Comments (9)

cletomartin commented on June 12, 2024 1

@markuszoeller I'm publishing now the new version.

from auditree-arboretum.

cletomartin commented on June 12, 2024 1

@markuszoeller it should be available now https://pypi.org/project/auditree-arboretum/.

jhart1685 commented on June 12, 2024

To echo @markuszoeller's comments, it's not clear to me why arboretum needs pyyaml<5.4.

Not only is 5.3.1 old and vulnerable, it causes dependency problems for any projects that consume arboretum and require a newer version of pyyaml.
Moreover, it looks like the pyyaml developers are no longer backporting fixes to the 5.x release. For example, versions 5.4 & 5.4.1 don't work with Python 3.10 and above (due to a fix around cython sources not getting backported).

Ideally, I think that explicit version dependency should be removed, allowing it to pick up the latest (currently 6.0.1).
@alfinkel @cletomartin - will you accept a PR for that change? Are successful unit tests enough evidence that it does not cause a regression?

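The conflict described in the comment above, as an added example (not code from auditree-arboretum or from any commenter): a standard-library check that lists which distributions declare a requirement on a package that excludes a wanted version. The names `consumer-app`, `other-tool` and `some-lib` are hypothetical, and the parser handles only simple numeric comparison clauses.

```python
import re
from importlib import metadata

# Constructed sample: only the "pyyaml<5.4" pin is taken from the thread;
# "consumer-app", "other-tool" and "some-lib" are hypothetical.
DECLARED = {
    "auditree-arboretum": ["pyyaml<5.4", "some-lib>=2.0"],
    "consumer-app": ["auditree-arboretum", "pyyaml>=6.0"],
    "other-tool": ["PyYAML"],
}

_NAME = re.compile(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)")
# Simple clauses only; "~=", wildcards and pre-releases are not handled here.
_CLAUSE = re.compile(r"(<=|>=|==|!=|<|>)\s*(\d+(?:\.\d+)*)")
_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
        ">=": lambda c: c >= 0, "==": lambda c: c == 0, "!=": lambda c: c != 0}


def _cmp(a, b):
    """Compare dotted numeric versions, padding so that 5.4 equals 5.4.0."""
    ka, kb = ([int(p) for p in v.split(".")] for v in (a, b))
    width = max(len(ka), len(kb))
    ka += [0] * (width - len(ka))
    kb += [0] * (width - len(kb))
    return (ka > kb) - (ka < kb)


def allows(requirement, version):
    """True if every comparison clause in `requirement` admits `version`."""
    spec = requirement.split(";")[0]  # ignore environment markers
    return all(_OPS[op](_cmp(version, bound)) for op, bound in _CLAUSE.findall(spec))


def _norm(name):
    return re.sub(r"[-_.]+", "-", name).lower()


def blockers(declared, package, wanted):
    """Map each distribution to its requirement on `package` that excludes `wanted`."""
    found = {}
    for dist, reqs in declared.items():
        for req in reqs or []:
            m = _NAME.match(req)
            if m and _norm(m.group(1)) == _norm(package) and not allows(req, wanted):
                found[dist] = req
    return found


def installed_requirements():
    """Declared requirements of every distribution in the current environment."""
    return {d.metadata["Name"]: d.requires or [] for d in metadata.distributions()}
```

Calling `blockers(installed_requirements(), "pyyaml", "6.0.1")` runs the same check against a real environment; the sample data shows that no single pyyaml version satisfies both the `<5.4` pin and a consumer that needs `>=6.0`.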
alfinkel commented on June 12, 2024

I don't think #54 (comment) was a typo but it was 2.5 years ago when I made the comment. There may have been an issue with syntactical usage around the package and the code but again, I can't say definitively as it was quite a while ago.

Also, I'm not sure that passing unit tests is an indicator that all would be OK as I don't think we had optimal unit test coverage (at least in the past).

But I'll defer to @cletomartin since he's probably more up to date with auditree/arboretum these days.

jhart1685 commented on June 12, 2024

Ok - thanks @alfinkel. I might be missing something here, but I can't even see where or why that original PR required pyyaml. Certainly it's not used directly anywhere, and there's no obvious new indirect dependency added via that PR.

A pip inspect (or pip show pyyaml) in arboretum shows pyyaml being indirectly needed only by bandit, pre-commit and markdown-it-py.

markuszoeller commented on June 12, 2024

> Certainly it's not used directly anywhere

It's used here:

kubeconfig = yaml.safe_load(cluster_config.read(name))

That's the only place I could find and I would be surprised if that doesn't work anymore with a newer version.

jhart1685 commented on June 12, 2024

Ah - thanks for putting me straight @markuszoeller!

cletomartin commented on June 12, 2024

Thanks @markuszoeller! I don't think there is a good reason for keeping that restriction. I vaguely remember we had a problem with that specific version of pyyaml a long time ago, so this could be the case that we forgot to release the restriction when the issue was fixed.

I have created #69 for fixing this.

markuszoeller commented on June 12, 2024

> @markuszoeller I'm publishing now the new version.

@cletomartin JFYI, I don't see it yet on PyPI, so I cannot consume it yet. Could you take a look at the release please?
