Ct 2106 update cryptography dependency #466
Conversation
Thanks for opening this PR @Surbias (and the last time this happened)! This got me thinking -- what if we just remove the upper bound altogether?

Background context
At a high level, we've been discussing revising our approach to pinning dependencies. In the case of

I don't think we need to resolve the general discussion in order to take action on this specific case.

Our three options
So we have three main options as it relates to

My opinion
Personally, I'd be supportive of us just removing the upper bound here.

Rationale
If
Alternatively, we can use
I'd really prefer not to use
I know there are ways we can do these types of bumps automatically, but the caps don't appear to be doing anything for us right now.
I am inclined to agree with you @dbeatty10, as indeed the caps do not seem to be providing any benefit here. I am happy to remove the cap on this PR if that's alright?

We're still debating our approach to upper bounds, and we're not yet ready to just remove it entirely for
In the meantime, if you update the upper bound to

@dbeatty10 sounds good to me! 😄 I have now updated the PR to update

@dbeatty10 <40.0.0 should be good for a bit! Nice meeting you today.

Yes, it was great meeting you yesterday @fadi-circleci! Thanks for weighing in on this.
Snyk scans were also blocking us! Came over to submit a PR :)

Thanks for the PR @Surbias!
We're seeing these vulnerabilities as well. When do you think the next dbt-snowflake release will be that incorporates this change? |
resolves #465
Description
This PR updates the cryptography dependency to be <=39.0.1.
This is needed as there are some high-security vulnerabilities flagged, namely:
Checklist
changie new to create a changelog entry
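The thread above turns on what each style of upper bound actually lets pip install: a patch-level cap such as <=39.0.1 closes the door on the very next patch release, while a major-version cap such as <40.0.0 keeps the whole 39.x series open. The following is an added example, not code from this PR or from the dbt-snowflake project. It is a small stand-alone evaluator for a subset of requirement specifiers (plain dotted release numbers with <, <=, >, >=, ==, != clauses joined by commas; no pre-releases, wildcards or ~= handling). The >=3.2 lower bound and every candidate version number in it are constructed for illustration and are not taken from the project's setup.py or from PyPI.

```python
"""Show how three upper-bound styles for the `cryptography` requirement admit
or reject candidate releases.

Added example, not dbt-snowflake's own code.  Handles only a deliberately
small subset of PEP 440: dotted integer release versions and the operators
<, <=, >, >=, ==, != joined by commas.  Pre-releases, local versions,
wildcards and ~= are out of scope.
"""
from typing import Iterable

# The three options the thread discusses.  The upper bounds are the ones
# visible in the PR text; the >=3.2 lower bound is an assumption for this
# example, not the project's real pin.
PINS = {
    "patch-level cap (PR as first described)": ">=3.2,<=39.0.1",
    "major-version cap (what the PR settled on)": ">=3.2,<40.0.0",
    "no upper bound": ">=3.2",
}

# Constructed sample release numbers chosen to straddle the two caps.  They
# are illustrative and not taken from PyPI.
CANDIDATES = ["3.1", "38.0.4", "39.0.1", "39.0.2", "40.0.0"]

# Longest operators first so "<=" is not mis-read as "<" followed by "=".
_OPERATORS = ("<=", ">=", "==", "!=", "<", ">")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '39.0.1' into (39, 0, 1).  Only plain release segments are handled."""
    return tuple(int(part) for part in text.strip().split("."))


def _pad(a: tuple[int, ...], b: tuple[int, ...]) -> tuple[tuple[int, ...], tuple[int, ...]]:
    """Right-pad with zeros so '39' compares equal to '39.0.0', as PEP 440 requires."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def satisfies(version: str, specifier: str) -> bool:
    """True if `version` meets every comma-separated clause in `specifier`."""
    candidate = parse_version(version)
    for clause in specifier.split(","):
        clause = clause.strip()
        if not clause:
            continue
        for op in _OPERATORS:
            if clause.startswith(op):
                bound = parse_version(clause[len(op):])
                break
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
        left, right = _pad(candidate, bound)
        ok = {
            "<": left < right,
            "<=": left <= right,
            ">": left > right,
            ">=": left >= right,
            "==": left == right,
            "!=": left != right,
        }[op]
        if not ok:
            return False
    return True


def admitted(specifier: str, candidates: Iterable[str]) -> list[str]:
    """Return the candidate versions that pip would consider installable under `specifier`."""
    return [c for c in candidates if satisfies(c, specifier)]


if __name__ == "__main__":
    for label, spec in PINS.items():
        print(f"{label:45} {spec:16} -> {admitted(spec, CANDIDATES)}")
```

Running it shows the practical difference the maintainers were weighing: the <=39.0.1 form drops the constructed 39.0.2 patch release, so a security fix shipped as a patch would be blocked until someone bumps the pin again, while <40.0.0 admits it and still excludes the next major version.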