
deps: update to use pyyaml 6 #340

Closed
wants to merge 1 commit into from

Conversation

chenrui333

@chenrui333 chenrui333 commented Jul 19, 2023

@kurtmckee
Contributor

PyYAML 6 dropped support for Python 2.7, which dotbot still supports.

@anishathalye
Owner

This might be the reason to drop support for Python 2.7, when our dependencies no longer support it (and upgrading dependencies is the easiest solution to problems like that posted in the OP).

@johnlettman

I advocate for discontinuing support for Python 2.7 due to several reasons:

  1. End-of-Life Status: Python 2.7 has been beyond its end-of-life for about three years now, following its last extension after the official sunsetting. Consequently, Python 2 is no longer available for download on the Python website.
  2. Trend in Python Projects: Numerous prominent frameworks, projects, and packages, such as OpenStack, have already transitioned to Python 3, leaving Python 2 behind.
  3. Improved Features: Python 3 offers several enhancements that can significantly enhance development. Notably, the typing features have proven valuable in my personal experience.

and, of course

  4. Security: Dotbot, its plugins, and the users can benefit from the usage of supported Python interpreters and latest dependency updates through the switch. It can resolve the following CVE:

    Improper Input Validation in PyYAML / CVE-2020-14343 / GHSA-8q59-q68h-6hv4 / A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.
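As an added example that is not part of this thread or of dotbot's own code, this is the loading pattern that mitigates the bug class named in the CVE above: parse the config with `yaml.safe_load`, which refuses Python-specific tags such as `python/object/new` instead of constructing objects from them. It assumes PyYAML is installed; the two config snippets are constructed for the example.

```python
# Added example (not dotbot's own code): load a dotbot-style config with
# yaml.safe_load so Python-specific tags are rejected, not constructed.
# Requires PyYAML (5.x or 6.x).
import yaml

# Constructed sample config in dotbot's format (defaults/link directives).
SAFE_CONFIG = """
- defaults:
    link:
      relink: true
- link:
    ~/.vimrc: vimrc
"""

# Constructed document carrying a Python-specific tag. The target is a
# harmless class because the point is only to see the tag refused.
TAGGED_CONFIG = """
- link: !!python/object/new:collections.OrderedDict []
"""


def load_config(text):
    """Parse a config with the safe loader; returns the list of directives."""
    data = yaml.safe_load(text)
    if not isinstance(data, list):
        raise ValueError("dotbot config must be a list of directives")
    return data


def is_rejected(text):
    """True if the safe loader refuses the document (unknown or unsafe tag)."""
    try:
        yaml.safe_load(text)
    except yaml.constructor.ConstructorError:
        return True
    return False


if __name__ == "__main__":
    print(load_config(SAFE_CONFIG))
    print("tagged document rejected:", is_rejected(TAGGED_CONFIG))
```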

@johnlettman

I reckon the README already suggests no Python 2:

dotbot/README.md

Lines 70 to 71 in 712b30a

`install.ps1` script instead of `install`. On Windows, Dotbot only supports
Python 3.8+, and it requires that your account is [allowed to create symbolic

Anyways, I would be happy to help out with it too.

@rht

rht commented Aug 18, 2023

I am not able to install dotbot properly via pip on Python 3.11. The reason is the <6 pyyaml version constraint. pyyaml supported Python 3.11 only recently: yaml/pyyaml@957ae4d. You have to choose to support either of 3.11 or 2.7. I'd vote for supporting 3.11 and dropping EOL 2.7.

@chenrui333
Author

PyYAML 6 dropped support for Python 2.7, which dotbot still supports.

python 2.7 has been EOL for quite some time, and macOS has not shipped it by default either, also all package managers stop shipping packages using py2, so it would be good to just drop it and then prep for the upcoming py3.12 release :) just my two cents.

@anishathalye
Owner

I'm on board with this plan to drop Py2 support; will process these recent PRs when I get some free time.

anishathalye added a commit that referenced this pull request Sep 10, 2023
This was causing install issues with newer versions of Python /
setuptools; see yaml/pyyaml#723.

Thanks to Rui Chen <rui@chenrui.dev> for reporting this issue in
#340.
@anishathalye
Owner

Thank you for the PR. I didn't just want to remove the version specification altogether; alternative change in b732baf (you're credited in there).

Thanks all for your patience. This is included in Dotbot 1.20.0 and released on PyPI.
