Bump cryptography from 39.0.1 to 41.0.0 #3057
Conversation
We don't care about the vulnerability itself since it's a dev dependency but upgrading does not hurt I guess?
@pquentin Looks like pypy3.7 isn't happy with this version of cryptography? https://github.com/urllib3/urllib3/actions/runs/5159370400/jobs/9294210564?pr=3057
src/urllib3/util/ssl_.py
Outdated
try:
context.hostname_checks_common_name = False
except AttributeError:
pass
context.hostname_checks_common_name = False
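Review bot: replacing the try/except with a bare `context.hostname_checks_common_name = False` turns a silently skipped setting into a hard AttributeError on any interpreter whose SSLContext lacks the attribute or exposes it read-only, while the package config still declares PyPy and Python 3.7 as supported; keep the `except AttributeError` guard (or gate the assignment on the interpreter check the thread discusses) until 3.7 support is actually dropped, so affected users do not get an unclear AttributeError.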
What do you think about removing this check only when support for all 3.7 implementations is dropped?
Since we still define support for PyPy and Python 3.7 in the package config, the current version of urllib3 can be installed by package managers justly, and affected users will get an unclear AttributeError and come with new issues about incompatibilities… 🙂
I agree we should keep this except AttributeError even if it's defensive.
Sorry for the late reply. I agree too, I was initially in "drop unsupported Pypy versions" mode but it's better to be tied to Python versions. Done in 24d59b9 (#3057)
@pquentin thanks for the change!
There seems to be a PyPy 7.3.8 release for Python 3.7 where setting hostname_checks_common_name does not work, so _is_bpo_43522_fixed has to return False for it
➜ ~ podman run --rm -it pypy:3.7-7.3.8
[...]
Python 3.7.12 (c8af402943f0c6c9155c76a45e3b64103783aacf, Feb 18 2022, 12:25:20)
[PyPy 7.3.8 with GCC 10.2.1 20210130 (Red Hat 10.2.1-11)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>> import ssl
>>>> ssl.SSLContext().hostname_checks_common_name = False
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
AttributeError: can't set attribute
Maybe we should keep pypy-3.7 tests for a while installing older cryptography to catch such things?
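The interpreter check and the guard discussed in this thread, as an added example that is not urllib3's own code: a hypothetical probe that actually attempts the assignment on a throwaway context instead of only testing for the attribute (because, as the PyPy 7.3.8 transcript shows, the attribute can exist yet be read-only), a guarded setter that keeps the except AttributeError the reviewers asked to retain, and a constructed stand-in class that reproduces the read-only attribute so the failing path can be exercised on CPython. The names supports_disabling_common_name_fallback, harden_client_context, report and ReadOnlyCommonNameContext are assumptions made here; none of them is urllib3's _is_bpo_43522_fixed.

```python
import ssl


def supports_disabling_common_name_fallback(context_factory=ssl.SSLContext) -> bool:
    """Return True only if a context built by ``context_factory`` accepts
    ``hostname_checks_common_name = False``.

    Hypothetical probe (not urllib3's ``_is_bpo_43522_fixed``): a hasattr()
    check is not enough, because a build can expose the attribute read-only,
    which is exactly the "AttributeError: can't set attribute" seen on
    PyPy 7.3.8 for Python 3.7 in this thread. So we try the assignment.
    """
    try:
        probe = context_factory(ssl.PROTOCOL_TLS_CLIENT)
        probe.hostname_checks_common_name = False
    except AttributeError:
        # Missing attribute and read-only attribute both land here.
        return False
    return True


def harden_client_context(context) -> bool:
    """Disable the common-name fallback defensively; report whether it took.

    Keeps the ``except AttributeError`` guard: on a build that cannot disable
    the CN fallback the context is left unchanged instead of failing with an
    unclear AttributeError for users on a still-declared-supported interpreter.
    """
    try:
        context.hostname_checks_common_name = False
    except AttributeError:
        return False
    return getattr(context, "hostname_checks_common_name", True) is False


class ReadOnlyCommonNameContext:
    """Constructed stand-in for an SSLContext whose attribute is read-only.

    Reproduces the transcript's failure mode without needing PyPy: a property
    with no setter raises AttributeError on assignment.
    """

    def __init__(self, protocol=ssl.PROTOCOL_TLS_CLIENT):
        self.protocol = protocol

    @property
    def hostname_checks_common_name(self):
        return True
    # Deliberately no setter.


def report(context_factory=ssl.SSLContext) -> dict:
    """Run both checks against one context factory and summarise the outcome."""
    ctx = context_factory(ssl.PROTOCOL_TLS_CLIENT)
    return {
        "can_disable": supports_disabling_common_name_fallback(context_factory),
        "applied": harden_client_context(ctx),
    }


if __name__ == "__main__":
    print("this interpreter's ssl.SSLContext:", report())
    print("read-only stand-in (constructed):", report(ReadOnlyCommonNameContext))
```

On a CPython build with a modern OpenSSL both values for the real context are True; on the stand-in both are False, which is the path a CI job on PyPy 3.7 with an older cryptography would have exercised.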
Yeah this seems like a prickly matrix of feature support we would want to ensure keeps working. Can't wait to be able to remove all of these conditionals... 😅
> What do you think about removing this check only when support for all 3.7 implementations is dropped?
Yeah that sounds like the easiest way, I can wait a few weeks.
@dependabot recreate
Just to be able to merge the cryptography upgrade cleanly, I extracted everything else to #3087
Bumps [cryptography](https://github.com/pyca/cryptography) from 39.0.1 to 41.0.0.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@39.0.1...41.0.0)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
5a57c68 to 2a4b4d7
A newer version of cryptography exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.
Looks like this PR has been edited by someone other than Dependabot. That means Dependabot can't rebase it - sorry! If you're happy for Dependabot to recreate it from scratch, overwriting any edits, you can request
Bumps cryptography from 39.0.1 to 41.0.0.
Changelog
Sourced from cryptography's changelog.
... (truncated)
Commits
- c4d494f 41.0.0 version bump (#8991)
- 8708245 new openssl day (#8990)
- 31436a4 admit to the existence of nuance in HKDF (#8987)
- 91e4189 Port DSA to Rust (#8978)
- f302d28 Update CI for new LibreSSL releases (#8975)
- 851d8cc Bump openssl from 0.10.52 to 0.10.53 in /src/rust (#8986)
- 0918c72 Bump coverage from 7.2.6 to 7.2.7 (#8985)
- 730a5ce Bump openssl-sys from 0.9.87 to 0.9.88 in /src/rust (#8984)
- 88e8c28 Bump BoringSSL and/or OpenSSL in CI (#8983)
- 3e24e44 Bump once_cell from 1.17.1 to 1.17.2 in /src/rust (#8982)

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.