
Fix dependabot alert

Open willmcgugan opened this issue 2 years ago • 2 comments

https://github.com/Textualize/rich/security/dependabot/2

willmcgugan avatar Jun 28 '22 13:06 willmcgugan

Don't know how to make the above link public; here's a screenshot.

Pretty sure it just requires a bump of ipywidgets. We should bump it just enough to get rid of the issue, and check the Jupyter stuff still works.

[Screenshot 2022-06-29 at 09 21 32]

willmcgugan avatar Jun 29 '22 08:06 willmcgugan

It seems that the fact that Rich supports Python 3.6 prevents us from being able to upgrade the package:

The current project's Python requirement (>=3.6.3,<4.0.0) is not compatible with some of the required packages Python requirement:

  • notebook requires Python >=3.7, so it will not be satisfied for Python >=3.6.3,<3.7

Because notebook (6.4.12) requires Python >=3.7

The security fix looks to not have been backported to older versions of the notebook package, unfortunately :pensive:

  • https://github.com/jupyter/notebook/security/advisories/GHSA-v7vq-3x77-87vg

As Python 3.6 stopped receiving security fixes more than 6 months ago, maybe we could stop supporting it in an upcoming version of Rich? :thinking: (which as a side-effect would also bring the joys of v3.7 into the Rich codebase of course, like modern typing annotations :star_struck: )

olivierphi avatar Jul 05 '22 09:07 olivierphi
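The resolver message quoted in the comment above is the interesting part of this thread: a dependency's `python_requires` only has to miss a slice of the project's own supported range (here Python 3.6.3 up to 3.7) for the upgrade to be refused. The script below is an added example, not code from Rich, Poetry or the notebook project; it reconstructs that reasoning with the standard library only, supporting the `>=`, `>`, `<=`, `<` and `==` clauses that appear in such ranges (no `~=`, wildcards or pre-release handling), and reproduces the page's message for `notebook` as its default run.

```python
"""Compute which part of a project's supported Python range a dependency's
python_requires fails to cover. Added example: not part of the Rich project,
Poetry or notebook; a simplified model of the resolver check quoted above."""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]
# (lower, lower_inclusive, upper, upper_inclusive); None means unbounded on that side
Range = Tuple[Optional[Version], bool, Optional[Version], bool]


def parse_version(text: str) -> Version:
    """Normalise '3.7' / '3.6.3' to a 3-tuple so tuple comparison is meaningful."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def fmt_version(v: Version) -> str:
    """Render (3, 7, 0) as '3.7' and (3, 6, 3) as '3.6.3' (keeps at least major.minor)."""
    parts = list(v)
    while len(parts) > 2 and parts[-1] == 0:
        parts.pop()
    return ".".join(str(p) for p in parts)


def parse_specifier_set(spec: str) -> Range:
    """Reduce a comma-separated set of >=, >, <=, <, == clauses to a single interval."""
    lower: Optional[Version] = None
    lower_inc = True
    upper: Optional[Version] = None
    upper_inc = False
    for clause in spec.split(","):
        clause = clause.strip()
        for op in (">=", "<=", "==", ">", "<"):
            if clause.startswith(op):
                version = parse_version(clause[len(op):])
                break
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
        if op in (">=", ">", "=="):
            inc = op != ">"
            # keep the tightest lower bound; at equal versions the exclusive one is tighter
            if lower is None or version > lower or (version == lower and not inc):
                lower, lower_inc = version, inc
        if op in ("<=", "<", "=="):
            inc = op != "<"
            if upper is None or version < upper or (version == upper and not inc):
                upper, upper_inc = version, inc
    return lower, lower_inc, upper, upper_inc


def uncovered_ranges(project_spec: str, dep_spec: str) -> List[Range]:
    """Return the parts of the project's Python range that the dependency does not support."""
    p_lo, p_lo_inc, p_hi, p_hi_inc = parse_specifier_set(project_spec)
    d_lo, d_lo_inc, d_hi, d_hi_inc = parse_specifier_set(dep_spec)
    gaps: List[Range] = []

    # Project versions below the dependency's lower bound.
    if d_lo is not None and (p_lo is None or d_lo > p_lo
                             or (d_lo == p_lo and p_lo_inc and not d_lo_inc)):
        if p_hi is not None and (d_lo > p_hi or (d_lo == p_hi and not (p_hi_inc and d_lo_inc))):
            gaps.append((p_lo, p_lo_inc, p_hi, p_hi_inc))  # dependency starts above the whole range
        else:
            gaps.append((p_lo, p_lo_inc, d_lo, not d_lo_inc))

    # Project versions above the dependency's upper bound.
    if d_hi is not None and (p_hi is None or d_hi < p_hi
                             or (d_hi == p_hi and p_hi_inc and not d_hi_inc)):
        if p_lo is not None and (d_hi < p_lo or (d_hi == p_lo and not (p_lo_inc and d_hi_inc))):
            gaps.append((p_lo, p_lo_inc, p_hi, p_hi_inc))  # dependency ends below the whole range
        else:
            gaps.append((d_hi, not d_hi_inc, p_hi, p_hi_inc))
    return gaps


def fmt_range(r: Range) -> str:
    lo, lo_inc, hi, hi_inc = r
    clauses = []
    if lo is not None:
        clauses.append((">=" if lo_inc else ">") + fmt_version(lo))
    if hi is not None:
        clauses.append(("<=" if hi_inc else "<") + fmt_version(hi))
    return ",".join(clauses)


def describe(dep_name: str, project_spec: str, dep_spec: str) -> str:
    """Produce a resolver-style sentence for the conflict (or confirm there is none)."""
    gaps = uncovered_ranges(project_spec, dep_spec)
    if not gaps:
        return f"{dep_name} (Python {dep_spec}) covers the whole project range {project_spec}"
    rendered = ", ".join(fmt_range(g) for g in gaps)
    return f"{dep_name} requires Python {dep_spec}, so it will not be satisfied for Python {rendered}"


if __name__ == "__main__":
    # The two ranges quoted in the thread: Rich's own and notebook 6.4.12's.
    print(describe("notebook", ">=3.6.3,<4.0.0", ">=3.7"))
    # Dropping 3.6 from the project range makes the same dependency resolvable.
    print(describe("notebook", ">=3.7,<4.0.0", ">=3.7"))
```

Running it prints the same sentence the resolver produced for `notebook`, then shows that raising the project floor to 3.7 leaves no uncovered slice. The check is the one to run before assuming a dependabot bump is a one-line change: if the fixed release of a dependency has a higher Python floor than the project, the fix is not installable on the project's oldest supported interpreter, and either the floor moves or the old interpreter stays on the vulnerable release.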

I hope we solved your problem.

If you like using Rich, you might also enjoy Textual

github-actions[bot] avatar Dec 15 '22 11:12 github-actions[bot]