Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Vendoring starlette@0.33.0 #11956

Merged
merged 2 commits into from
Feb 9, 2024
Merged

Vendoring starlette@0.33.0 #11956

merged 2 commits into from
Feb 9, 2024

Conversation

chrisguidry
Copy link
Collaborator

A recent security vulnerability was identified in starlette versions below
0.36.2
. We can't upgrade
our version of starlette at the current time, because it's not compatible with
our vendored version of fastapi. However, the change in starlette is simply
to set a lower-bound on python-multipart, so that's included here as well.

However, I'm still vendoring starlette because our upper bound pin is
preventing other users from upgrading their dependencies.

Once our deprecation period for pydantic<2 has passed, we can drop both
vendored libraries and go back to the public versions.

Note that I'm removing black from our pre-commit config, because we are using
ruff exclusively. black had some trouble with formatting these files from
starlette, which made me realize it shouldn't be in play anymore.

Fixes #11719

A recent security vulnerability was identified in [`starlette` versions below
0.36.2](GHSA-93gm-qmq6-w238).  We can't upgrade
our version of `starlette` at the current time, because it's not compatible with
our vendored version of `fastapi`.  However, the change in starlette is simply
to set a lower-bound on `python-multipart`, so that's included here as well.

However, I'm still vendoring `starlette` because our upper bound pin is
preventing other users from upgrading their dependencies.

Once our deprecation period for `pydantic<2` has passed, we can drop both
vendored libraries and go back to the public versions.

Note that I'm removing `black` from our pre-commit config, because we are using
`ruff` exclusively.  `black` had some trouble with formatting these files from
`starlette`, which made me realize it shouldn't be in play anymore.

Fixes #11719
@chrisguidry chrisguidry requested review from zangell44 and a team as code owners February 9, 2024 19:40
Copy link

netlify bot commented Feb 9, 2024

Deploy Preview for prefect-docs-preview ready!

Name Link
🔨 Latest commit 6ed65cd
🔍 Latest deploy log https://app.netlify.com/sites/prefect-docs-preview/deploys/65c6817acbe82e0008f991e9
😎 Deploy Preview https://deploy-preview-11956--prefect-docs-preview.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@jakekaplan
Copy link
Contributor

jakekaplan commented Feb 9, 2024

Do all the internal references need to change to avoid things like:

  File "/home/runner/work/prefect/prefect/src/prefect/_vendor/starlette/datastructures.py", line 5, in <module>
    from starlette.concurrency import run_in_threadpool

or we just need to change how we install it

@chrisguidry
Copy link
Collaborator Author

Sorry, I did a last minute tweak to the vendoring script and mistakenly botched the import fixes :D Just pushed a fixed version up

Comment on lines 5 to 7
- id: ruff
language_version: python3
args: [--fix, --exit-non-zero-on-fix, --show-fixes]
Copy link
Collaborator

@zzstoatzz zzstoatzz Feb 9, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ruff format is pretty great imo if we're nixing black

Suggested change
- id: ruff
language_version: python3
args: [--fix, --exit-non-zero-on-fix, --show-fixes]
- id: ruff-format
- id: ruff
language_version: python3
args: [--fix, --exit-non-zero-on-fix, --show-fixes]

@serinamarie serinamarie added the fix A fix for a bug in an existing feature label Feb 9, 2024
@chrisguidry chrisguidry merged commit 644b71b into main Feb 9, 2024
45 checks passed
@chrisguidry chrisguidry deleted the vendor-starlette branch February 9, 2024 21:00
@zzstoatzz zzstoatzz mentioned this pull request Feb 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
fix A fix for a bug in an existing feature
Projects
None yet
Development

Successfully merging this pull request may close these issues.

CVE in starlette==0.32.0, which is pinned due to vendored FastAPI
4 participants