move beaker to an optional/extras requirement under 'examples' #823

Merged: 1 commit merged into CZ-NIC:master from bmb/remove-beaker-as-requirement on Jul 25, 2022

Conversation

@biyeun (Contributor) commented Jul 25, 2022

There is a CVE out for beaker with no option to upgrade to a fixed version as the project appears largely unmaintained.

It appears that beaker is only used in the examples and is therefore not a necessary requirement to use oic. This change moves beaker to extras_requires in setup.py under examples, so that this package is not unnecessarily installed as a required sub-dependency on projects listing oic as a dependency.

@schlenk (Collaborator) commented Jul 25, 2022

The CVE is kind of bogus, as one can use a json_serializer to enforce json for storage instead of pickle, so it is not unmitigated.
But yes, beaker looks pretty unmaintained (bbangert/beaker#214 is the proper statement) and has other issues that could be seen as security hazards (e.g. contradictory documentation on how to actually invalidate/delete a session after logout).

But I agree that beaker is only needed for examples, so should not be needed for the base package.
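The point schlenk makes above (a JSON serializer removes the pickle hazard, at the cost of only being able to store JSON-native values) can be shown with a small, self-contained script. This is an added example, not code from oic or beaker; the `PickleSerializer` / `JsonSerializer` classes, `load_session`, `can_store`, `hostile_blob` and the `_Gadget` payload are hypothetical names written for this illustration, and the serializer interface (an object with `dumps`/`loads`) is an assumption, not a reproduction of beaker's actual option names.

```python
import json
import pickle

# Constructed marker: records that unpickling untrusted bytes executed code.
_executed = []


def _side_effect(tag):
    """Called by the unpickler when the gadget below is loaded (constructed, benign)."""
    _executed.append(tag)
    return {"user": "attacker"}


class _Gadget:
    """Constructed pickle gadget: __reduce__ makes pickle.loads call _side_effect()."""

    def __reduce__(self):
        return (_side_effect, ("unpickle-ran-code",))


class PickleSerializer:
    """Hypothetical pickle-backed session serializer (the behaviour the CVE is about)."""

    @staticmethod
    def dumps(data):
        return pickle.dumps(data)

    @staticmethod
    def loads(blob):
        return pickle.loads(blob)  # runs whatever the stored bytes describe


class JsonSerializer:
    """Hypothetical JSON-backed serializer: only JSON data types, never code."""

    @staticmethod
    def dumps(data):
        return json.dumps(data).encode("utf-8")

    @staticmethod
    def loads(blob):
        return json.loads(blob.decode("utf-8"))


def load_session(serializer, blob):
    """Return the stored session dict, or None if the serializer rejects the blob."""
    try:
        data = serializer.loads(blob)
    except (ValueError, UnicodeDecodeError):
        # json.loads raises ValueError (JSONDecodeError) on non-JSON input;
        # pickle bytes are usually not valid UTF-8 either.
        return None
    return data if isinstance(data, dict) else None


def can_store(serializer, value):
    """Caveat check: can this serializer persist the given session value at all?"""
    try:
        serializer.dumps(value)
    except TypeError:
        return False
    return True


def hostile_blob():
    """Constructed attacker-controlled storage content: a pickled gadget."""
    return pickle.dumps(_Gadget())


def executed_log():
    return list(_executed)


if __name__ == "__main__":
    legit = {"sub": "alice", "scope": ["openid"]}
    print("json round trip:", load_session(JsonSerializer, JsonSerializer.dumps(legit)))
    print("json on hostile blob:", load_session(JsonSerializer, hostile_blob()))
    print("pickle on hostile blob:", load_session(PickleSerializer, hostile_blob()))
    print("code ran during unpickle:", executed_log())
    print("json can store a set:", can_store(JsonSerializer, {"ids": {1, 2}}))
```

Running it shows the pickle path returning attacker-chosen data and leaving a trace in `executed_log()`, while the JSON path returns `None` for the same bytes without executing anything. The last line is the practical cost of the mitigation: session values that are not JSON-native (sets, datetimes, arbitrary objects) have to be converted before storage.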

@schlenk schlenk added enhancement security dependencies Pull requests that update a dependency file labels Jul 25, 2022
@schlenk (Collaborator) left a review comment

LGTM.

Thanks for the PR.

@schlenk schlenk merged commit 8bc957c into CZ-NIC:master Jul 25, 2022
@biyeun biyeun deleted the bmb/remove-beaker-as-requirement branch July 26, 2022 10:40