fix: bump requests-cache to ^0.9 to mitigate a Arbitrary Code Execution issue in version 0.5.2

[wookiesh]

see https://security.snyk.io/vuln/SNYK-PYTHON-REQUESTSCACHE-1089050

tests were run before and after installation to compare, and the result were similar:
17 failed, 92 passed, 3 skipped, 196 warnings, 49 errors

Most of the issues in the test suite were related to:
Failed: Integration test currently only works with a spreadbet account

[bug-or-feature]

@wookiesh thanks for your interest in the project

I'm curious why you have chosen version ^0.9 when 1.2.0 is available? And why the whitespace edits to other unrelated lines in project.toml?

[wookiesh]

Hello Andy, Thanks for the project, happily using it. Regarding the version, that was just not to change the major version as it may introduce breaking changes. For the other edits, it’s vscode that reformatted the code and it seemed to fit the rest of the file so I let them in. Of course I could remove them from the PR if you prefer ?

…

On 6 May 2024, at 16:45, Andy Geach ***@***.***> wrote: @wookiesh <https://github.com/wookiesh> thanks for your interest in the project I'm curious why you have chosen version ^0.9 when 1.2.0 is available? And why the whitespace edits to other unrelated lines in project.toml? — Reply to this email directly, view it on GitHub <#331 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAECSIYMXFC22NKVSCOAEFDZA6JSPAVCNFSM6AAAAABHH3PRB6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAOJWGIYDSNJXGU>. You are receiving this because you were mentioned.

[bug-or-feature]

Hello Andy, Thanks for the project, happily using it. Regarding the version, that was just not to change the major version as it may introduce breaking changes. For the other edits, it’s vscode that reformatted the code and it seemed to fit the rest of the file so I let them in. Of course I could remove them from the PR if you prefer ?

Fair enough re the version. I realise that requests-cache should be an optional dependency like pandas, tenacity. I'll consider that option for a future release. Do you actually use the cache feature? If so, would you mind adding a comment to #317? I'd like to understand how (and why) people are using it.

Yes please revert the whitespace changes. I'll make the formatting more consistent in another commit

[wookiesh]

