python-packages: bleach 1.4.3 -> 1.5 #21450
Conversation
@spacekitteh, thanks for your PR! By analyzing the history of the files in this pull request, we identified @FRidh to be a potential reviewer.
}; | ||
|
||
buildInputs = with self; [ nose ]; | ||
propagatedBuildInputs = with self; [ six html5lib ]; | ||
propagatedBuildInputs = with self; [ six html5lib_0_9999999 pytestrunner pytest_303]; |
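Review bot: the new `propagatedBuildInputs` line pins `html5lib_0_9999999` and `pytest_303` without a comment saying why the unpinned `html5lib` and `pytest` attributes cannot be used; add a one-line comment next to the pin so the next updater knows when it can be dropped. `pytestrunner` and `pytest_303` also look like test-time dependencies rather than runtime ones; if bleach only needs them for its test phase they belong in `buildInputs` next to `nose`, not in `propagatedBuildInputs`. Minor style point: `pytest_303]` is missing the space before the closing bracket that the rest of the list uses.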
Does bleach absolutely need that version of html5lib? And that specific version of pytest? And are pytest and pytestrunner runtime dependencies (that is, install_requires)?
yes
Python devs often pin dependency versions in setup.py or worse requirements.txt, which we then need to unpin. I guess that's what's going on here.
Yep to everything you said
This needs to be backported into stable.
Because we broke bleach with the html5lib bump?
Yeah, for example matrix synapse.
Sigh, why did I merge that bump in the first place; it's causing nothing but trouble. I'll see if we can somehow revert to an older version of
Unfortunately that is not possible because the CVE was in the second latest beta of html5lib.
Unfortunately bleach depends on an older version of html5lib and cannot use the latest version because the sanitizer module has been moved out. mozilla/bleach#217 This item is cherry-picked to unbreak bleach and thus matrix-synapse on stable. (cherry picked from commit 2f977b4)
And it's in stable.
Thanks! Yeah, the html5lib seems a bit crazy with these versions.
html5lib-python 1.0 is blocked on this, for the record: html5lib/html5lib-python#307 (comment)