
Fix dependency versions for pytz and platformdirs (and other deps) #1368

Open
jwhance opened this issue Mar 27, 2023 · 1 comment

Comments


jwhance commented Mar 27, 2023

Please provide the following information:

  1. The version of zeep: 4.2.1
  2. The WSDL you are using: N/A
  3. And most importantly, a runnable example script which exposes the problem: N/A

The problem is that my company uses Nexus to scan for vulnerabilities and one check that is enabled is "minimum age policy". When dependencies have no version specified or a ">=" version, pip pulls the latest dependency version even if Zeep itself is unchanged. This leads to an indeterminate runtime and also breaks our pipelines when new versions of Zeep's dependencies are released.

Apart from forking Zeep, which I don't want to do, there is no recourse but to wait it out which is very counterproductive.

Recommend updating Zeep's dependencies to include "==" versions for all dependencies so that a stable release can be obtained.

For example, instead of this in setup.py:

install_requires = [
    "attrs>=17.2.0",
    "cached-property>=1.3.0; python_version<'3.8'",
    "isodate>=0.5.4",
    "lxml>=4.6.0",
    "platformdirs>=1.4.0",
    "requests>=2.7.0",
    "requests-toolbelt>=0.7.1",
    "requests-file>=1.5.1",
    "pytz",
]

Use this instead:

install_requires = [
    "attrs==22.2.0",
    "cached-property==1.3.0; python_version<'3.8'",
    "isodate==0.6.1",
    "lxml==4.9.2",
    "platformdirs==3.1.1",
    "requests==2.28.2",
    "requests-toolbelt==0.10.1",
    "requests-file==1.5.1",
    "pytz==2022.7.1",
]
@jwhance jwhance changed the title Fix dependency versions for pytz and platformdirs Fix dependency versions for pytz and platformdirs (and other deps) Mar 27, 2023
FelixSchwarz commented

> Apart from forking Zeep, which I don't want to do, there is no recourse but to wait it out which is very counterproductive.
>
> Recommend updating Zeep's dependencies to include "==" versions for all dependencies so that a stable release can be obtained.

Just a personal opinion but I think that is not a good idea for an open source library like zeep. Scanning code without looking at the deployed environment is just security charade from my point of view.

If you want repeatable deployments, in my opinion you should either

  • only install versions from custom repos (= hosting all dependencies in a private repo) or
  • you need to create a custom requirements.txt file containing also dependency hashes, not just versions.
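An added example (not zeep's own code, and not from either commenter) covering both sides of the thread: it classifies specifiers like the ones quoted in the issue as exactly pinned or free to float, and verifies a hash-locked requirements line against a downloaded artifact the way `pip install --require-hashes` does. The specifier list, the wheel bytes and the function names are constructed for the example.

```python
"""Added example: pin checking and hash verification for Python dependencies."""
import hashlib
import re

# Constructed from the install_requires entries quoted in the issue.
LOOSE = ["attrs>=17.2.0", "cached-property>=1.3.0; python_version<'3.8'", "pytz"]
PINNED = ["attrs==22.2.0", "pytz==2022.7.1"]

# name, optional operator, version; stops at a ';' environment marker.
SPEC_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(===|==|>=|<=|~=|!=|<|>)?\s*([^;\s]*)")


def classify(spec):
    """Return (name, 'pinned') only for an exact '==' pin; a bare name, a
    range or '~=' all let the resolver pull whatever is newest at install time."""
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"unparseable specifier: {spec!r}")
    name, op, version = m.groups()
    return name, ("pinned" if op == "==" and version else "unpinned")


def unpinned(install_requires):
    """Names whose resolved version depends on what the index serves today."""
    return [name for name, kind in map(classify, install_requires) if kind == "unpinned"]


def parse_locked_line(line):
    """Split 'name==ver --hash=sha256:<hex> ...' into (name, version, {hexdigests})."""
    parts = line.split()
    name, _, version = parts[0].partition("==")
    prefix = "--hash=sha256:"
    hashes = {p[len(prefix):] for p in parts[1:] if p.startswith(prefix)}
    if not version or not hashes:
        raise ValueError("a locked line needs an '==' version and at least one sha256 hash")
    return name, version, hashes


def verify_artifact(locked_line, artifact_bytes):
    """True only if the artifact's SHA-256 matches one of the recorded hashes,
    so a re-uploaded or substituted file with the same version string is rejected."""
    _, _, hashes = parse_locked_line(locked_line)
    return hashlib.sha256(artifact_bytes).hexdigest() in hashes


# Constructed stand-in for a downloaded wheel and its lock entry.
GOOD_WHEEL = b"constructed wheel bytes for pytz 2022.7.1"
LOCKED_LINE = "pytz==2022.7.1 --hash=sha256:" + hashlib.sha256(GOOD_WHEEL).hexdigest()
```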
