
Replace "passlib" with direct calls to bcrypt

Open · LilDojd opened this issue 1 year ago · 1 comment

Description:

It has come to my attention that passlib is no longer actively maintained, with the last release dating back to 2020. This raises concerns about potential CVEs and long-term compatibility.

Furthermore, when using bcrypt versions higher than 4.0.1, I encountered an issue similar to https://github.com/pyca/bcrypt/issues/684. This suggests that passlib may not be compatible with the latest versions of bcrypt that are installed with conda in your environments.

Pinning bcrypt to version 4.0.1 is not a sustainable solution, as it could expose users to future security vulnerabilities that are addressed in newer releases.

Proposal:

I recommend replacing the usage of passlib with the bcrypt library directly. I will draft a PR shortly. This is not a high priority issue, so feel free to triage as you please.

References:

LilDojd avatar Sep 17 '24 18:09 LilDojd

Thanks for raising this @LilDojd! Really appreciate your help with this. :pray:

Will review your PR #306 as part of our next sprint cycle.

dotsdl avatar Sep 20 '24 04:09 dotsdl