build(deps): requests between >=2.32.0,<2.32.3 #660

Merged: 1 commit, Jun 4, 2024

Conversation

ricellis
Member

@ricellis ricellis commented Jun 4, 2024

PR summary

Constrain requests

  • >=2.32.0 for CVE-2024-35195 fix.
  • <2.32.3 to avoid default certificate loading regression.

Fixes: #658

Note: An existing issue is required before opening a PR.

PR Checklist

Please make sure that your PR fulfills the following requirements:

  • The commit message follows the
    Angular Commit Message Guidelines.
  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been added / updated (for bug fixes / features)

PR Type

  • Bugfix
  • Feature
  • Code style update (formatting, local variables)
  • Refactoring (no functional changes, no api changes)
  • New tests
  • Build/CI related changes
  • Documentation content changes
  • Other (please describe)

Dependency change

What is the current behavior?

Regression loading default certificates with requests 2.32.3 prevents validating certificate paths (and hence connecting).

What is the new behavior?

Constrain requests to working versions.

Does this PR introduce a breaking change?

  • Yes
  • No

Other information

This is temporary; see also:

>=2.32.0 for CVE-2024-35195 fix.
<2.32.3 to avoid default certificate loading regression.
@ricellis ricellis self-assigned this Jun 4, 2024
@ricellis ricellis merged commit 73c11a6 into main Jun 4, 2024
9 checks passed
@ricellis ricellis deleted the 658-requests-version branch June 4, 2024 13:18
@ricellis ricellis mentioned this pull request Jul 10, 2024
13 tasks
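
A CI-style check for the version window this PR sets, as an added example that is not code from this repository: it scans pinned requirements text and flags `requests` pins outside `>=2.32.0,<2.32.3`. The function names, labels and sample pins are constructed for illustration, and only exact `==` release pins are handled.

```python
import re

# Bounds taken from the PR text:
#   >=2.32.0 for the CVE-2024-35195 fix, <2.32.3 to avoid the certificate loading regression.
LOWER = (2, 32, 0)
UPPER = (2, 32, 3)

# Matches exact pins such as "requests==2.32.2" or "requests[socks]==2.32.2 \",
# but not other packages such as "requests-toolbelt".
PIN = re.compile(
    r"^\s*requests(?:\[[^\]]*\])?\s*==\s*(\d+(?:\.\d+)*)\s*(?:\\|[;#].*)?\s*$",
    re.IGNORECASE,
)

def parse(version):
    """Turn '2.32' or '2.32.1' into a tuple padded to three components."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(version):
    """Label a release version against the window set by the PR."""
    v = parse(version)
    if v < LOWER:
        return "below-cve-fix"
    if v >= UPPER:
        return "cert-regression"
    return "ok"

def audit(requirements_text):
    """Return (line number, version, label) for every exact requests pin found."""
    findings = []
    for lineno, line in enumerate(requirements_text.splitlines(), 1):
        match = PIN.match(line)
        if match:
            findings.append((lineno, match.group(1), classify(match.group(1))))
    return findings

# Constructed sample input, not taken from the project.
SAMPLE = """\
# constructed sample requirements
urllib3==2.2.1
requests==2.31.0
requests==2.32.2
requests==2.32.3  # pinned by hand
requests-toolbelt==1.0.0
"""

if __name__ == "__main__":
    for lineno, version, label in audit(SAMPLE):
        print(f"line {lineno}: requests {version}: {label}")
```
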
Development

Successfully merging this pull request may close these issues.

Certificate error connecting to Cloudant with requests 2.32.3
2 participants