securisec / chepy

Chepy is a python lib/cli equivalent of the awesome CyberChef tool.
GNU General Public License v3.0
934 stars 54 forks

Possible to not freeze dependencies? #30

Closed QuentiumYT closed 1 year ago

QuentiumYT commented 1 year ago

Hello, I would like to know if chepy's dependencies can be a range instead of a strict version. I know I'm not using venv, but probably not a lot of people use venv for this kind of global tool. I often update my global dependencies and chepy is one of the most problematic regarding conflicts. I recommend using a major version range, i.e. >1,<2. Thanks for this project :)

securisec commented 1 year ago

Thank you for the kind words!

Was there a particular set of dependencies that is causing you issues? Chepy uses a very small handful of pinned dependencies because newer or older versions tend to break how Chepy functions. If there are specific deps that are causing conflicts, I can take a look at them. As an example, the pyjwt dependency will be very hard to replace because that version provides some insecure functions that are used for the jwt methods in Chepy. Updating that dependency will break functionality of Chepy.

QuentiumYT commented 1 year ago

I see, well this was especially for pyjwt, used in some of my projects. I understand that the older version contains some insecure code (I did a bit of root me with this version as well haha). My guess is to "move" some part of the code, if it's possible to your repository (including code LICENSE maybe). I can look into that if it's not too huge. I don't know about the other packages, but I got your point, even if it's not a great thing to keep old dependencies ^^ maybe there is a way to port them idk. Anyway, I can look on my end to not update chepy's dependencies but not really great for some other projects using newer versions.

QuentiumYT commented 1 year ago

I tried to skip old checks etc. from the latest pyjwt but it didn't work, the test for decoding the token is wrong. I guess something internal changed. The only solution is to embed the old PyJWT or debug further into the new code :p

securisec commented 1 year ago

The test is not wrong. It is a change in the internals for pyjwt which is why the latest pyjwt fails the test. The best I can say is either run chepy in a venv, or your projects in a venv. The problem you are facing is not exactly a chepy issue with deps, but an overall python issue because issues like this can apply to any python project.

QuentiumYT commented 1 year ago

I see, that's what I experienced while trying to use PyJWT 2. You are right about the global dependencies, but most of the time, a package should look for latest requirements. Chepy is a special project for that :) Anyway, thanks for looking into that