Closed matthewdeanmartin closed 1 year ago
Hi @matthewdeanmartin,
Thanks for the report. It's an odd one - nothing leaps to mind as to what could be causing it. The latest set of tests on main ran on v0.23.0 of httpx, for example, I think.
A few questions:
Thanks,
Michal
Shoot, sorry, eventlet is in the mix & it must be doing the monkey patching which makes it hard to see what is going on.
And I can't update to the latest eventlet because gunicorn's maintainer is on hiatus.
This issue can be closed, thanks!
Ah no problem - in fact keep the reports coming, it's nice to see that this is being used.
One workaround has crossed my mind: you can replace the httpx client with one that has a compatible API, so say using python requests. There isn't really documentation on this, but something like this might work:
```python
from contextlib import contextmanager

import requests
from sqlite_s3_query import sqlite_s3_query


@contextmanager
def get_http_client():
    # Wrap a requests response so it offers the httpx-style response interface
    class Response():
        def __init__(self, response):
            self.response = response
            self.headers = response.headers

        def iter_bytes(self):
            yield from self.response.iter_content()

        def raise_for_status(self):
            return self.response.raise_for_status()

    # Wrap a requests session so it offers an httpx-style stream() context manager
    class Client():
        def __init__(self, session):
            self.session = session

        @contextmanager
        def stream(self, method, url, params, headers):
            yield Response(self.session.request(method, url, params=params, headers=dict(headers)))

    with requests.Session() as session:
        yield Client(session)


# Pass the factory in so the requests-backed client is used in place of httpx
with sqlite_s3_query(
    url='https://my-bucket.s3.eu-west-2.amazonaws.com/my-db.sqlite',
    get_http_client=get_http_client,
) as query:
    with query('SELECT * FROM my_table WHERE my_column = ?', params=('my-value',)) as (columns, rows):
        for row in rows:
            print(row)
```
So this would allow you to keep the most recent httpx installed, so you shouldn't get any alerts of vulnerabilities, but not use it, and instead use another HTTP client that works better with the older version of eventlet.
I honestly can't tell if this is a problem with the SSL packages installed on my host, a problem with sqlite-s3-query, or a problem with httpx.
Eventlet got a similar call stack in a bug, but I'm not smart enough to know if it is relevant.
I'm posting this here because I got an error message and a not very good workaround. My host is AWS Linux.
So `safety`, `pip-audit` and so on report the lower versions of httpx as insecure. But if I bump to the latest version I get a recursion error.