can we loosen the urllib3 requirement? #27
Comments
Good catch on the In regards to the AWS Auth, are you proposing that we release a new package entirely?
No, I was thinking something along the lines of package extras so a statement like pip install infisicalsdk would install the package core functionality (say, only relies on requests). Then a statement like: pip install infisicalsdk[aws] would install the extras like botocore that are required for AWS auth. Appreciate this might not be a route you want to go down though given it would introduce a breaking change https://packaging.python.org/en/latest/specifications/dependency-specifiers/#extras
Just urllib3, thanks for the response and confirming it's not a hard req
Versions >=2.0.0a1,<= 2.2.1 are affected by CVE-2024-37891, and another package of mine (types-requests) is pinned to >=2. Between these two packages, I am unable to use an unaffected version of urllib3. This is probably low risk, but given that the CVE is from June 17, 2024, this needs to be updated/opened up.
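The constraint conflict described in the comment above, as an added example (not code from the issue or from the project): it checks which urllib3 releases satisfy every constraint while staying outside the CVE-2024-37891 range quoted there. The SDK's own pin is not quoted in the issue, so the `<=2.2.1` upper bound and the release list are constructed assumptions; `types-requests>=2` is written as `>=2.0.0` because the helper only parses `X.Y.Z` with an optional `aN`/`bN`/`rcN` suffix.

```python
import re
from typing import List, Tuple

_PRE = {"a": 0, "b": 1, "rc": 2}
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?$")

def parse(v: str) -> Tuple[int, ...]:
    """Minimal PEP 440 subset: X.Y.Z plus an optional pre-release suffix."""
    m = _VER.match(v)
    if not m:
        raise ValueError(f"unsupported version: {v}")
    maj, mi, pa, pre, n = m.groups()
    # A final release sorts after all of its own pre-releases: (3, 0) > (0..2, n).
    tail = (3, 0) if pre is None else (_PRE[pre], int(n))
    return (int(maj), int(mi), int(pa)) + tail

_OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}

def satisfies(version: str, spec: str) -> bool:
    """spec is a comma-separated AND of clauses, e.g. '>=2.0.0a1,<=2.2.1'."""
    key = parse(version)
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        m = re.match(r"^(>=|<=|==|!=|>|<)\s*(\S+)$", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause}")
        if not _OPS[m.group(1)](key, parse(m.group(2))):
            return False
    return True

CVE_2024_37891_AFFECTED = ">=2.0.0a1,<=2.2.1"  # range quoted in the issue

def safe_choices(constraints: List[str], candidates: List[str]) -> List[str]:
    """Candidates meeting every constraint that fall outside the affected range."""
    return [v for v in candidates
            if all(satisfies(v, c) for c in constraints)
            and not satisfies(v, CVE_2024_37891_AFFECTED)]

# Constructed release list; not a complete urllib3 history.
RELEASES = ["1.26.18", "1.26.19", "2.0.0a1", "2.0.7", "2.2.1", "2.2.2", "2.2.3"]

if __name__ == "__main__":
    sdk_pin = "<=2.2.1"  # HYPOTHETICAL upper bound standing in for the SDK's pin
    print("SDK pin + types-requests:", safe_choices([sdk_pin, ">=2.0.0"], RELEASES))
    print("SDK pin loosened:", safe_choices([">=2.0.0"], RELEASES))
```

With both constraints the safe list is empty, which is exactly the dead end the comment describes; dropping the SDK's upper bound leaves 2.2.2 and later.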
The urllib3 requirement is rather restrictive given that its only direct usage seems to be here
Would it be possible to unpin this requirement and allow it to follow the conventions of the botocore library?
https://github.com/boto/botocore/blob/33ef2f747f5cd794018ece3eda4d3908c869ba80/setup.py#L31-L32
In addition, would you be open to including the AWS Auth features as a package extra rather than being included in the core lib (happy to put in a PR)? That way the core functionality of this library can depend on as little as possible.
We'd like to use this SDK, but with the current requirements it has pinned it's not possible and we need to revert to using requests.