Project dependencies may have API risk issues #509

Open
PyDeps opened this issue Oct 25, 2022 · 0 comments

PyDeps commented Oct 25, 2022

Hi, in ADL_LRS, inappropriate dependency versioning constraints can cause risks.

Below are the dependencies and version constraints that the project is using:

Django==3.2.13
amqp==5.0.9
bcoding==1.5
celery==5.2.3
django-cors-headers==3.10.1
django-jsonify==0.3.0
django-recaptcha==3.0.0
isodate==0.6.1
oauth2==1.9.0.post1
psycopg2==2.9.3
pycryptodome==3.12.0
python-jose==3.3.0
pytz==2021.3
requests==2.26.0
rfc3987==1.3.8
supervisor==4.2.3

The version constraint == will introduce the risk of dependency conflicts because the scope of the dependencies is too strict.
The version constraints "No Upper Bound" and * will introduce the risk of a missing-API error because the latest version of a dependency may remove some APIs.

After further analysis, in this project,
The version constraint of dependency amqp can be changed to >=1.2.0,<=5.1.1.
The version constraint of dependency oauth2 can be changed to >=1.0.0,<=1.0.9.
The version constraint of dependency oauth2 can be changed to >=1.1.1,<=1.2.0.
The version constraint of dependency oauth2 can be changed to ==1.9.0.post1.
The version constraint of dependency python-jose can be changed to >=0.5.2,<=3.3.0.
The version constraint of dependency requests can be changed to >=0.2.1,<=0.2.3.
The version constraint of dependency requests can be changed to >=0.7.0,<=2.24.0.
The version constraint of dependency requests can be changed to ==2.26.0.
The version constraint of dependency rfc3987 can be changed to >=1.3.5,<=1.3.8.

The above modification suggestions can reduce dependency conflicts as much as possible,
and introduce the latest versions as much as possible without raising an Error in the project.

The current project invokes all of the following methods.

The methods called from amqp:
exceptions.NotFound
The methods called from oauth2:
oauth2.SignatureMethod_HMAC_SHA1.sign
oauth2.Request.from_token_and_callback
oauth2.SignatureMethod_HMAC_SHA1
oauth2.Token
oauth2.SignatureMethod_PLAINTEXT
oauth2.build_authenticate_header
oauth2.Server
oauth2.Request.from_request
oauth2.Server.verify_request
oauth2.Consumer
oauth2.generate_verifier
oauth2.Request
oauth2.Server.add_signature_method
oauth2.Request.from_consumer_and_token
oauth2.Error
The methods called from python-jose:
jose.jws.verify
jose.jws.get_unverified_claims
jose.jws.get_unverified_headers
The methods called from requests:
requests.post
The methods called from rfc3987:
rfc3987.parse

@developer
Could you please help me check this issue?
May I open a pull request to fix it?
Thank you very much.
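Before loosening any of the pins above, a maintainer would want to confirm that the attribute paths the report lists (for example oauth2.Server.verify_request and jose.jws.verify) still resolve against whatever version of the dependency ends up installed. The script below is an added example written for this issue; it is not code from the ADL_LRS project or from the PyDeps report. It takes the dotted paths quoted in the comment, imports each top-level package, walks the path with getattr, and imports on-demand submodules such as jose.jws or amqp.exceptions only when the parent is a real package (it has __path__). A package that is not installed at all is reported separately from one that is installed but has lost an API, which is exactly the "missing API error" the report warns about. The USED_APIS table is a transcription of the paths in the issue; the function and variable names are this example's own.

```python
"""Check that the APIs a project calls still exist in an installed dependency.

Added example, not code from the ADL_LRS project or the PyDeps report. It
resolves the attribute paths listed in the issue against the installed
packages so that a loosened version pin can be validated before it is merged.
"""
import importlib
import types

# Attribute paths quoted in the issue, keyed by the top-level module name.
# (Transcribed from the report; these are the only names it says are used.)
USED_APIS = {
    "amqp": ["amqp.exceptions.NotFound"],
    "oauth2": [
        "oauth2.SignatureMethod_HMAC_SHA1.sign",
        "oauth2.Request.from_token_and_callback",
        "oauth2.SignatureMethod_HMAC_SHA1",
        "oauth2.Token",
        "oauth2.SignatureMethod_PLAINTEXT",
        "oauth2.build_authenticate_header",
        "oauth2.Server",
        "oauth2.Request.from_request",
        "oauth2.Server.verify_request",
        "oauth2.Consumer",
        "oauth2.generate_verifier",
        "oauth2.Request",
        "oauth2.Server.add_signature_method",
        "oauth2.Request.from_consumer_and_token",
        "oauth2.Error",
    ],
    "jose": [
        "jose.jws.verify",
        "jose.jws.get_unverified_claims",
        "jose.jws.get_unverified_headers",
    ],
    "requests": ["requests.post"],
    "rfc3987": ["rfc3987.parse"],
}


def path_exists(root, dotted):
    """Return True if `dotted` (e.g. 'jose.jws.verify') resolves under `root`.

    `root` is the already-imported top-level module named by the first path
    component. Submodules that the package's __init__ does not import
    (jose.jws, amqp.exceptions) are imported on demand, but only when the
    current object is a real package (has __path__); a plain module object,
    such as a test double, is never bypassed by an import.
    """
    parts = dotted.split(".")
    obj = root
    for depth, name in enumerate(parts[1:], start=2):
        if hasattr(obj, name):
            obj = getattr(obj, name)
            continue
        if isinstance(obj, types.ModuleType) and hasattr(obj, "__path__"):
            try:
                obj = importlib.import_module(".".join(parts[:depth]))
                continue
            except ImportError:
                return False
        return False
    return True


def missing_apis(root, paths):
    """Return the dotted paths under `root` that do not resolve."""
    return [p for p in paths if not path_exists(root, p)]


def audit(used_apis):
    """Map each module name to its list of missing paths.

    A module that is not installed at all maps to None, so the caller can
    distinguish "not installed" from "installed but the API was removed".
    """
    report = {}
    for module_name, paths in used_apis.items():
        try:
            root = importlib.import_module(module_name)
        except ImportError:
            report[module_name] = None
            continue
        report[module_name] = missing_apis(root, paths)
    return report


if __name__ == "__main__":
    # Run this in the project's virtualenv after bumping a dependency.
    for module_name, missing in audit(USED_APIS).items():
        if missing is None:
            print(f"{module_name}: not installed")
        elif missing:
            print(f"{module_name}: MISSING {', '.join(missing)}")
        else:
            print(f"{module_name}: ok")
```

Running `python check_apis.py` (any file name works) inside the project's virtualenv after changing a pin gives a per-package pass/fail that can be wired into CI; a non-empty MISSING list for a package means the candidate version has dropped something the project calls, which is the case the report's "No Upper Bound" warning is about.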
