deps: bump msgpack requirement to 1.0.4

DifferentialOrange · DifferentialOrange · commit 52dcc3ddf88c · 2022-07-21T17:35:04.000+03:00
In this patch we bump msgpack requirement since version 1.0.4 has various vulnerability fixes (for example, [1]). Since the code is still compatible with msgpack-python and older msgpack, tests are not removed in this patch. 1. msgpack/msgpack-python#153
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
@@ -53,7 +53,7 @@ jobs:
             msgpack-deps: 'msgpack==0.6.2'
           - tarantool: '2.8'
             python: '3.10'
-            msgpack-deps: 'msgpack==1.0.0'
+            msgpack-deps: 'msgpack==1.0.4'
 
     steps:
       - name: Clone the connector
@@ -77,16 +77,12 @@ jobs:
           python-version: ${{ matrix.python }}
 
       - name: Install specific version of msgpack package
-        if: startsWith(matrix.msgpack-deps, 'msgpack==') == true
-        run: |
-          pip install ${{ matrix.msgpack-deps }}
-
-      - name: Install specific version of msgpack-python package
-        # msgpack package is a replacement for deprecated msgpack-python.
-        # To test compatibility with msgpack-python we must ignore
-        # requirements.txt install of msgpack package by overwriting it
-        # with sed.
-        if: startsWith(matrix.msgpack-deps, 'msgpack-python==') == true
+        # We want to enforce using modern msgpack since it has
+        # various vulnerability fixes. But the code is compatible
+        # with older msgpack versions and msgpack-python package.
+        # To this test compatibility we must ignore requirements.txt
+        # install of the newer msgpack package by overwriting it with sed.
+        if: matrix.msgpack-deps != ''
         run: |
           pip install ${{ matrix.msgpack-deps }}
           sed -i -e "s/^msgpack.*$/${{ matrix.msgpack-deps }}/" requirements.txt
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 
 ### Changed
+- Bump msgpack requirement to 1.0.4 (PR #223).
+  The only reason of this bump is various vulnerability fixes,
+  msgpack>=0.4.0 and msgpack-python==0.4.0 are still supported.
 
 ### Fixed
 
diff --git a/requirements.txt b/requirements.txt
@@ -1 +1 @@
-msgpack>=0.4.0
+msgpack>=1.0.4
diff --git a/setup.py b/setup.py
@@ -83,7 +83,7 @@ def find_version(*file_paths):
     cmdclass=cmdclass,
     command_options=command_options,
     install_requires=[
-        'msgpack>=0.4.0',
+        'msgpack>=1.0.4',
     ],
     python_requires='>=3',
 )

Original file line number	Diff line number	Diff line change
`@@ -83,7 +83,7 @@ def find_version(*file_paths):`
`83`	`83`	`cmdclass=cmdclass,`
`84`	`84`	`command_options=command_options,`
`85`	`85`	`install_requires=[`
`86`		`- 'msgpack>=0.4.0',`
	`86`	`+ 'msgpack>=1.0.4',`
`87`	`87`	`],`
`88`	`88`	`python_requires='>=3',`
`89`	`89`	`)`