Thanks to visit codestin.com
Credit goes to github.com

Skip to content

cryptography python version restrictions (requires-python = ">=3.7,!=3.9.0,!=3.9.1") #12982

Description

@kukushking

cryptography is a transitive dependency of many tools, as it's direct dependency of poetry, moto, etc. Unfortunately cryptography versions >= 42.0.0, < 44.0.1 are vulnerable to CVE-2024-12797.

Python version restrictions introduced at #12045 now require to make cryptography an explicit dependency and basically match the cryptography's python version specification (ex. here), in order to use newer cryptography versions that are not affected by the vulnerability (44.0.1+).

This makes version specification unnecessarily complex in tools with wide Python version requirements. Feels like prohibiting python versions is a nuclear option. Is there any other way to consume non-vulnerable versions of cryptography that I might have missed?

Metadata

Metadata

Assignees

No one assigned

    Labels

    Stalewaiting-on-reporterIssue is waiting on a reply from the reporter. It will be automatically cloesd if there is no reply.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions