Closed AkshathRaghav closed 1 year ago
If https://github.com/opensearch-project/opensearch-py/pull/518 goes through, can't you bump the version of opensearch-py you're depending on in opensearch-benchmark?
Hello @AkshathRaghav and @IanHoang, I've merged the changes to the main branch. Now, we have a few more steps to complete:
- Similar changes should be merged into other branches needed by opensearch-benchmarks. Please note: Check the noxfile.py in the corresponding branches to confirm the Python versions it uses and ensure they are supported by urllib3 1.26.5.
- Release patch versions for the corresponding branches.
- Similar changes should be merged into other branches needed by opensearch-benchmarks. Please note: Check the noxfile.py in the corresponding branches to confirm the Python versions it uses and ensure they are supported by urllib3 1.26.5.
I assume you mean changing old versions of opensearch-py? I would propose that's not necessary since dependent projects can bump the version they depend on.
- Release patch versions for the corresponding branches.
I assume you mean branches of opensearch-py?
@wbeckler @saimedhi To clarify, based on the releasing guide and since OSB is using opensearch-py 2.2.0, we should cherry-pick the commit (#518) from main onto 2.X and put out a PR with patch and backport labels?
Hello @IanHoang, after a thoughtful discussion with wbeckler, we've decided to release a new opensearch-py version that incorporates the changes from PR #518. Following the release, please consider updating opensearch-benchmark to use this latest opensearch-py version. We believe this approach is the most effective, and we kindly request your comment on the issue, expressing your desire to release opensearch-py 2.3.2.
Thanks @saimedhi and @wbeckler!
Is your feature request related to a problem?
An issue was discovered in urllib3 before 1.26.5: when provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. This request is for opensearch-benchmark.
What solution would you like?
Bumping up the urllib3 version from >=1.21.1 to >=1.26.5 in previous releases of opensearch-py, specifically 2.2.0 and 1.0.0, which are used by opensearch-benchmark versions 1.1 and 1.0.
What alternatives have you considered?
I could hardcode it in the setup.py in opensearch-benchmarks so that it installs the correct version after it installs opensearch-py https://github.com/opensearch-project/opensearch-benchmark/blob/5a99b0770ab3a0df4145e76f3cacb95dd8118073/setup.py#L61
Do you have any additional context?
Not really. This is just a request, and the issue can be handled easily if denied.
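A way to check for the condition this request describes, as an added example that is not from the issue or from opensearch-py: it flags requirement strings whose lower bound still admits urllib3 releases older than 1.26.5, and reports whether the urllib3 installed locally meets that version. The function names are hypothetical, and only `>=`, `==` and `~=` clauses are treated as lower bounds (anything else is conservatively treated as no lower bound).

```python
import re
from importlib import metadata

FIXED = (1, 26, 5)  # first fixed urllib3 release, as stated in the issue text


def parse_version(text):
    """Turn '1.26.5' into (1, 26, 5); pre/post-release suffixes are ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    return tuple(nums + [0] * (3 - len(nums)))


def lowest_allowed(requirement):
    """Tightest lower bound in e.g. 'urllib3>=1.21.1,<2', or None if absent."""
    spec = requirement.split(";")[0]  # drop environment markers
    floor = None
    for clause in spec.split(","):
        m = re.search(r"(>=|==|~=)\s*([\w.]+)", clause)
        if m:
            version = parse_version(m.group(2))
            floor = version if floor is None else max(floor, version)
    return floor


def permits_vulnerable(requirement):
    """True when the requirement can resolve to a urllib3 older than FIXED."""
    floor = lowest_allowed(requirement)
    return floor is None or floor < FIXED


def installed_is_patched():
    """True/False for the local urllib3, None when it is not installed."""
    try:
        return parse_version(metadata.version("urllib3")) >= FIXED
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    # The two constraints discussed in the issue: current and requested.
    for req in ("urllib3>=1.21.1", "urllib3>=1.26.5"):
        print(req, "-> permits vulnerable release:", permits_vulnerable(req))
    print("installed urllib3 patched:", installed_is_patched())
```

A permissive floor does not mean the vulnerable release is installed, only that the resolver is allowed to pick it, so the installed-version check is the one that reflects the actual environment.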