Fixed dependency versions #85

Open
NF997 opened this issue Oct 16, 2019 · 4 comments · May be fixed by #88

NF997 commented Oct 16, 2019

Is there a particular reason that the dependency versions are fixed:

install_requires=[
    'click==4.0',
    'python-owasp-zap-v2.4==0.0.14',
    'requests==2.20.1',
    'tabulate==0.7.5',
    'termcolor==1.1.0',
    'six==1.10.0',
]

When using zap-cli together with other packages, it would be much more convenient to specify minimum versions like this:

install_requires=[
    'click>=4.0',
    'python-owasp-zap-v2.4>=0.0.14',
    'requests>=2.20.1',
    'tabulate>=0.7.5',
    'termcolor>=1.1.0',
    'six>=1.10.0',
]
@NF997 NF997 linked a pull request Oct 23, 2019 that will close this issue
NF997 (Author) commented Oct 28, 2019

@Grunny Any thoughts about this?

Grunny (Owner) commented Oct 28, 2019

Hi @NF997! Sounds good. The only one I want to pin is python-owasp-zap-v2.4, since it has had backwards incompatible changes released before as it's not following semantic versioning, and I don't want things to suddenly break for people. So, I think in your PR, you can just pin that one to the latest, and we'll keep bumping it after testing for each release. What do you think?

NF997 (Author) commented Oct 28, 2019

I updated the PR accordingly 👍

tspearconquest commented
Hi @NF997 could you possibly update this to use requests version 2.25.0 or higher? There is a new vulnerability found in urllib3 versions before v1.26.5. The requests module v2.25.0 is the earliest version with the dependency requirements that will allow urllib3 v1.26.5 to be installed and used with zap-cli.

I have also filed #104 to request the same update but if you can do that, then my issue filing can be closed when this is merged.

@Grunny please merge this. Thank you both.
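The thread turns on one question: which version specifier in `install_requires` lets a downstream user pick up a patched release, and which one blocks it. The script below is an added example written for this page, not code from zap-cli or from any participant. It implements a small evaluator for the specifier forms that appear in the thread (`==`, `>=`, and the other simple comparison operators over dotted-integer versions) and runs it over the three `install_requires` variants discussed above: the original exact pins, the `>=` minimums from the first PR, and the `requests>=2.25.0` floor asked for in the last comment. The candidate release numbers fed in (`requests` 2.25.0, `python-owasp-zap-v2.4` 0.0.15) are constructed test inputs chosen to illustrate the two cases; the script does not resolve transitive dependencies such as urllib3, which is a simplification.

```python
"""
Evaluate simple install_requires specifiers against candidate releases.

Added example for this issue thread; not zap-cli's own code.  Only the
dotted-integer version form and the comparison operators ==, !=, >=, <=,
>, < are supported (enough for the specifiers quoted in the thread; full
PEP 440 handling would need the `packaging` library).
"""
import re
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, ...]
Spec = Tuple[str, Version]

# "name" followed by an optional comma-separated list of "<op><version>"
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
_SPEC_RE = re.compile(r"^(==|!=|>=|<=|>|<)\s*([0-9]+(?:\.[0-9]+)*)$")

_OPS: Dict[str, Callable[[int], bool]] = {
    "==": lambda c: c == 0,
    "!=": lambda c: c != 0,
    ">=": lambda c: c >= 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    "<": lambda c: c < 0,
}


def parse_version(text: str) -> Version:
    """'2.20.1' -> (2, 20, 1)."""
    return tuple(int(part) for part in text.strip().split("."))


def cmp_versions(a: Version, b: Version) -> int:
    """Three-way compare; shorter tuples are zero-padded so 2.20 == 2.20.0."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def parse_requirement(req: str) -> Tuple[str, List[Spec]]:
    """'requests>=2.20.1,<3' -> ('requests', [('>=', (2, 20, 1)), ('<', (3,))])."""
    match = _REQ_RE.match(req)
    if not match:
        raise ValueError(f"unparseable requirement: {req!r}")
    name, rest = match.group(1), match.group(2)
    specs: List[Spec] = []
    for part in (p.strip() for p in rest.split(",")):
        if not part:
            continue
        spec = _SPEC_RE.match(part)
        if not spec:
            raise ValueError(f"unsupported specifier {part!r} in {req!r}")
        specs.append((spec.group(1), parse_version(spec.group(2))))
    return name.lower(), specs


def allows(specs: List[Spec], version: Version) -> bool:
    """True when every clause of the specifier admits `version`."""
    return all(_OPS[op](cmp_versions(version, bound)) for op, bound in specs)


def check_requirements(install_requires: List[str],
                       candidates: Dict[str, str]) -> Dict[str, bool]:
    """For each candidate release, report whether install_requires admits it."""
    verdicts: Dict[str, bool] = {}
    for req in install_requires:
        name, specs = parse_requirement(req)
        if name in candidates:
            verdicts[name] = allows(specs, parse_version(candidates[name]))
    return verdicts


# The three install_requires variants discussed in the thread.
PINNED = ["click==4.0", "python-owasp-zap-v2.4==0.0.14", "requests==2.20.1",
          "tabulate==0.7.5", "termcolor==1.1.0", "six==1.10.0"]
RELAXED = ["click>=4.0", "python-owasp-zap-v2.4>=0.0.14", "requests>=2.20.1",
           "tabulate>=0.7.5", "termcolor>=1.1.0", "six>=1.10.0"]
# Maintainer's compromise plus the floor requested in the last comment.
PROPOSED = ["click>=4.0", "python-owasp-zap-v2.4==0.0.14", "requests>=2.25.0",
            "tabulate>=0.7.5", "termcolor>=1.1.0", "six>=1.10.0"]

# Constructed candidate releases, not a statement about what PyPI holds:
# requests 2.25.0 is the floor named in the thread; 0.0.15 is an invented
# next release of the non-semver ZAP client to show that an exact pin
# blocks it.
CANDIDATES = {"requests": "2.25.0", "python-owasp-zap-v2.4": "0.0.15"}

if __name__ == "__main__":
    for label, reqs in (("pinned", PINNED), ("relaxed", RELAXED), ("proposed", PROPOSED)):
        print(label, check_requirements(reqs, CANDIDATES))
```

Run as a script it prints one verdict line per variant: the exact pins reject `requests` 2.25.0 outright, so a downstream project could only get that release by overriding zap-cli's metadata; the `>=` variants admit it; and in the proposed set the ZAP client pin still rejects the invented 0.0.15, which is exactly the trade the maintainer chose for a library that does not follow semantic versioning.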


3 participants