Relax pycryptodome requirements #13

cveilleux · 2018-04-24T19:52:37Z

setup.py currently requires:

pycryptodome==3.4.7

see: https://github.com/ahknight/httpsig/blob/master/setup.py#L40

install_requires should not be used to pin dependencies to exact version. See: https://packaging.python.org/discussions/install-requires-vs-requirements/

It is not considered best practice to use install_requires to pin dependencies to specific versions, or to specify sub-dependencies (i.e. dependencies of your dependencies). This is overly-restrictive, and prevents the user from gaining the benefit of dependency upgrades.

Unless there is a good reason which I am not aware of, something like:

install_requires=['pycryptodome>=3,<4', 'six']

should accept any pycryptodome version 3.x.x

The text was updated successfully, but these errors were encountered:

…ight#13

ericbuckley · 2018-08-29T01:46:50Z

Is there any reason PR #14 can't be merged? Version pycryptodome==3.4.7 has a known vulnerability. https://nvd.nist.gov/vuln/detail/CVE-2018-15560

smcoll · 2018-10-15T20:11:48Z

@ahknight this would resolve a security vulnerability for any project requiring this package: see Legrandin/pycryptodome#198

cveilleux added a commit to cveilleux/httpsig that referenced this issue Apr 24, 2018

Relax pycryptodome requirement: Accept any 3.x.x version. Closes ahkn…

685ecde

…ight#13

cveilleux mentioned this issue Apr 24, 2018

Relax pycryptodome requirement: Accept any 3.x.x version. #14

Merged

ahknight closed this as completed in #14 Nov 27, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Relax pycryptodome requirements #13

Relax pycryptodome requirements #13

cveilleux commented Apr 24, 2018

ericbuckley commented Aug 29, 2018

smcoll commented Oct 15, 2018

Relax pycryptodome requirements #13

Relax pycryptodome requirements #13

Comments

cveilleux commented Apr 24, 2018

ericbuckley commented Aug 29, 2018

smcoll commented Oct 15, 2018