jurplel / install-qt-action

Install Qt on your Github Actions workflows with just one simple action
MIT License

aqtinstall 3.1.0 depends on py7zr>=0.20.2 #176

Closed Mte90 closed 1 year ago

Mte90 commented 1 year ago

Right now I get these errors in the action:

The conflict is caused by:
    The user requested py7zr==0.19.*
    aqtinstall 3.1.3 depends on py7zr>=0.20.2
    The user requested py7zr==0.19.*
    aqtinstall 3.1.2 depends on py7zr>=0.20.2
    The user requested py7zr==0.19.*
    aqtinstall 3.1.1 depends on py7zr>=0.20.2
    The user requested py7zr==0.19.*
    aqtinstall 3.1.0 depends on py7zr>=0.20.2

Action: https://github.com/Mte90/GBAATM-Rebirth/actions/runs/4324938416/jobs/7550432001

I just changed the py7zr version to a major one to see if it fixes the issues.

ddalcino commented 1 year ago

Thank you for the report; this is a problem that install-qt-action should know how to solve on its own, and clearly it cannot.

As I understand it, this action sets the default version of py7zr to 0.19.*, to prevent problems that some users had installing or using other versions of that dependency. I think these problems were common with earlier versions of aqtinstall, and this version of py7zr appears to fix them. I don't know if these problems still exist; I haven't seen them in a long time.

AFAICT, aqtinstall bumped up to py7zr>=0.20.2 with release 3.1.0 for security reasons; the commit message for https://github.com/miurahr/aqtinstall/commit/998b93e043e9eb98ec7f326030df79735d1da41e mentions fixes for path traversal and symlink attacks. According to https://github.com/miurahr/py7zr/releases/tag/v0.19.2, these fixes were backported, so py7zr==0.19.* should be perfectly safe to use.

The immediate cause of this problem is the code below. When pip install is called in this way, the py7zr and aqtinstall versions must be compatible with each other, otherwise the command will fail as seen above. https://github.com/jurplel/install-qt-action/blob/05e8c481b81eeb51e01cd319fa2523a154054028/action/src/main.ts#L300-L305

As for possible fixes for this problem, I can think of 3:

  1. Globally bump the default py7zr to "0.20.*". This solution will fail the next time aqtinstall bumps up its required version of py7zr.
  2. Conditionally set the default py7zr based on the aqtinstall version. I expect this solution to get very messy over time.
  3. Keep the same default value, and split the pip install command into two calls: pip install "py7zr${inputs.py7zrVersion}" && pip install "aqtinstall${inputs.aqtVersion}". This will install whatever the default or requested version is, and it will keep it if it's compatible with aqtinstall. If the requested aqtinstall is not compatible, it will replace that py7zr with whatever version aqtinstall requests.

Personally, I prefer option 3.
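To make the difference between a single combined `pip install` and option 3's two separate calls concrete, here is a small model of pip's candidate selection, written for this thread as an added example; it is not code from install-qt-action, aqtinstall or pip. The package index below is constructed: the four 3.1.x releases and their `py7zr>=0.20.2` requirement come from the error output above, while the py7zr version list, the older `3.0.2` release and its requirement are hypothetical, and `==3.1.*` is assumed as the aqtinstall request that produced the failure.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the package index. Only the 3.1.x -> py7zr>=0.20.2
# requirement is taken from the issue; every other entry is illustrative.
PY7ZR_VERSIONS: List[str] = [
    "0.18.9", "0.19.0", "0.19.1", "0.19.2", "0.20.0", "0.20.2", "0.20.4",
]
AQTINSTALL_INDEX: Dict[str, str] = {
    "3.0.2": "py7zr>=0.19.0",   # hypothetical older release
    "3.1.0": "py7zr>=0.20.2",
    "3.1.1": "py7zr>=0.20.2",
    "3.1.2": "py7zr>=0.20.2",
    "3.1.3": "py7zr>=0.20.2",
}

_SPEC_RE = re.compile(r"^(==|>=|<=|>|<|!=)(\d+(?:\.\d+)*)(\.\*)?$")


def _vtuple(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def matches(version: str, spec: str) -> bool:
    """True if `version` satisfies one clause such as '==0.19.*' or '>=0.20.2'."""
    m = _SPEC_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unsupported specifier: {spec!r}")
    op, target, wildcard = m.groups()
    v, t = _vtuple(version), _vtuple(target)
    if wildcard:  # prefix match: ==0.19.* accepts any 0.19.x
        if op not in ("==", "!="):
            raise ValueError("wildcard is only valid with == or !=")
        hit = v[: len(t)] == t
        return hit if op == "==" else not hit
    return {"==": v == t, "!=": v != t, ">=": v >= t,
            "<=": v <= t, ">": v > t, "<": v < t}[op]


def newest(versions, *specs: str) -> Optional[str]:
    """Newest version satisfying every clause (pip prefers the newest), or None."""
    ok = [v for v in versions if all(matches(v, s) for s in specs)]
    return max(ok, key=_vtuple) if ok else None


def _split_req(req: str) -> Tuple[str, str]:
    # "py7zr>=0.20.2" -> ("py7zr", ">=0.20.2")
    m = re.match(r"^([A-Za-z0-9_.-]+)(.*)$", req)
    return m.group(1), m.group(2)


class ResolutionError(Exception):
    pass


def resolve_single_call(py7zr_spec: str, aqt_spec: str) -> Tuple[str, str]:
    """Model of one call: pip install "py7zr<spec>" "aqtinstall<spec>".
    Both user requests are hard constraints, so every aqtinstall candidate
    (newest first) whose py7zr requirement does not overlap the user's pin is
    rejected, and the error lists each rejection, as in the issue output."""
    conflicts = []
    for aqt in sorted(AQTINSTALL_INDEX, key=_vtuple, reverse=True):
        if not matches(aqt, aqt_spec):
            continue
        _, req = _split_req(AQTINSTALL_INDEX[aqt])
        chosen = newest(PY7ZR_VERSIONS, py7zr_spec, req)
        if chosen:
            return aqt, chosen
        conflicts.append(f"    The user requested py7zr{py7zr_spec}\n"
                         f"    aqtinstall {aqt} depends on py7zr{req}")
    raise ResolutionError("The conflict is caused by:\n" + "\n".join(conflicts))


def resolve_two_calls(py7zr_spec: str, aqt_spec: str) -> Tuple[str, str]:
    """Model of option 3: pip install "py7zr<spec>" && pip install "aqtinstall<spec>".
    The second call sees py7zr as an installed, replaceable package rather than a
    user constraint, so it is upgraded only when aqtinstall's requirement is unmet."""
    installed = newest(PY7ZR_VERSIONS, py7zr_spec)
    if installed is None:
        raise ResolutionError(f"no py7zr release matches {py7zr_spec}")
    aqt = newest(AQTINSTALL_INDEX, aqt_spec)
    if aqt is None:
        raise ResolutionError(f"no aqtinstall release matches {aqt_spec}")
    _, req = _split_req(AQTINSTALL_INDEX[aqt])
    if not matches(installed, req):
        installed = newest(PY7ZR_VERSIONS, req)  # replaced to satisfy aqtinstall
    return aqt, installed


if __name__ == "__main__":
    try:
        print(resolve_single_call("==0.19.*", "==3.1.*"))
    except ResolutionError as err:
        print("single call failed:\n" + str(err))
    print("two calls:", resolve_two_calls("==0.19.*", "==3.1.*"))
```

Running it reproduces the shape of the failure in the report (each 3.1.x release rejected against the `==0.19.*` pin) and shows the two-call order ending with the newest aqtinstall plus whatever py7zr it needs, while a request such as `==3.0.*` keeps the pinned 0.19.x line untouched in both modes. The trade-off option 3 makes is visible here too: the default py7zr pin is a preference, not a guarantee, so the workflow log should be checked for which py7zr actually ended up installed.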

ddalcino commented 1 year ago

Ok, this issue has been open long enough with no further comment. I have implemented option 3 described above in PR #178. Hope that works for you.

jurplel commented 1 year ago

Excellent work, I sincerely apologize for not getting to this sooner. Feel free to message me on Discord (linked on my profile) to bug me about urgent things like this. Things get lost in my backlog of emails that I often only have time to fully get through at the end of a semester.