Transitive dependency (termcolor) does not have wheel #171

matthewdeanmartin · 2021-12-07T15:34:27Z

I'm working on getting security packages to have the option of installing with only wheels (it's more secure that way), ref. Jake which means the whole dependency graph needs to have wheels

yaspin's dependency on termcolor (which has no wheels and has no maintainer, so it is hard for me to get a wheel in termcolor)

I did create a fork, termcolor-whl so you could switch to that or venderize termcolor.

Without something like that, people who depend on yaspin would have to vendorize to get around the problem.

pavdmyt · 2021-12-10T14:33:45Z

Hi @matthewdeanmartin

Thanks for pointing this out and detailed description for potential security issues 👍
I'll probably vendor termcolor, as it was before this commit: d19bbe7

This solves security issue #171

pavdmyt · 2022-07-21T18:17:54Z

The fix will be included into the next release.

pavdmyt added the security label Dec 10, 2021

pavdmyt added a commit that referenced this issue Jul 21, 2022

deps: replace termcolor with termcolor-whl

b01adaa

This solves security issue #171

pavdmyt mentioned this issue Jul 21, 2022

deps: replace termcolor with termcolor-whl #207

Merged

pavdmyt closed this as completed in #207 Jul 21, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Transitive dependency (termcolor) does not have wheel #171

Transitive dependency (termcolor) does not have wheel #171

matthewdeanmartin commented Dec 7, 2021 •

edited

pavdmyt commented Dec 10, 2021

pavdmyt commented Jul 21, 2022

Transitive dependency (termcolor) does not have wheel #171

Transitive dependency (termcolor) does not have wheel #171

Comments

matthewdeanmartin commented Dec 7, 2021 • edited

pavdmyt commented Dec 10, 2021

pavdmyt commented Jul 21, 2022

matthewdeanmartin commented Dec 7, 2021 •

edited