ciscoisesdk
pinned requests library is vulnerable
Hi,
I was wondering if there's any specific reason to pin the requests version to ">=2.27.1, <=2.28"?
Since version 2.0.10 we've been using requests version "2.31.0" without any issues.
Here's the link to the vulnerability report.
And the ciscoisesdk can't be installed in an ansible project which uses ansible-lint in a version newer than 6.16.1.
vscode ➜ /workspaces/cisco_ise_operation (release/1.0.0) $ poetry add ciscoisesdk
Skipping virtualenv creation, as specified in config file.
Using version ^2.1.2 for ciscoisesdk
Updating dependencies
Resolving dependencies... (14.5s)
Because no versions of ciscoisesdk match >2.1.2,<3.0.0
and ciscoisesdk (2.1.2) depends on requests (>=2.27.1,<=2.28), ciscoisesdk (>=2.1.2,<3.0.0) requires requests (>=2.27.1,<=2.28).
And because ansible-lint (6.21.1) depends on requests (>=2.31.0), ciscoisesdk (>=2.1.2,<3.0.0) is incompatible with ansible-lint (6.21.1).
So, because ansible depends on both ciscoisesdk (^2.1.2) and ansible-lint (6.21.1), version solving failed.
Hi @atlas-pouriya
The restriction of requests >=2.27.1, <=2.28 has been removed. I am going to close the issue. In case of any problem, feel free to reopen the issue or create a new one.
Regards
Thanks @bvargasre