Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade V1 Python microservice Cryptography Package #5471

Open
mwm5945 opened this issue Mar 22, 2024 · 3 comments
Open

Upgrade V1 Python microservice Cryptography Package #5471

mwm5945 opened this issue Mar 22, 2024 · 3 comments
Labels

Comments

@mwm5945
Copy link
Contributor

mwm5945 commented Mar 22, 2024

The crpytography package has released a new major version, which includes vulnerability fixes. Consumers of the microservice are unable to upgrade their own dependencies as it conflicts with the version Seldon allows.

Describe the bug

This line restricts the version of cryptography that can be installed:

"cryptography >= 39.0.1, < 41.1",

To reproduce

Attempt to install seldon-core with cryptography==42.x.x, i.e.

❯ cat requirements.txt
seldon-core==1.18.1
cryptography==42.0.5
❯ pip install -r requirements.txt
... <omitted package collection for brevity> 
INFO: pip is looking at multiple versions of seldon-core to determine which version is compatible with other requirements. This could take a while.
ERROR: Cannot install -r requirements.txt (line 1) and cryptography==42.0.5 because these package versions have conflicting dependencies.

The conflict is caused by:
    The user requested cryptography==42.0.5
    seldon-core 1.18.1 depends on cryptography<41.1 and >=39.0.1

To fix this you could try to:
1. loosen the range of package versions you've specified
2. remove package versions to allow pip attempt to solve the dependency conflict

ERROR: ResolutionImpossible: for help visit https://pip.pypa.io/en/latest/topics/dependency-resolution/#dealing-with-dependency-conflicts

Expected behaviour

Latest patched version of cryptography package can be used.

@mwm5945 mwm5945 added the bug label Mar 22, 2024
@mg515
Copy link

mg515 commented Jun 11, 2024

Any update on this @mwm5945 ?

@mwm5945
Copy link
Contributor Author

mwm5945 commented Jun 11, 2024 via email

@mg515
Copy link

mg515 commented Jun 12, 2024

Since there are security concerns with cryptography<42.0.0, I think we should go for the update within Seldon V1. Do we know why the hard pin is there in the first place? Breaking changes?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

2 participants