
[feature] Lift version limitation for the PyJWT #8876

Closed
1 task done
ezaiakinsc opened this issue Apr 26, 2021 · 7 comments · Fixed by #8952

@ezaiakinsc

Currently Conan has version limitation for PyJWT like this:
PyJWT>=1.4.0, <2.0.0

Popular frameworks, like PyGithub, are gradually lifting the minimal PyJWT version to 2.0+, and it becomes problematic to use conan together with the rest of the scripting. The situation is temporarily resolvable using virtualenv, but python version switching is yet another dimension for human mistakes, especially for non-experts in python.

It would be way easier if conan could be installed together with mainstream packages in a typical environment. Can the PyJWT version limit be lifted to 2.0+?
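The constraint conflict this issue describes, as an added example (not code from the Conan project): it intersects pip-style specifiers for one package and shows that no PyJWT release satisfies both `>=1.4.0, <2.0.0` and `>=2.0` at once, while the later `>=2.4.0, <3.0.0` bound mentioned further down the thread does overlap. It assumes plain dotted numeric versions (a subset of PEP 440) and a constructed candidate list.

```python
"""Intersect pip-style requirement specifiers on one package (added example).
Assumption: only plain dotted numeric versions and the six basic operators."""
import operator
import re

_OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
        "!=": operator.ne, ">": operator.gt, "<": operator.lt}
_CLAUSE = re.compile(r"^\s*(>=|<=|==|!=|>|<)\s*([0-9]+(?:\.[0-9]+)*)\s*$")


def parse_version(text):
    """'2.4.0' -> (2, 4); trailing zeros are dropped so 2.0 == 2.0.0."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_specifier(spec):
    """'>=1.4.0, <2.0.0' -> [(ge, (1, 4)), (lt, (2,))]."""
    clauses = []
    for clause in spec.split(","):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError("unsupported clause: %r" % clause)
        clauses.append((_OPS[m.group(1)], parse_version(m.group(2))))
    return clauses


def satisfies(version, spec):
    v = parse_version(version)
    return all(op(v, bound) for op, bound in parse_specifier(spec))


def compatible_versions(candidates, requirements):
    """Candidates allowed by every dependant's specifier simultaneously."""
    return [c for c in candidates
            if all(satisfies(c, spec) for spec in requirements.values())]


# Constructed candidate list; the specifier strings are the ones quoted in the thread.
CANDIDATES = ["1.4.0", "1.7.1", "2.0.0", "2.4.0", "2.6.0"]
CONFLICT = {"conan": ">=1.4.0, <2.0.0", "PyGithub": ">=2.0"}
RESOLVED = {"conan": ">=2.4.0, <3.0.0", "PyGithub": ">=2.0"}

if __name__ == "__main__":
    print("conan 1.x pin:", compatible_versions(CANDIDATES, CONFLICT))   # []
    print("after bump:  ", compatible_versions(CANDIDATES, RESOLVED))    # ['2.4.0', '2.6.0']
```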

@memsharded
Member

memsharded commented Apr 26, 2021

Well, it is a major version, so it probably requires a bit of extra testing to make sure nothing is broken, not just lifting the version requirements, but it might require changes in code (and then the opposite might happen, users stuck with older PyJWT might have incompatibilities).

For example, they are dropping support for Python2 (which we still maintain for Conan 1.X so far), or the transitive cryptography >= 3 might be an issue.

Let's check it.

@memsharded memsharded added this to the 1.37 milestone Apr 26, 2021
bjornfor added a commit to bjornfor/nixpkgs that referenced this issue May 5, 2021
Pin pyjwt to 1.7.1 (the last of the 1.x series) to fix building conan:

  ERROR: Could not find a version that satisfies the requirement PyJWT<2.0.0,>=1.4.0 (from conan)

Ref. upstream issue conan-io/conan#8876.
dotlambda pushed a commit to NixOS/nixpkgs that referenced this issue May 5, 2021
@memsharded memsharded modified the milestones: 1.37, 1.38 May 30, 2021
@memsharded
Member

Please read my comments in #8952 (review):

  • I think this will break other users
  • There is no perfect solution to this issue
  • As this is only in the conan_server code, forcing the version in client-only users will not break the client, and the issue can be worked around with virtualenvs

So let's move it to Conan 2.0, where we will decouple the conan_server PyPI package if possible.

@memsharded memsharded modified the milestones: 1.38, 2.0 Jun 18, 2021
@memsharded memsharded modified the milestones: 2.0, 2.0.0-alpha6 Mar 9, 2022
@memsharded
Member

Closed in #8952, will be in the next 2.0-alpha.6

@bjornfor

FYI, there's a CVE for PyJWT which now affects the latest released conan.

@memsharded
Member

Hi @bjornfor

Latest Conan already upgraded to PyJWT>=2.4.0, <3.0.0 in #11350 and released it in the latest Conan 1.49 (and in any case, this is a requirement for conan_server; it is not used at all in the Conan client, just in case there is a concern for previous versions. And even previous versions of the server were not exposed to the vulnerability, checked usage in code).

Thanks for reporting!

@bjornfor

@memsharded: Thanks for the info! (Sorry, I just assumed it wasn't part of a release yet based on parent message.)

@memsharded
Member

> @memsharded: Thanks for the info! (Sorry, I just assumed it wasn't part of a release yet based on parent message.)

Yeah, probably this issue should have been updated too, but sometimes it is difficult, the activity in the repo is very high. Thanks for telling; it is always better to be sure!
