Skip to content

Drop unused pyopenssl & cryptography dependencies #434

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
PeterJCLaw opened this issue Jun 5, 2024 · 5 comments
Closed

Drop unused pyopenssl & cryptography dependencies #434

PeterJCLaw opened this issue Jun 5, 2024 · 5 comments
Assignees
@Mat001
Labels
Acknowledged

Comments

@PeterJCLaw
Copy link

Thanks for providing this package. It looks like this package pins (ranged) versions for cryptography and pyopenssl, yet doesn't actually use those packages (directly or transitively). This creates unnecessary dependency locks for consumers of this package as they're forced to install those packages even if nothing else is using them.

In turn, this means that consumers of this package may be exposed to security vulnerabilities in those packages due to their inclusion in this package.

If these packages are truly unused (I wasn't able to find a reference to them in the source of this project, nor are they mentioned by any of the other packages this one depends upon), please could they be removed from the package dependencies and an updated package be published?
@PeterJCLaw
Copy link
Author

@Mat001 maybe (as you seem to be a recent contributor) is there anything I can do to help progress this? I'd be happy to put together a PR, though that feels like the easy part here -- I'm not sure what testing you'd want to do to validate the change nor if there's other concerns which lead to these packages being included (I couldn't find much in the git history).

@Tamara-Barum
Copy link

Tamara-Barum commented Jun 17, 2024
edited
Loading

@PeterJCLaw Thanks for the call out- I have our Py eng taking a deeper look. we are opening an internal ticket and will prioritize and share updates here. Internal Ticket: FSSDK-10317

@Mat001 Mat001 self-assigned this Jun 24, 2024
@Mat001 Mat001 mentioned this issue Jun 25, 2024
Merged
@Mat001
Copy link
Contributor

Mat001 commented Jun 25, 2024
edited
Loading

@PeterJCLaw Yeah, thx for reaching out.
I have a PR out, you can see it.
I think your point is valid. Do you remember or have been familiar with requests[security] extras from requests library?
We used to use then prior to 2020. It included PyOpenSSL, cryptograph. But then Python stdlib started to natively support SSL/TLS (especially in older Py versions).
So we removed requests[security] and basically replaced it / broke it down into what it contained.
But I missed that PyOpenSSL and cryptography were no longer required.

Test have passed. PR is in review.
I think we'll make a patch release.

@Mat001
Copy link
Contributor

Mat001 commented Jun 26, 2024
edited
Loading

@PeterJCLaw We've pushed out a patch release with your suggestion: https://github.com/optimizely/python-sdk/releases/tag/5.0.1
That is for the latest version of python-sdk 5.0.1. You will of course need to upgrade / use this version to get this change.
Hope that resolves it!
Thx for pointing this out and let us know if you spot anything else.
Cheers

@Mat001
Copy link
Contributor

Mat001 commented Jun 26, 2024

Closing.

@Mat001 Mat001 closed this as completed Jun 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Mat001 Mat001

Labels
Acknowledged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@PeterJCLaw @Mat001 @Tamara-Barum