fix(polymorphic): Install package from git #10334
Conversation
Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.
Note 🟢 Risk threshold not exceeded. Change Summary: The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective. Summary: The changes made in this pull request focus on updating the dependencies listed in the
From an application security perspective, these changes are generally positive as they help address known vulnerabilities and security issues by updating dependencies to their latest versions. However, there are a few points to consider:
Files Changed:
Powered by DryRun Security
This pull request has conflicts, please resolve those before we can evaluate the pull request.
7039e58 to 09c0d04 (Compare)
DryRun Security Summary: The provided code change updates the Summary: The provided code change is an update to the From an application security perspective, the changes are generally positive, as they demonstrate a commitment to keeping dependencies up-to-date, which helps address known vulnerabilities. The majority of the dependencies have specific version numbers pinned, which is a good practice to ensure consistent and predictable application behavior. The use of a secure dependency source, such as the GitHub repository, is also a positive security practice. However, the comment regarding the deprecated Files Changed:
Code Analysis: We ran
Riskiness: 🟢 Risk threshold not exceeded.
Conflicts have been resolved. A maintainer will review the pull request shortly.
I did some light reading on this one. The JazzBand account is in the process of taking over the polymorphic repo, and is still waiting on pypi access to be transferred. I would imagine a formal release through pypi will be coming in the next couple of weeks. I suspect there will be a handful of pypi packages we use that will block the python3.12 upgrade, so rushing on this may end up creating more churn for us in the long run. What do you think @kiblik @mtesauro ?
The sad part is that the ticket for the takeover has been open for a couple of weeks without any progress. pypi/support#4164 It is hard to predict how long we will need to wait. Plus it looks like the installation process is broken at this moment: https://github.com/DefectDojo/django-DefectDojo/actions/runs/10405827519/job/28817490858?pr=10334#step:5:1135 Plus, My conclusion: There are multiple blockers. So missing an upgrade of this one would not solve the whole situation.
We are closing for now, but are tracking the progress of polymorphic so that we can upgrade to python 3.12 at a later date.
If we would like to use polymorphic with python 3.12 or django 4, we need to install this package directly from git.
Context: