Skip to content
This repository was archived by the owner on Apr 23, 2025. It is now read-only.

Reported security vulnerability in dependency "future". #233

Closed
steve-mavens opened this issue Jan 4, 2023 · 4 comments
Closed

Reported security vulnerability in dependency "future". #233

steve-mavens opened this issue Jan 4, 2023 · 4 comments

Comments

@steve-mavens
Copy link

steve-mavens commented Jan 4, 2023
edited
Loading

Dependabot has just thrown this at my bingads code: GHSA-v3c5-jqr6-7qm8

On a quick search of the head of your main branch, it looks to me as though the only use of future is several cases of from future.utils import with_metaclass. That's thoroughly harmless, and I'm confident guessing that it's not subject to a vulnerability in cookie-handling code! Nothing else in my application uses future, so I can dismiss my dependabot alert.

Still, it might be helpful to your users if you cut the dependency on future by specifying your metaclasses in Python 3 syntax (judging by your trove classifiers, you no longer support Python 2 anyway). I've never used with_metaclass before, but I believe that for example: class _BulkEntityIdentifier(with_metaclass(ABCMeta, _BulkObject)): translates to class _BulkEntityIdentifier(_BulkObject, metaclass=ABCMeta):.

The last release of future was 3 years ago, so I don't know whether that's still maintained. Perhaps it will respond to the advisory with a fix, in which case there's no need to change anything, but it doesn't look promising: PythonCharmers/python-future#610

Even if you don't plan to change anything, I propose that this ticket might help anyone else who ends up here in the next few days because they got the same dependabot alert. Saves them doing the same check of the code :-)

If you are changing it, then while you're in there, there are some from __future__ import print_function and similar that are no longer needed provided you don't support Python 2.
@wpwood
Copy link

wpwood commented Jan 6, 2023

We're running into this issue, too. According to PythonCharmers/python-future#612 (comment), it doesn't look like future is going to be updated. They suggest removing future from usage, given that "It is supposed to help moving from Python 2 to 3. Python 2 has been dead for a long time."

@Kache
Copy link

Kache commented Jan 12, 2023
edited
Loading

Looks like v13.0.15 removes support for Python 2, but it missed removing the Python 2 compatibility deps like future and six

@steve-mavens
Copy link
Author

steve-mavens commented Jan 12, 2023
edited
Loading

v0.18.3 of future contains the fix to the cookie code: PythonCharmers/python-future@v0.18.2...v0.18.3 PythonCharmers/python-future@c91d70b

@qitia
Copy link
Collaborator

qitia commented Mar 6, 2023

yes we will remove six/future in vNext.

@qitia qitia closed this as completed Mar 6, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@Kache @wpwood @qitia @steve-mavens