mdz / python-smarttub

Python API for SmartTub enabled hot tubs
MIT License
6 stars, 9 forks

Update aiohttp constraint #18

Closed fabaff closed 2 years ago

fabaff commented 2 years ago

aiohttp-3.8.0 was released a while ago. aiohttp >= 3.7.4 to avoid CVE-2021-21330

mdz commented 2 years ago

Hi Fabian,

Thank you for the patch!

According to https://github.com/advisories/GHSA-v6wp-4m6f-gcjg, CVE-2021-21330 is a vulnerability in the aiohttp HTTP server middleware. python-smarttub only uses aiohttp.ClientSession, so I don't think this vulnerability applies to this library.

fabaff commented 2 years ago

Good to know that CVE-2021-21330 is not an issue.

For the distribution packages (e.g., NixOS) it would still require that the constraint is relaxed.

mdz commented 2 years ago

Can you help me understand why a change is required for NixOS? The current dependency spec is compatible with 3.7.4.

$ python3 -m venv venv
$ . venv/bin/activate
$ pip3 install aiohttp==3.7.4 python-smarttub
Collecting aiohttp==3.7.4
  Downloading aiohttp-3.7.4-cp39-cp39-macosx_10_14_x86_64.whl (649 kB)
     |████████████████████████████████| 649 kB 15.0 MB/s 
Collecting python-smarttub
  Downloading python-smarttub-0.0.27.tar.gz (12 kB)
Collecting attrs>=17.3.0
  Using cached attrs-21.2.0-py2.py3-none-any.whl (53 kB)
Collecting yarl<2.0,>=1.0
  Downloading yarl-1.7.2-cp39-cp39-macosx_10_9_x86_64.whl (121 kB)
     |████████████████████████████████| 121 kB 2.7 MB/s 
Collecting typing-extensions>=3.6.5
  Downloading typing_extensions-4.0.0-py3-none-any.whl (22 kB)
Collecting multidict<7.0,>=4.5
  Downloading multidict-5.2.0-cp39-cp39-macosx_10_9_x86_64.whl (45 kB)
     |████████████████████████████████| 45 kB 10.4 MB/s 
Collecting chardet<4.0,>=2.0
  Using cached chardet-3.0.4-py2.py3-none-any.whl (133 kB)
Collecting async-timeout<4.0,>=3.0
  Using cached async_timeout-3.0.1-py3-none-any.whl (8.2 kB)
Collecting inflection~=0.5.1
  Using cached inflection-0.5.1-py2.py3-none-any.whl (9.5 kB)
Collecting pyjwt~=2.1.0
  Using cached PyJWT-2.1.0-py3-none-any.whl (16 kB)
Collecting python-dateutil~=2.8.1
  Downloading python_dateutil-2.8.2-py2.py3-none-any.whl (247 kB)
     |████████████████████████████████| 247 kB 16.3 MB/s 
Collecting idna>=2.0
  Downloading idna-3.3-py3-none-any.whl (61 kB)
     |████████████████████████████████| 61 kB 18.7 MB/s 
Collecting six>=1.5
  Using cached six-1.16.0-py2.py3-none-any.whl (11 kB)
Using legacy 'setup.py install' for python-smarttub, since package 'wheel' is not installed.
Installing collected packages: attrs, multidict, idna, yarl, typing-extensions, chardet, async-timeout, aiohttp, inflection, pyjwt, six, python-dateutil, python-smarttub
    Running setup.py install for python-smarttub ... done
Successfully installed aiohttp-3.7.4 async-timeout-3.0.1 attrs-21.2.0 chardet-3.0.4 idna-3.3 inflection-0.5.1 multidict-5.2.0 pyjwt-2.1.0 python-dateutil-2.8.2 python-smarttub-0.0.27 six-1.16.0 typing-extensions-4.0.0 yarl-1.7.2

fabaff commented 2 years ago

Because NixOS and other distributions are shipping aiohttp 3.7.4 or later already. The current constraint prevents one from using 3.8.0 and makes the build fail. Home Assistant has moved to aiohttp 3.8.0. The HA requirements have priority in the venv, thus aiohttp~=3.7.3 will be ignored most likely.

The current dependency spec is compatible with 3.7.4

Yes, it is but not with 3.8.0 and above.
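The two replies above turn on what `aiohttp~=3.7.3` actually admits. As an added example (not code from python-smarttub, aiohttp or either commenter), here is a hand-rolled evaluator for a subset of PEP 440 specifiers that shows why the compatible-release clause `~=3.7.3` accepts 3.7.4 but rejects 3.8.0, and that checks a candidate version against the `>= 3.7.4` floor named in the first comment. The function names (`satisfies`, `affected_by_cve_2021_21330`, `resolution_table`) are my own, it handles only plain dotted release versions (no pre-release, post-release or local suffixes), and a real resolver would use `packaging.specifiers` instead.

```python
"""Added example: evaluate PEP 440-style version specifiers the way a
resolver does, for the aiohttp versions discussed in this thread.
Hand-rolled subset: ~=, ==, !=, <=, >=, <, > on plain dotted release
versions.  Pre-release/post-release/local suffixes are out of scope."""
from __future__ import annotations

import re
from typing import Dict, Iterable, Tuple

Version = Tuple[int, ...]

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")
_CLAUSE_RE = re.compile(r"^\s*(~=|==|!=|<=|>=|<|>)\s*([0-9.]+\*?)\s*$")


def parse_version(text: str) -> Version:
    """'3.7.4' -> (3, 7, 4).  Raises on anything that is not a plain release."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _pad(a: Version, length: int) -> Version:
    # PEP 440 treats 3.7 and 3.7.0 as equal, so pad with zeros before comparing.
    return a + (0,) * max(0, length - len(a))


def _cmp(a: Version, b: Version) -> int:
    n = max(len(a), len(b))
    a, b = _pad(a, n), _pad(b, n)
    return (a > b) - (a < b)


def _clause_matches(version: Version, clause: str) -> bool:
    m = _CLAUSE_RE.match(clause)
    if not m:
        raise ValueError(f"unsupported specifier clause: {clause!r}")
    op, target = m.groups()

    if op == "~=":
        # Compatible release: ~=X.Y.Z means >=X.Y.Z together with ==X.Y.*,
        # so ~=3.7.3 admits 3.7.4 but rejects 3.8.0.
        t = parse_version(target)
        if len(t) < 2:
            raise ValueError("~= requires at least two release components")
        v = _pad(version, len(t))
        return _cmp(v, t) >= 0 and v[: len(t) - 1] == t[:-1]

    if op in ("==", "!="):
        if target.endswith(".*"):
            prefix = parse_version(target[:-2])
            hit = _pad(version, len(prefix))[: len(prefix)] == prefix
        else:
            hit = _cmp(version, parse_version(target)) == 0
        return hit if op == "==" else not hit

    c = _cmp(version, parse_version(target))
    return {">=": c >= 0, ">": c > 0, "<=": c <= 0, "<": c < 0}[op]


def satisfies(version: str, specifier: str) -> bool:
    """True when `version` meets every comma-separated clause in `specifier`."""
    v = parse_version(version)
    clauses = [c for c in specifier.split(",") if c.strip()]
    if not clauses:
        raise ValueError("empty specifier")
    return all(_clause_matches(v, c) for c in clauses)


def affected_by_cve_2021_21330(version: str) -> bool:
    """Per the first comment, aiohttp >= 3.7.4 avoids CVE-2021-21330, so any
    release below 3.7.4 is treated as falling in the affected range."""
    return satisfies(version, "<3.7.4")


def resolution_table(versions: Iterable[str], specifiers: Iterable[str]) -> Dict[str, Dict[str, bool]]:
    """For each specifier, which of the candidate versions it admits."""
    versions = list(versions)
    return {spec: {v: satisfies(v, spec) for v in versions} for spec in specifiers}


if __name__ == "__main__":
    candidates = ["3.7.3", "3.7.4", "3.8.0"]   # versions named in the thread
    old_spec = "~=3.7.3"                       # the constraint fabaff refers to
    new_floor = ">=3.7.4"                      # the floor from the first comment
    for spec, row in resolution_table(candidates, [old_spec, new_floor]).items():
        cells = "  ".join(f"{v}={'ok' if ok else 'REJECTED'}" for v, ok in row.items())
        print(f"{spec:>10}: {cells}")
    for v in candidates:
        state = "affected" if affected_by_cve_2021_21330(v) else "patched"
        print(f"aiohttp {v}: {state} w.r.t. CVE-2021-21330")
```

The point for a dependency audit is the second half of the `~=` branch: the prefix check pins the minor series, which is what makes a `~=3.7.x` consumer unable to pick up 3.8.0 even when nothing in 3.8 breaks it, and is why a distribution building against a newer aiohttp fails the constraint rather than the code.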

mdz commented 2 years ago

I see, thank you. I'll get this merged and released once I figure out how to cause the CI checks to run.

mdz commented 2 years ago

For some reason, the CI checks aren't running, nor is there a prompt for approval to run them. I'll submit the changes under a new PR.

mdz commented 2 years ago

See #19 and https://github.com/home-assistant/core/pull/60391

fabaff commented 2 years ago

Thanks