Feature request: update/remove dependencies and consider more relaxed version pins #47
Description
Prerequisites
- I have searched the repository’s issues, Kinde community and public roadmap to ensure my feature request isn’t a duplicate
- I have read the contributing guidelines
- I agree to the terms within the code of conduct
What is the problem you’re trying to solve?
GitHub is reporting two security vulnerabilities when using the kinde-python-sdk package:
GHSA-248v-346w-9cwc
GHSA-9wx4-h78v-vm56
These are both caused by dependencies defined in the pyproject.toml of this package.
What solution would you like to see?
- As far as I can tell,
requestsisn't even used in this package (I can't find any imports). Can it be removed from the list of dependencies? - Can the remaining dependencies (but
certifiin particular) be updated to the latest versions? - Please consider less strict pinning of dependencies. You're pinning quite specific versions here, which leads to two problems:
- When the Kinde SDK is used in a project with other packages, the dependency requirements may conflict with those of other packages.
- More frequent updates to versions are required (e.g. in the case of security issues like this).
For some packages (e.g. certifi), removing the version pin entirely may be appropriate. For other packages, if you don't want to remove version pins entirely, perhaps you could change the version pins so you're only pinning the major version? E.g. urllib3 ~=2.2.
Additional information
I've reported this here rather than through the security vulnerability disclosure process, as the certifi vulnerability is already public (see #44) and requests isn't used in the code.