Upgrade dependencies #64

Open
pantierra opened this issue Feb 10, 2023 · 4 comments

Comments

@pantierra

Hi there, many thanks for the library!

Are there any plans to upgrade dependencies to latest versions?

| dependency | required version | available version |
|---|---|---|
| boto3 | 1.16.10 | 1.26.68 |
| google-cloud-storage | 1.14.0 | 2.7.0 |
| grpcio-tools | 1.33.0 | 1.51.1 |
| protobuf | 3.19.0 | 4.21.12 |

Because of the old dependencies one is stuck on Python 3.8, and it would be nice to be able to move to a newer version.

Thank you

@pantierra
Author

It also depends on retry which depends on py that has a reported vulnerability:

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. The particular codepath in question is the regular expression at py._path.svnurl.InfoSvnCommand.lspattern and is only relevant when dealing with subversion (svn) projects. Notably the codepath is not used in the popular pytest project. The developers of the pytest package have released version 7.2.0 which removes their dependency on py. Users of pytest seeing alerts relating to this advisory may update to version 7.2.0 of pytest to resolve this issue. See pytest-dev/py#287 (comment) for additional context.

@bobleujr
Contributor

Thank you for bringing this up @pantierra. I synced with the team and we will be pushing a new version of the client with upgraded deps in the coming weeks.

@sunny-g
Contributor

sunny-g commented Sep 7, 2023

@pantierra thanks for this detailed report; I've just updated our client, removed retry, and published a new version (1.2.7) to PyPI.

We're also looking into the best ways to address the other out-of-date dependencies, and will reply here with updates as they come. Thanks again!

@pantierra
Author

Thanks for the update. At the moment the library uses these old dependencies:

| dependency | required version | available version |
|---|---|---|
| grpcio-tools | 1.33.0 | 1.62.0 |
| protobuf | 3.19.0 | 4.25.3 |
| shapely | 1.8.5.post1 | 2.0.3 |

3 participants