remove outdated vendored copies of dependencies: chardet httpsig_cffi idna jwt requests six urllib3

[pabs3]

I note that oci-python-sdk does extensive vendoring/embedding of dependencies and this potentially results in missing bug fixes for users of oci-python-sdk.

https://github.com/oracle/oci-python-sdk/
https://github.com/oracle/oci-python-sdk/tree/master/src/oci/_vendor

As an example, PyPI urllib3 is at version 1.26.9 but the oci-python-sdk vendor directory contains 1.26.4, which is missing several important bug fixes:

https://pypi.org/project/urllib3/#changes

If you hadn't vendored that dependency, users of oci-python-sdk would note that urllib3 is pulled in by oci-python-sdk, scanned the version number, noticed there were updates to fix bugs, reviewed the changes and upgraded to the latest version.

I haven't checked the other vendored dependencies for new releases, but I note the last time the vendored dependencies saw version updates was May 2021, which is almost a year ago, which is a very long time in open source, especially for active projects like requests and urllib3.

A similar class of problem is pinning dependencies, but I see that you have thankfully resolved that, but some of the version ranges are still too restrictive.

#343
#419

[github-anurag]

@pabs3
We have updated the following dependencies to a version (what we can safely update) is Release 2.69.0. The upgraded dependencies are as follows:-

    The vendored dependency requests was updgraded from version 2.21.0 to 2.27.1
    The vendored dependency urllib3 was updgraded from version 1.24.1 to 1.26.9
    The vendored dependency chardet was updgraded from version 3.0.4 to 4.0.0
    The vendored dependency idna was updgraded from version 2.8 to 2.10
    The vendored dependency six was updgraded from version 1.12.0 to 1.16.0

The httpsig_cffi is a signing library that we have modified to keep up with the latest cryptography library and has no updates.
The next plan is to move to ranges in the next Major version bump for v3.0 of the Python SDK similar to the line of what you have suggested. Feel free to keep this issue open till that happens to track it.

[pabs3]

Thanks for the update on this situation. The latest version of idna is 3.3, any reason not to use that? https://pypi.org/project/idna/#history Since Python 2 is now EOL and security unsupported, you can probably just drop use of six and switch to solely using Python 3 syntax. Please send another update when the vendored dependencies have been removed and replaced with ranged deps for v3.0 of the Python SDK. Modified vendored dependencies of unmaintained projects are very concerning, especially for cryptography projects. Should I file a second issue to discuss and track the httpsig_cffi situation?

…

-- bye, pabs https://bonedaddy.net/pabs3/

[pabs3]

@github-anurag what is the status of this issue and of the upcoming v3.0 of the OCI Python SDK?

You can remove the vendored dependencies using these commands:

git rm -r src/oci/_vendor/
git sed 'from oci\._vendor import ' 'import '
git sed 'from oci\._vendor\.' 'from '
git sed 'from \._vendor import ' 'import '
git sed 'httpsig_cffi' 'httpsig'

I have rebased my patch removing the vendored dependencies to master:

master...pabs3:oci-python-sdk:unvendor

[pabs3]

@github-anurag PS: I intend to upload oci-python-sdk to Debian and
this issue is blocking the upload, so I will probably have to
upload my fork of the project to Debian or patch out the deps.

[pabs3]

FTR: I no longer intend to package oci-python-sdk/oci-cli for Debian, so this issue isn't blocking me, but it would still be a good idea to remove the the vendored deps from the OCI Python SDK.

[mpise]

Hi @github-anurag,

Is it possible to update _vendor packages in OCI sdk?
We see CVE-2022-29217 in _vendored/jwt package.