
Conversation

@dacevedo12
Author

Fixes #1108

Checklist

  • I acknowledge that all my contributions will be made under the project's license
  • I have made a material change to the repo (functionality, testing, spelling, grammar)
  • I have read the Contribution Guidelines and my PR follows them
  • I have titled the PR appropriately
  • I have updated my branch with the main branch
  • I have added tests that prove my fix is effective or that my feature works
  • I have added the necessary documentation about the functionality in the appropriate .md file
  • I have added inline documentation to the code I modified

If you have questions, please file a support ticket.

@tiwarishubham635
Contributor

Thanks for raising this PR. I can review this.

@Copilot
Copilot AI

Pull Request Overview

This PR replaces the ecdsa library with the cryptography library for handling ECDSA signature verification in the SendGrid Python SDK. This change affects the event webhook functionality that validates incoming webhook signatures from SendGrid.

Key changes:

  • Replaces ecdsa dependency with cryptography in package requirements
  • Updates imports and signature verification logic in the EventWebhook class
  • Updates documentation references across README and CONTRIBUTING files

Reviewed Changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 3 comments.

Per-file summary:

  • setup.py: replaces the ecdsa dependency with cryptography>=45.0.6
  • sendgrid/helpers/eventwebhook/__init__.py: updates the signature verification implementation to use the cryptography library
  • README.rst: updates the dependency documentation reference
  • README.md: updates the dependency documentation reference
  • CONTRIBUTING.md: updates the development dependency reference
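The following is an added example, not code from this PR or from the SendGrid SDK, showing what ECDSA webhook signature verification looks like when built on the cryptography library that the review above describes. It assumes the SendGrid scheme as documented elsewhere (not confirmed by this page): a PEM-encoded EC public key, a SHA-256 ECDSA signature in DER form that is base64-encoded, computed over the timestamp header concatenated with the raw request body. The key pair, payload and timestamp are constructed inline so the example runs offline; the names `load_verification_key`, `verify_signature`, `make_demo_keypair`, `sign_like_sender` and `demo` are this example's own.

```python
import base64

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

# Assumption (not stated on this page): the signature is base64(DER ECDSA),
# made with SHA-256 over timestamp + raw body, and the verification key is
# distributed as a PEM SubjectPublicKeyInfo.


def load_verification_key(public_key_pem: str) -> ec.EllipticCurvePublicKey:
    """Parse the PEM public key and refuse anything that is not an EC key."""
    key = serialization.load_pem_public_key(public_key_pem.encode("utf-8"))
    if not isinstance(key, ec.EllipticCurvePublicKey):
        raise TypeError("webhook verification key must be an EC public key")
    return key


def verify_signature(public_key: ec.EllipticCurvePublicKey,
                     payload: str, signature_b64: str, timestamp: str) -> bool:
    """Return True only if the signature is valid for timestamp + payload.

    Every failure path (bad base64, malformed DER, wrong key, altered data)
    collapses to False so a caller cannot mistake an exception for success.
    """
    try:
        signature = base64.b64decode(signature_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    message = (timestamp + payload).encode("utf-8")
    try:
        public_key.verify(signature, message, ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return False
    return True


# --- constructed sender side, present only to exercise the verifier offline --

def make_demo_keypair():
    """Hypothetical sender key; a real deployment gets the PEM from SendGrid."""
    private_key = ec.generate_private_key(ec.SECP256R1())
    pem = private_key.public_key().public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    ).decode("utf-8")
    return private_key, pem


def sign_like_sender(private_key: ec.EllipticCurvePrivateKey,
                     payload: str, timestamp: str) -> str:
    """Produce base64(DER ECDSA-SHA256) over timestamp + payload."""
    der_signature = private_key.sign((timestamp + payload).encode("utf-8"),
                                     ec.ECDSA(hashes.SHA256()))
    return base64.b64encode(der_signature).decode("ascii")


def demo() -> dict:
    """Run the verifier over a valid message and several tampered variants."""
    private_key, pem = make_demo_keypair()
    public_key = load_verification_key(pem)
    _, other_pem = make_demo_keypair()           # a key the message was NOT signed with
    other_key = load_verification_key(other_pem)

    timestamp = "1700000000"                     # constructed sample values
    payload = '[{"email":"example@test.com","event":"delivered"}]\r\n'
    signature = sign_like_sender(private_key, payload, timestamp)

    return {
        "valid": verify_signature(public_key, payload, signature, timestamp),
        "tampered_payload": verify_signature(
            public_key, payload.replace("delivered", "bounce"), signature, timestamp),
        "tampered_timestamp": verify_signature(public_key, payload, signature, "1700000001"),
        "wrong_key": verify_signature(other_key, payload, signature, timestamp),
        "not_base64": verify_signature(public_key, payload, "%%not-base64%%", timestamp),
    }


if __name__ == "__main__":
    print(demo())
```

Two practical caveats: the signature must be checked over the body bytes exactly as received (re-serialising parsed JSON will change whitespace and break verification), and signature validity alone does not stop replay; the consumer still has to reject a `timestamp` outside an acceptable window.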

@tiwarishubham635
Contributor

I see the verify signature test is passing. So it seems to be fine. Can you please do the above-mentioned changes so that we can merge it? Thanks!

@dacevedo12
Author

@tiwarishubham635 Fixed

@dacevedo12
Author

Hey @tiwarishubham635 , is there anything pending to merge this? One would expect security fixes to be a high priority for Twilio...

@dacevedo12
Author

@tiwarishubham635 @twilio-product-security Hi, is there anything I can do to help speed up merging this security fix?

Kind regards,

@yonatan-shorani

Hi, any update on this PR?
This change fixes a high-severity security vulnerability, and resolving it is important for us.

Thanks!

Linked issue (closed on merge): CVE for dependency ecdsa