Sure, I’ll comment, and indeed that would be great to add it as optional dependency :) Btw, while I was fixing my PR, Snyk notified me of two other dependency issues: Improper Input Validation affecting package aiohttp. Upgrade to ***@***.*** Open SourceSNYK-PYTHON-AIOHTTP-6091621 <https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6091621> Improper Input Validation affecting package aiohttp. Upgrade to ***@***.*** Open SourceSNYK-PYTHON-AIOHTTP-6091622 <https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6091622> Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') affecting package aiohttp. Upgrade to ***@***.*** Open SourceSNYK-PYTHON-AIOHTTP-6209406 <https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6209406> HTTP Request Smuggling affecting package aiohttp. Upgrade to ***@***.*** Open SourceSNYK-PYTHON-AIOHTTP-6209407 <https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6209407> Cross-site Scripting (XSS) affecting package aiohttp. Upgrade to ***@***.*** Open SourceSNYK-PYTHON-AIOHTTP-6645291 <https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6645291> Infinite loop affecting package aiohttp. Upgrade to ***@***.*** Open SourceSNYK-PYTHON-AIOHTTP-6808823 <https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6808823> SNYK-PYTHON-AIOHTTP-6091621: Improper Input Validation affecting aiohttp package Vulnerability | CVE-2023-49082 <vscode-file://vscode-app/Applications/Visual%20Studio%20Code.app/Contents/Resources/app/out/vs/code/electron-sandbox/workbench/workbench.html> | CWE-20 <vscode-file://vscode-app/Applications/Visual%20Studio%20Code.app/Contents/Resources/app/out/vs/code/electron-sandbox/workbench/workbench.html> | SNYK-PYTHON-AIOHTTP-6091621 <vscode-file://vscode-app/Applications/Visual%20Studio%20Code.app/Contents/Resources/app/out/vs/code/electron-sandbox/workbench/workbench.html> Fixed in: @3.9.0 | Exploit maturity: MEDIUM Overview Affected versions of this package are vulnerable to Improper Input Validation via the ClientSession method. An attacker can modify the HTTP request or create a new HTTP request if they control the HTTP method. And NULL Pointer Dereference affecting package numpy. Upgrade to ***@***.*** Open SourceSNYK-PYTHON-NUMPY-2321964 <https://snyk.io/vuln/SNYK-PYTHON-NUMPY-2321964> Buffer Overflow affecting package numpy. Upgrade to ***@***.*** Open SourceSNYK-PYTHON-NUMPY-2321966 <https://snyk.io/vuln/SNYK-PYTHON-NUMPY-2321966> Denial of Service (DoS) affecting package numpy. Upgrade to ***@***.*** Open SourceSNYK-PYTHON-NUMPY-2321970 <https://snyk.io/vuln/SNYK-PYTHON-NUMPY-2321970> SNYK-PYTHON-NUMPY-2321964: NULL Pointer Dereference affecting numpy package Vulnerability | CVE-2021-41495 <vscode-file://vscode-app/Applications/Visual%20Studio%20Code.app/Contents/Resources/app/out/vs/code/electron-sandbox/workbench/workbench.html> | CWE-476 <vscode-file://vscode-app/Applications/Visual%20Studio%20Code.app/Contents/Resources/app/out/vs/code/electron-sandbox/workbench/workbench.html> | SNYK-PYTHON-NUMPY-2321964 <vscode-file://vscode-app/Applications/Visual%20Studio%20Code.app/Contents/Resources/app/out/vs/code/electron-sandbox/workbench/workbench.html> Fixed in: @1.22.2 | Exploit maturity: LOW Overview numpy <vscode-file://vscode-app/Applications/Visual%20Studio%20Code.app/Contents/Resources/app/out/vs/code/electron-sandbox/workbench/workbench.html> is a fundamental package needed for scientific computing with Python. Affected versions of this package are vulnerable to NULL Pointer Dereference due to missing return-value validation in the PyArray_DescrNew function, which may allow attackers to conduct Denial of Service attacks by repetitively creating and sort arrays. Note: This may likely only happen if application memory is already exhausted, as it requires the newdescr object of the PyArray_DescrNew to evaluate to NULL. Remediation Upgrade numpy to version 1.22.2 or higher. (Pandas)

…

On 7 May 2024, at 11:17, Andy Geach ***@***.***> wrote: Hello Andy, Thanks for the project, happily using it. Regarding the version, that was just not to change the major version as it may introduce breaking changes. For the other edits, it’s vscode that reformatted the code and it seemed to fit the rest of the file so I let them in. Of course I could remove them from the PR if you prefer ? Fair enough re the version. I realise that requests-cache should be an optional dependency like pandas, tenacity. I'll consider that option for a future release. Do you actually use the cache feature? If so, would you mind adding a comment to #317 <#317>? I'd like to understand how (and why) people are using it. Yes please revert the whitespace changes. I'll make the formatting more consistent in another commit — Reply to this email directly, view it on GitHub <#331 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAECSI5GA747IPMGZ5CPRETZBCL3VAVCNFSM6AAAAABHH3PRB6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAOJXHAZTGMJUGM>. You are receiving this because you were mentioned.

[bug-or-feature]

@wookiesh aiohttp is a transitive dependency on the lightstreamer client, so out of our hands. And the numpy dependency from pandas, which is optional and so up to the end user

[bug-or-feature]

If you want this to be merged, please fix the whitespace changes

[wookiesh]

sorry, done

[bug-or-feature]

There's some kind of build issue with Python 3.10 and pandas: https://github.com/ig-python/trading-ig/actions/runs/10399815604/job/28807850525

I don't have time to look into it currently

[wookiesh]

Hi, did you manage to find some time to have a look ?