Make gitpython dependency optional?

[bollwyvl]

#204's adding the hard dep on gitpython lights up vulnerability scanners for CVE-2022-24439. Here's the upstream issue:

• CVE-2022-24439: <gitpython::clone> 'ext::sh -c touch% /tmp/pwned' for remote code execution gitpython-developers/GitPython#1515

As there's no particular timeline for a fix, perhaps the gitpython dependency could be made optional, as with pip for the non-vendored bits of poetry?

[bollwyvl]

Strawman PR up in #297.

[bollwyvl]

Thanks!

[bollwyvl]

CVE-2024-22190 is up. can we reconsider the hard dep, and make it an extra?

[maresb]

Ugh, yes, given the history I think making it an extra makes a lot of sense.

[bollwyvl]

As mentioned before: as of now, conda install conda-lock pulls in 85 transient deps. I'd really like to see a conda-lock-explicit, which:

• pulled in as few dependencies as possible
• exposed only a bare-bones argparse CLI, if any
• read (multiple) environment.yml files
• generated @EXPLICIT files
  • without clever magic comments
  • portable to all conda-compatible clients, constructor, SBOM tools, etc.

Pretty much everything else could be an entry_point-driven plugin.

[maresb]

@bollwyvl, Seems like a bit of a project, but I'd totally support that. I think it'd help a lot with code quality too. I don't really have any time to push it forward right now though.

@mariusvniekerk, what do you think?