Closed Mte90 closed 1 year ago
Thank you for the report; this is a problem that install-qt-action
should know how to solve on its own, and clearly it cannot.
As I understand it, this action sets the default version of py7zr to 0.19.*, to prevent problems that some users had installing or using other versions of that dependency. I think these problems were common with earlier versions of aqtinstall, and this version of py7zr appears to fix them. I don't know if these problems still exist; I haven't seen them in a long time.
AFAICT, aqtinstall bumped up to py7zr>=0.20.2 with release 3.1.0 for security reasons; the commit message for https://github.com/miurahr/aqtinstall/commit/998b93e043e9eb98ec7f326030df79735d1da41e mentions fixes for path traversal and symlink attacks. According to https://github.com/miurahr/py7zr/releases/tag/v0.19.2, these fixes were backported, so py7zr==0.19.* should be perfectly safe to use.
The immediate cause of this problem is the code below. When pip install is called in this way, the py7zr and aqtinstall versions must be compatible with each other, otherwise the command will fail as seen above.
https://github.com/jurplel/install-qt-action/blob/05e8c481b81eeb51e01cd319fa2523a154054028/action/src/main.ts#L300-L305
As far as possible fixes for this problem, I can think of 3:
1. aqtinstall bumps up its required version of py7zr.
2. aqtinstall version. I expect this solution to get very messy over time.
3. pip install command into two calls: pip install "py7zr${inputs.py7zrVersion}" && pip install "aqtinstall${inputs.aqtVersion}". This will install whatever the default or requested version is, and it will keep it if it's compatible with aqtinstall. If the requested aqtinstall is not compatible, it will replace that py7zr with whatever version aqtinstall requests.

Personally, I prefer option 3.
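The difference between the single pip call and the split calls described in the comment above, as an added example that is not part of the thread and is not code from install-qt-action or pip. It is a simplified model of version selection; the release list, the `>=0.19.0` requirement for an older aqtinstall, and all function names are constructed for illustration.

```python
# Simplified model of the two install strategies (not pip's real resolver).
# AVAILABLE is a constructed list of py7zr releases for illustration.
AVAILABLE = ["0.19.0", "0.19.2", "0.20.2", "0.20.4"]


def parse(version):
    """Turn '0.20.2' into (0, 20, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def matches(version, spec):
    """Handle only the two specifier forms seen in the thread: '==X.Y.*' and '>=X.Y.Z'."""
    if spec.startswith("==") and spec.endswith(".*"):
        prefix = parse(spec[2:-2])
        return parse(version)[:len(prefix)] == prefix
    if spec.startswith(">="):
        return parse(version) >= parse(spec[2:])
    raise ValueError(f"unsupported specifier: {spec}")


def newest(specs):
    """Newest available release satisfying every specifier, or None."""
    ok = [v for v in AVAILABLE if all(matches(v, s) for s in specs)]
    return max(ok, key=parse) if ok else None


def single_call(user_pin, aqt_requires):
    """One pip call: the pin and aqtinstall's requirement must hold together."""
    return newest([user_pin, aqt_requires])  # None models the failed install


def split_calls(user_pin, aqt_requires):
    """Two pip calls joined by &&: returns (final py7zr version, pin_replaced)."""
    installed = newest([user_pin])
    if installed is None:
        return None, False                   # first call fails, && stops here
    if matches(installed, aqt_requires):
        return installed, False              # pin kept
    return newest([aqt_requires]), True      # second call replaces the pin


if __name__ == "__main__":
    print("single:", single_call("==0.19.*", ">=0.20.2"))
    print("split: ", split_calls("==0.19.*", ">=0.20.2"))
    print("older aqtinstall:", split_calls("==0.19.*", ">=0.19.0"))
```

In the split model the requested py7zr pin can be replaced without an error, so a workflow that depends on a specific py7zr version should log the installed version after the second call.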
Ok, this issue has been open long enough with no further comment. I have implemented option 3 described above in PR #178. Hope that works for you.
Excellent work, I sincerely apologize for not getting to this sooner. Feel free to message me on Discord (linked on my profile) to bug me about urgent things like this. Things get lost in my backlog of emails that I often only have time to fully get through at the end of a semester.
Right now I get those errors in the action:
Action: https://github.com/Mte90/GBAATM-Rebirth/actions/runs/4324938416/jobs/7550432001
I just changed the py7zr version to a major one to see if it fixes the issues.