fix: upgrade protobuf dependency chain #683
Open
mobasi-team wants to merge 3 commits into abrignoni:main from
Conversation
mobasi-team (Contributor, Author):
@stark4n6 what is needed to get this merged? We would love to patch up this last supply chain vuln given the axios + litellm stuff over the last few weeks.
Collaborator:
@mobasi-team I'm assuming that if we remove blackboxprotobuf from requirements.txt we would need to update every single parser that uses that library?
mobasi-team (Contributor, Author):
BBPB is the maintained version of blackboxprotobuf.
Collaborator:
@mobasi-team understood, but there is a lot of other work that will need to occur to update the parsers to work with this (per @Johann-PLW). We are conferring on the best route forward.
mobasi-team (Contributor, Author):
@Johann-PLW @stark4n6 we took a first pass at the compatibility fixes. See the changes in the most recent commit. Let us know what changes need to be made.
Summary
- protobuf `3.10.0` to `5.29.6`
- `blackboxprotobuf` dependency replaced with maintained upstream package `bbpb==1.4.2`, which still exposes `import blackboxprotobuf`
- `*_pb2.py` modules keep importing under the secure dependency set

Why
The repo was pulling in `protobuf==3.10.0`, which triggered high-severity advisories. A direct protobuf bump was blocked because the old `blackboxprotobuf` package hard-pinned `protobuf==3.10.0`.

Root Cause
- `requirements.txt` pinned a vulnerable protobuf version
- `blackboxprotobuf` package on PyPI was abandoned and locked to that vulnerable protobuf release

Validation
- `python -m unittest admin.test.scripts.test_runtime_requirements.TestRuntimeRequirements.test_scripts_package_sets_protobuf_runtime_mode`
- `python -m unittest discover -s admin/test/scripts -p 'test_*.py'` in fresh Python 3.11 environment
- `python -m unittest discover -s admin/test/scripts -p 'test_*.py'` in fresh Python 3.10 environment

Impact
- `blackboxprotobuf` imports in artifact modules
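As an added example (not code from the PR or the project), a small audit of a requirements.txt body for the two root causes listed above: an exact or compatible-release pin below the fixed protobuf release, and a dependency on the abandoned blackboxprotobuf package. The 5.29.6 floor and the bbpb==1.4.2 replacement are taken from the description; the sample requirements text is constructed.

```python
import re

# Floors and replacements named in the PR description: protobuf must be at
# least the fixed 5.29.6 release, and the abandoned blackboxprotobuf package
# is replaced by its maintained successor bbpb==1.4.2.
MIN_VERSIONS = {"protobuf": "5.29.6"}
ABANDONED = {"blackboxprotobuf": "bbpb==1.4.2"}

# name, optional operator, optional version (extras and markers are ignored).
PIN_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9A-Za-z.]*)?"
)


def parse_version(text):
    """'3.10.0' -> (3, 10, 0), so tuples compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def parse_requirements(text):
    """Yield (name, operator, version) per requirement line, skipping blanks,
    comments and option lines such as '-r other.txt'."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = PIN_RE.match(line)
        if match:
            yield match.group(1), match.group(2), match.group(3)


def audit(text):
    """Return human-readable findings for the pins in a requirements.txt body."""
    findings = []
    for name, op, version in parse_requirements(text):
        key = name.lower().replace("_", "-")
        if key in ABANDONED:
            findings.append(f"{name}: abandoned package, replace with {ABANDONED[key]}")
        # An exact or compatible-release pin holds the project on that line;
        # a '>=' floor cannot keep it below the fixed version.
        if (key in MIN_VERSIONS and version and op in ("==", "~=")
                and parse_version(version) < parse_version(MIN_VERSIONS[key])):
            findings.append(f"{name}{op}{version}: below fixed version {MIN_VERSIONS[key]}")
    return findings


# Constructed sample mirroring the pre-fix state described in the PR.
SAMPLE_BEFORE = "protobuf==3.10.0\nblackboxprotobuf  # abandoned on PyPI\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_BEFORE):
        print(finding)
```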