have any plans to release another minor or patch version before the major upgrade to 3? There are a couple of smaller non-breaking fixes that would be great to have in, such as https://github.com/jazzband/django-oauth-toolkit/pull/1476 and https://github.com/jazzband/django-oauth-toolkit/pull/1465 which fixes this CVE. 🙏

n2ygk commented 2 months ago

I've pushed the date earlier and hope to publish the 3.0.0 version before then. I'm waiting on one or two last PR reviews. See https://github.com/jazzband/django-oauth-toolkit/milestone/35. It seems that oauthlib CVE can be dealt with now by upgrading oauthlib as the DOT 2.4.0 requirements are for oauthlib 3.1+ so 3.2.2+ is included in that. Given the dependency should be >=3.2.2 rather than >=3.2 as it was in #1465 it would be great if you were to submit a PR to push the version dependency to that level.
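The comment above turns on a detail that is easy to get wrong in a requirements floor: `oauthlib>=3.2` still admits 3.2.0 and 3.2.1, while `>=3.2.2` is the first floor that excludes every release before the fix. The script below is an added example (not code from django-oauth-toolkit or from anyone in this thread) that parses a `>=` floor, lists which candidate versions it admits that are older than the fixed release, and checks the locally installed oauthlib against the floor. The candidate version list is constructed for illustration, and "fixed in 3.2.2" is taken from the comment; the CVE identifier itself is not on this page, so the code does not name one.

```python
"""Compare dependency floors for oauthlib against the fix version.

Added example, not part of django-oauth-toolkit. Encodes only what the
thread states: the fix is in oauthlib 3.2.2, so ">=3.2" is too loose
and ">=3.2.2" is the floor to require.
"""
import re
from importlib import metadata

# Constructed list of candidate releases for illustration.
CANDIDATE_VERSIONS = ["3.1.0", "3.1.1", "3.2.0", "3.2.1", "3.2.2"]

# First release containing the fix, per the comment above.
FIXED_IN = "3.2.2"


def parse_version(version):
    """Return (major, minor, patch) so that "3.2" compares equal to "3.2.0".

    Only leading numeric components are read; a suffix such as ".post1"
    or "rc1" is ignored for this comparison.
    """
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if m is None:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.groups(default="0"))


def parse_floor(spec):
    """Extract the minimum version from a ">=x.y.z" specifier."""
    m = re.fullmatch(r"\s*>=\s*([0-9][0-9.]*)\s*", spec)
    if m is None:
        raise ValueError(f"only '>=' floors are handled here: {spec!r}")
    return m.group(1)


def admitted_by(spec, versions=CANDIDATE_VERSIONS):
    """Versions that satisfy the floor."""
    floor = parse_version(parse_floor(spec))
    return [v for v in versions if parse_version(v) >= floor]


def vulnerable_admitted(spec, versions=CANDIDATE_VERSIONS, fixed_in=FIXED_IN):
    """Versions the floor admits that predate the fixed release.

    An empty list means the floor is tight enough.
    """
    fixed = parse_version(fixed_in)
    return [v for v in admitted_by(spec, versions) if parse_version(v) < fixed]


def installed_oauthlib_satisfies(spec=f">={FIXED_IN}"):
    """True/False for the installed oauthlib, or None if it is not installed."""
    try:
        installed = metadata.version("oauthlib")
    except metadata.PackageNotFoundError:
        return None
    return parse_version(installed) >= parse_version(parse_floor(spec))


if __name__ == "__main__":
    for spec in (">=3.1", ">=3.2", ">=3.2.2"):
        print(f"{spec:>8}: still admits {vulnerable_admitted(spec) or 'nothing vulnerable'}")
    print("installed oauthlib satisfies >=3.2.2:", installed_oauthlib_satisfies())
```

Running it shows `>=3.1` (the DOT 2.4.0 floor) and `>=3.2` (the #1465 floor) both admitting 3.2.0 and 3.2.1, while `>=3.2.2` admits nothing older than the fix. The same check is worth running in CI against whatever `pip` actually resolved, since a loose floor in `setup.py` only matters when a resolver picks an old release.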

cristiprg commented 2 months ago

Thanks @n2ygk! Here's the PR to bump oauthlib https://github.com/jazzband/django-oauth-toolkit/pull/1481

cristiprg commented 2 months ago

@n2ygk sorry, I may not have asked the question clearly. What I'm interested in is having those two PRs before a major release with breaking changes, in for example DOT 2.4.1 or 2.5.

The motivation is that they are not breaking changes, so there is no need to only include them in a major release (bundled up with other breaking changes)

n2ygk commented 2 months ago

That’s too much effort for me to have to create a branch and cherry pick intermediate commits.

On Thu, Sep 5, 2024 at 4:50 AM Cristian Prigoana wrote:

> @n2ygk sorry, I may not have asked the question clearly. What I'm interested in is having those two PRs before a major release with breaking changes, in for example DOT 2.4.1 or 2.5.
>
> The motivation is that they are not breaking changes, so there is no need to only include them in a major release