[FEATURE] Request for bumping up urllib3 version in previous opensearch-py functions #516
Comments
If #518 goes through, can't you bump the version of opensearch-py you're depending on in opensearch-benchmark?
Hello @AkshathRaghav and @IanHoang, I've merged the changes to the main branch. Now, we have a few more steps to complete:
I assume you mean changing old versions of opensearch-py? I would propose that's not necessary since dependent projects can bump the version they depend on.
I assume you mean branches of opensearch-py?
@wbeckler @saimedhi To clarify, based on the releasing guide and since OSB is using opensearch-py 2.2.0, we should cherry-pick the commit (#518) from main onto 2.X and put out a PR with
Hello @IanHoang, after a thoughtful discussion with wbeckler, we've decided to release a new opensearch-py version that incorporates the changes from PR #518. Following the release, please consider updating opensearch-benchmark to use this latest opensearch-py version. We believe this approach is the most effective, and we kindly request your comment on the issue, expressing your desire to release opensearch-py 2.3.2.
Is your feature request related to a problem?
An issue was discovered in urllib3 before 1.26.5: when provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. This request is for opensearch-benchmark.
What solution would you like?
Bumping up the urllib3 version from >=1.21.1 to >= 1.26.5 in previous releases of opensearch-py specifically 2.2.0 and 1.0.0, which are used by opensearch-benchmark versions 1.1 and 1.0.
What alternatives have you considered?
I could hardcode it in the setup.py in opensearch-benchmarks so that it installs the correct version after it installs opensearch-py (https://github.com/opensearch-project/opensearch-benchmark/blob/5a99b0770ab3a0df4145e76f3cacb95dd8118073/setup.py#L61).
Do you have any additional context?
Not really. This is just a request, and the issue can be handled easily if denied.
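As an added example (not code from the issue, opensearch-py or opensearch-benchmark), a small stdlib-only audit that checks whether a setup.py pin such as the ones discussed above still admits known-vulnerable versions of a dependency. The vulnerable-version list is constructed for illustration, and the parser only understands simple dotted versions and comparison operators.

```python
# Audit dependency pins against known-vulnerable versions (stdlib only).
# Version parsing is minimal (dotted integers), not a full PEP 440 parser.
import re

# Constructed for this example: urllib3 releases that predate the 1.26.5 fix
# for the authority-regex backtracking. Illustrative, not an advisory feed.
VULNERABLE_URLLIB3 = ["1.21.1", "1.25.11", "1.26.4"]

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(.*)$")
_OPS = {  # ordered so that two-character operators are matched first
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}

def parse_version(text):
    """Turn '1.26.5' into (1, 26, 5) so tuples compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

def parse_requirement(line):
    """Split 'urllib3>=1.21.1,<2' into ('urllib3', [('>=', (1,21,1)), ('<', (2,))])."""
    name, spec = _REQ_RE.match(line).groups()
    clauses = []
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        op = next(o for o in _OPS if clause.startswith(o))
        clauses.append((op, parse_version(clause[len(op):])))
    return name, clauses

def admits(clauses, version):
    """True if every clause of the specifier accepts this version."""
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in clauses)

def audit(install_requires, vulnerable_by_package):
    """Map each risky requirement line to the vulnerable versions it admits."""
    findings = {}
    for line in install_requires:
        name, clauses = parse_requirement(line)
        bad = [v for v in vulnerable_by_package.get(name, []) if admits(clauses, v)]
        if bad:
            findings[line] = bad
    return findings

if __name__ == "__main__":
    # The pin opensearch-py 2.2.0 ships versus the one the issue asks for.
    print(audit(["urllib3>=1.21.1"], {"urllib3": VULNERABLE_URLLIB3}))
    print(audit(["urllib3>=1.26.5"], {"urllib3": VULNERABLE_URLLIB3}))
```

The first call reports every constructed vulnerable release as still installable under the old lower bound, while the second returns an empty dict; an upper bound such as `<1.26` is evaluated too, since a resolver honours every clause.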