
Issues with botbuilder core's pinned version of jsonpickle with Python 3.11

Open sohamM97 opened this issue 1 year ago • 4 comments

Version

botbuilder-core==4.16.1
jsonpickle==1.4.2
Python 3.11

Describe the bug

We have implemented our custom storage class for storing conversation/dialog/user state in redis. We use jsonpickle library to serialize and deserialize data. Since botbuilder-core 4.16.1 depends on jsonpickle<1.5 and >=1.2, we use version 1.4.2. We upgraded recently from Python 3.9 to 3.11, after which we started noticing problems with inconsistent behaviour of jsonpickle 1.4.2, which we have detailed under the "To Reproduce" section.

We saw that older versions of jsonpickle had an issue with Python 3.11: https://github.com/jsonpickle/jsonpickle/issues/395, which they fixed in later versions. Once we forcefully installed jsonpickle==3.3.0 in our environment, we noticed that the issue was resolved. So, it would be good if the pinned version of jsonpickle can be updated.

To Reproduce

Steps to reproduce the behavior:

For this, you will need to implement your custom storage class, overriding botbuilder core's Storage class.

  1. The method to read data should use jsonpickle's Unpickler class's restore method
  2. The method to write data should use jsonpickle's Pickler class's flatten method
  3. Save the dialog state using this custom storage class, and read it back.

Expected behavior

The contents of the object after writing and reading should be the same as the contents of the original object.

sohamM97 avatar Dec 06 '24 14:12 sohamM97

@sohamM97 Have you encountered any issues with 3.3.0 since this was posted?

tracyboehrer avatar Jan 28 '25 14:01 tracyboehrer

@tracyboehrer No, we didn't find any issues with jsonpickle 3.3.0 when we tried it with Python 3.11 and botbuilder core 4.16.1.

sohamM97 avatar Jan 29 '25 09:01 sohamM97

Is there any progress on this front? PVE-2024-72982 was recently published

demian-licht-hs avatar May 22 '25 08:05 demian-licht-hs

Is it possible now to pin jsonpickle to 3.3.0 (or above) since there is a well known vulnerability in versions prior https://security.snyk.io/vuln/SNYK-PYTHON-JSONPICKLE-8136229?

chawlamark avatar Jun 23 '25 17:06 chawlamark

If you want to override jsonpickle in your project to fix this issue in uv, here's the syntax:

pyproject.toml:

[tool.uv]
override-dependencies = [
    "jsonpickle>=3.3.0"
]

I have an extremely simple project but I haven't run into any issues yet.

seantcanavan avatar Jul 10 '25 16:07 seantcanavan