Open joelvdavies opened 1 month ago
joelvdavies
commented
1 month ago Another thing I just noticed FastAPI has
"starlette>=0.37.2,<0.39.0",but the requirements.txt is now being updated by dependabot - so it wont care when it should.
Pip would probably complain during the build though.
joelvdavies
commented
1 month ago Also see https://github.com/ral-facilities/object-storage-api/pull/10#issuecomment-2368049630. Some dependencies may come from just the OS its being installed on (in this case it seems its an optional one https://stackoverflow.com/questions/70731019/is-it-impossible-developing-with-fastapi-uvloop-windows) but there could be cases where one requirements file for all OS's doesn't work.
joelvdavies
commented
1 month ago Another thing I just noticed FastAPI has
"starlette>=0.37.2,<0.39.0",but the requirements.txt is now being updated by dependabot - so it wont care when it should.
Pip would probably complain during the build though.
On https://github.com/ral-facilities/object-storage-api/pull/13, it could be tested by looking at the unit test CI. (Once some unit tests are added)
joelvdavies
commented
1 month ago It does complain see: https://github.com/ral-facilities/object-storage-api/pull/24
It errored on the unit tests during install.
joelvdavies
commented
2 weeks ago Today had this repo picking up a starlette cve: https://avd.aquasec.com/nvd/2024/cve-2024-47874/. ims-api did not show the same due to github not seeing it as a dependency, but it was picked up by Trivy on Harbor (which is where I first noticed it).
On ims-api and ldap-jwt-auth we don't pin sub-dependencies. There are cases where this could cause issues e.g. docker builds installing different dependencies when tags are pushed, or depndabot failing to notify us of security issues. However using a requirments.txt also has issues e.g. when sub dependencies are added/removed in new versions leading to an invalid requirements.txt. Equally where others suggest using poetry, we are not very keen on it complicating setup.
In #2 I am adding a requirements.txt to test it out, but we should re-evaluate this later and decide whether to revert the change, find a different solution or apply it to ims-api and ldap-jwt-auth.