[CT-2859] [Feature] dbt-postgres should allow patch versions of dbt-core #8185
Comments
Apologies, should've been a feature, not a bug. I am unable to edit the label.
This is blocking users from being able to resolve this moderate security vulnerability: GHSA-rrm6-wvj7-cwh2
Upon further investigation, this is totally just my user error. While it is still true that the other plugins have more relaxed version requirements, this is fine because it appears dbt-postgres releases in lockstep (1.5.3 supports 1.5.3 of dbt-core). Meaning this is not an issue.
Is this your first time submitting a feature request?
Describe the feature
v1.5.0 of dbt-postgres will pin specifically to v1.5.0 of dbt-core: dbt-core/plugins/postgres/setup.py
Line 72 in ff5cb7b
Whereas all the other plugins (e.g., dbt-redshift, dbt-bigquery, etc.) allow patch versions (i.e., >=1.5.0,<1.6.0).
https://github.com/dbt-labs/dbt-bigquery/blob/1f80a200a127a2a107be6cb92d2de130f8907ea9/setup.py#L38-L77
This is unfortunate because some patch releases like 1.5.3 include fixes for security vulnerabilities: https://github.com/dbt-labs/dbt-core/releases/tag/v1.5.3, #7515
Currently, if a user also uses dbt-postgres in their project, despite the new dbt-core release, we cannot get the new patch.
Describe alternatives you've considered
No alternatives that I can see.
Who will this benefit?
All users of dbt-core who want to update to a non-vulnerable sqlparse version and are also using dbt-postgres.
Are you interested in contributing this feature?
No response
Anything else?
No response
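The pinning question in this thread can be checked mechanically. The following is an added example, not code from dbt-core or its plugins: it flags installed plugins whose dbt-core requirement excludes a patched release, then lists which releases of a lockstep plugin admit it. The `==1.5.0` spelling of the exact pin, the sample data and all function names are assumptions; the matcher handles plain release numbers only.

```python
import re

# Added illustration: every requirement string and version below is constructed.
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def parse(version):
    """'1.5.3' -> (1, 5, 3, 0); release numbers only, zero-padded for comparison."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def allows(spec, version):
    """True if `version` satisfies every comma-separated clause of `spec`."""
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(==|!=|>=|<=|>|<)\s*(\d+(?:\.\d+)*)\s*", clause)
        if m is None:
            raise ValueError(f"unsupported clause: {clause!r}")
        if not OPS[m.group(1)](parse(version), parse(m.group(2))):
            return False
    return True

def blockers(installed, fixed_core):
    """Installed plugins whose dbt-core requirement excludes the fixed release."""
    return sorted(name for name, (_ver, spec) in installed.items()
                  if not allows(spec, fixed_core))

def unblocking_releases(plugin_index, fixed_core):
    """Releases of one plugin whose dbt-core requirement admits the fixed release."""
    return sorted((rel for rel, spec in plugin_index.items()
                   if allows(spec, fixed_core)), key=parse)

# plugin -> (installed version, its requirement on dbt-core)
INSTALLED = {
    "dbt-postgres": ("1.5.0", "==1.5.0"),          # exact pin (assumed syntax)
    "dbt-bigquery": ("1.5.0", ">=1.5.0,<1.6.0"),   # range quoted in the issue
}
# dbt-postgres releases in lockstep with dbt-core (per the follow-up comment)
POSTGRES_INDEX = {"1.5.0": "==1.5.0", "1.5.3": "==1.5.3"}
FIXED_CORE = "1.5.3"  # patch release named in the issue

if __name__ == "__main__":
    for name in blockers(INSTALLED, FIXED_CORE):
        print(f"{name} blocks dbt-core {FIXED_CORE}")
    print("dbt-postgres releases that allow it:",
          unblocking_releases(POSTGRES_INDEX, FIXED_CORE))
```

With an exact pin, the patched dbt-core only becomes installable by upgrading the plugin to its matching release, which is the resolution the follow-up comment describes.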