
Make gitpython dependency optional?

Open bollwyvl opened this issue 3 years ago • 6 comments

#204's adding the hard dep on gitpython lights up vulnerability scanners for CVE-2022-24439. Here's the upstream issue:

  • https://github.com/gitpython-developers/GitPython/issues/1515

As there's no particular timeline for a fix, perhaps the gitpython dependency could be made optional, as with pip for the non-vendored bits of poetry?

bollwyvl avatar Dec 14 '22 20:12 bollwyvl

Strawman PR up in #297.

bollwyvl avatar Dec 14 '22 21:12 bollwyvl

Thanks!

bollwyvl avatar Dec 15 '22 23:12 bollwyvl

CVE-2024-22190 is up. Can we reconsider the hard dep, and make it an extra?

bollwyvl avatar Jan 12 '24 17:01 bollwyvl

Ugh, yes, given the history I think making it an extra makes a lot of sense.

maresb avatar Jan 12 '24 18:01 maresb
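The pattern the thread is asking for, as an added example (not the code from #297 or from conda-lock itself): GitPython is only imported when a git-backed feature is actually used, so an install without the extra never pulls the package that scanners flag. The extra name `conda-lock[git]`, the feature name `git-sources` and the `head_commit` helper are assumptions for illustration.

```python
"""Optional-extra handling for a dependency such as GitPython (added example)."""
from __future__ import annotations

import importlib
import importlib.util
from pathlib import Path
from typing import Optional

# Maps an optional feature to (importable module, pip extra that provides it).
# The extra name "conda-lock[git]" is hypothetical, not conda-lock's real spec.
OPTIONAL_FEATURES: dict[str, tuple[str, str]] = {
    "git-sources": ("git", "conda-lock[git]"),
}


def feature_available(feature: str) -> bool:
    """True when the module backing `feature` is importable.

    find_spec() only inspects the import path; it does not import the module,
    so checking availability has no side effects."""
    module, _ = OPTIONAL_FEATURES[feature]
    return importlib.util.find_spec(module) is not None


def missing_feature_message(feature: str) -> str:
    """Actionable error text telling the user which extra to install."""
    module, extra = OPTIONAL_FEATURES[feature]
    return (
        f"{feature!r} needs the optional dependency {module!r}; "
        f"install it with: pip install '{extra}'"
    )


def require_feature(feature: str):
    """Import the backing module lazily, or fail with the message above."""
    module, _ = OPTIONAL_FEATURES[feature]
    try:
        return importlib.import_module(module)
    except ImportError as exc:
        raise ImportError(missing_feature_message(feature)) from exc


def head_commit(repo_dir: Path) -> Optional[str]:
    """HEAD sha of a local clone, or None when the git extra is not installed.

    Code paths that never touch git sources therefore never load GitPython."""
    if not feature_available("git-sources"):
        return None
    git = require_feature("git-sources")  # GitPython's top-level module is `git`
    return git.Repo(repo_dir).head.commit.hexsha
```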

As mentioned before: as of now, conda install conda-lock pulls in 85 transient deps. I'd really like to see a conda-lock-explicit, which:

  • pulled in as few dependencies as possible
  • exposed only a bare-bones argparse CLI, if any
  • read (multiple) environment.yml files
  • generated @EXPLICIT files
    • without clever magic comments
    • portable to all conda-compatible clients, constructor, SBOM tools, etc.

Pretty much everything else could be an entry_point-driven plugin.

bollwyvl avatar Jan 13 '24 17:01 bollwyvl

@bollwyvl, seems like a bit of a project, but I'd totally support that. I think it'd help a lot with code quality too. I don't really have any time to push it forward right now though.

@mariusvniekerk, what do you think?

maresb avatar Jan 13 '24 17:01 maresb