-
Notifications
You must be signed in to change notification settings - Fork 4.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Please update pinned versions #5943
Comments
Hi @edrozenberg, Thanks for your comment. We will continue to be conservative with version ranges and won't be removing the ceiling by default. This is to be sure that we maintain backwards compatibility as much as possible, and we have the chance to review any interface changes to the dependencies. However, we can improve the process for raising the ceiling when new versions become available. It would be a nice feature to get notified on new dependency versions and automatically run interface testing on them so that we can respond to these changes more quickly. For the time being, if you have specific packages that you feel that need to be bumped up, please file an issue for them and describe the conflicts that you're getting with them. |
@kdaily thanks, maybe the common usage is to dedicate a machine or VM to be the "aws cli" machine, because the pinned versions of the aws cli reqs can prevent running other packages that require newer versions on the same machine. |
I would really appreciate, if you could update |
👍 for me on this issue... right now I can't install the latest
|
@dconathan |
@kdaily I'm one of the maintainers of pyca/cryptography and we're interested in seeing what can be done to get the version cap bumped here. Since our first release with Rust we've made a number of improvements that should help users out: We ship wheels on more platforms (notably musllinux, arm64+universal2 for macOS), lowered our MSRV, and improved the output when compilation fails. Hopefully all of this makes it more tractable to increase the version cap. Thanks! |
Thanks for checking in @alex! We had originally paused this waiting for the Rust migration to play out and I think it slipped off the radar. I'll bring this up with the team and see if we can start getting this prioritized. |
Awesome! If there's more we can be doing, let us know |
Any chance also updating the docutils dependency? Docutils versions supported by awscli no longer build with setuptools 60. |
Providing a quick update on cryptography. #6636 is currently blocked on dropping manylinux1 support. Once that's done we'll be able to update. |
Is there a seperate place to track the manylinux1 effort? |
Can |
@alex I opened an issue to track dropping manylinux1 support: #6742. We also merged the PR from @nateprewitt: #6636 to loosen the version range of In addition to dropping support for manylinux1, I'd like to see us launch official support for installing the AWS CLI v2 from source: #6352. This will allow more granular control over which versions of a dependency are used for your v2 installation and also provide some path forward to using v2 even if the official pre-built installers do not support your environment (whether the installer dropped support for the environment or never supported it in the first place). |
I concur with this issue. Some dependencies are becoming so outdated that they are beginning to interfere with other packages which require newer versions. See below to see how behind the dependencies are from the current release of awscli. Why is it that when a new version of awscli is released, it's not tested against the latest versions of its dependencies? Please keep up to date on dependencies. awscli 1.22.92 released on 20220408 outdated deps: colorama 0.4.3 released on 20191206 docutils 0.15.2 released on 20190730 PyYAML 5.4 released on 20210119 rsa 4.7.2 released on 20210224 |
From #5943 (comment),
I noticed dependabot is configured for a few dependencies in aws-cli-v2: https://github.com/aws/aws-cli/blob/develop/.github/dependabot.yml. How about extending it for more dependencies? |
Could awscrt be updated as well? Currently aws-cli v2 requires [1] See: https://bugs.archlinux.org/task/76618 [1] https://github.com/aws/aws-cli/blob/2.9.0/pyproject.toml#L37 |
The cryptography package is pinned at 38.0.1 but I'm seeing a security advisory recommending to update to 38.0.3 or later. {
"Target": "Python",
"Class": "lang-pkgs",
"Type": "python-pkg",
"Vulnerabilities": [{
"VulnerabilityID": "GHSA-39hc-v87j-747x",
"PkgName": "cryptography",
"PkgPath": "usr/local/aws-cli/v2/2.9.6/dist/cryptography-38.0.1.dist-info/METADATA",
"InstalledVersion": "38.0.1",
"FixedVersion": "38.0.3",
"Layer": {
"DiffID": "sha256:433fd60ff46245940844818b911c7b163bb4991020d438661d3ad7281eecdc56"
},
"SeveritySource": "ghsa",
"PrimaryURL": "https://github.com/advisories/GHSA-39hc-v87j-747x",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory Pip",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
},
"Title": "Vulnerable OpenSSL included in cryptography wheels",
"Description": "pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 37.0.0-38.0.3 are vulnerable to a number of security issues. More details about the vulnerabilities themselves can be found in https://www.openssl.org/news/secadv/20221101.txt.\n\nIf you are building cryptography source (\"sdist\") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.",
"Severity": "MEDIUM",
"References": [
"https://github.com/advisories/GHSA-39hc-v87j-747x",
"https://github.com/pyca/cryptography/commit/382e759bcded5773330eeed748c86b213ec618c5",
"https://github.com/pyca/cryptography/commit/cf2ada625d1188d6cd46396f301b98095da577f7",
"https://github.com/pyca/cryptography/security/advisories/GHSA-39hc-v87j-747x"
]
}]
} |
Looks like they have an open PR. Over a year since it was opened. Hopefully it will be merged soon. |
Any update on when the update to PyYAML is going to go through? This is actively blocking updates to Python 3.11. |
When can this get updated? |
Any update? |
The latest version seems to fix this issue: https://github.com/aws/aws-cli/blob/develop/CHANGELOG.rst |
Can |
A few weeks ago I submitted a pull request to upgrade ruamel-yaml: #8072. Can someone review it? |
Any update on this? |
Now pyyaml support 6.0 in #8037 |
Thanks for the dependabot integration. I noticed that tests in some dependabot pull requests fail with |
Would also be nice for awscliv2 to update urllib to v2 |
botocore bundled in aws-cli-v2 does not support urllib3 2.x yet. At least the following changes should be backported: boto/botocore#2922 Several other changes from botocore are also needed (ex: #8342 (comment)). It takes me too much time to manually backport those changes. Hopefully the bundled botocore can catch up upstream botocore in a more manageable way. For example, with a script and/or a CI bot. PS. support for urllib3 was once discussed in #8011 as well |
thanks @yan12125. agree that this is the way to go with packaged botocore. |
AWS CLI is unique on my system in pinning many things to specific versions, and pinning them to versions that are very old and no longer in common usage by "most people". I tested just now with the latest aws cli versions available.
And in particular from a security standpoint, pinning versions for security packages like
cryptography
andrsa
opens security holes if they cannot be upgraded to always be current.Would be great to see AWS CLI remove the pins because they create ongoing, irresolvable conflicts.
awscli==2.1.26
awscli==1.19.7
The text was updated successfully, but these errors were encountered: