-
Notifications
You must be signed in to change notification settings - Fork 70
Fix lxml and distutils compatibility for Python 3.13 #388
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: master
Are you sure you want to change the base?
Changes from all commits
a49195d
bcc998b
9075f39
99d98fe
76a0d08
fa86dae
e22a0e5
7ad7b1d
9f4f5c4
5254072
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -3,7 +3,8 @@ beautifultable==0.7.0 | |
| boto3>=1.9.88 | ||
| click==6.7 | ||
| docker==3.6.0 | ||
| lxml==4.6.2 | ||
| lxml>=4.6.2,<5.0; python_version < "3.12" | ||
| lxml>=5.0.0; python_version >= "3.12" | ||
|
Comment on lines
+6
to
+7
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔒 Security & Privacy | 🟠 Major 🧩 Analysis chain🏁 Script executed: #!/bin/bash
rg -n -C2 --type=py '\bfrom lxml\b|\bimport lxml\b|\biterparse\s*\(|\bETCompatXMLParser\s*\(' .Repository: Cloud-CV/evalai-cli Length of output: 157 🌐 Web query:
💡 Result: The vulnerability GHSA-vfmq-68hx-4jfw (also tracked as PYSEC-2026-87 and CVE-2026-41066) was fixed in lxml 6.1.0 [1][2][3]. Consequently, there is no patched lxml 5.x release for this issue, as it remained unpatched in the 5.x series [1][4]. Lxml 5.0.0 is affected by this vulnerability because the default configuration for iterparse and ETCompatXMLParser still allowed entity resolution (resolve_entities=True) at that time [1][2]. While lxml 5.0 introduced a change to default resolve_entities='internal' for normal XML and HTML parsers, this change was not applied to iterparse or ETCompatXMLParser until version 6.1.0 [1][2]. Citations:
Bump GHSA-vfmq-68hx-4jfw affects Update both markers to require 6.1.0 minimum: required changeEven though no explicit [remove: and security flags once updated.] 🧰 Tools🪛 OSV Scanner (2.4.0)[HIGH] 6-6: lxml 5.0.0: undefined (PYSEC-2026-87) [HIGH] 6-6: lxml 5.0.0: lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files 🤖 Prompt for AI AgentsSource: Linters/SAST tools |
||
| python-dateutil==2.7.3 | ||
| requests==2.25.1 | ||
| validators==0.12.6 | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,10 +1,15 @@ | ||
| #!/usr/bin/env python | ||
| import io | ||
| import os | ||
| import sys | ||
|
|
||
| from setuptools import setup, find_packages | ||
| from setuptools.command.test import test as TestCommand | ||
| from distutils.util import convert_path | ||
|
|
||
|
|
||
| # We use a manual way to find the version file path for CI compatibility | ||
| def get_version_path(*paths): | ||
| return os.path.join(os.path.dirname(__file__), *paths) | ||
|
|
||
|
|
||
| class PyTest(TestCommand): | ||
|
|
@@ -15,13 +20,12 @@ def finalize_options(self): | |
|
|
||
| def run_tests(self): | ||
| import pytest | ||
|
|
||
| sys.exit(pytest.main(self.test_args)) | ||
|
|
||
|
|
||
| PROJECT = "evalai" | ||
| package_config = {} | ||
| version_file_path = convert_path("evalai/version.py") | ||
| version_file_path = get_version_path("evalai", "version.py") | ||
|
|
||
| with io.open("README.md", encoding="utf-8") as f: | ||
| long_description = f.read() | ||
|
|
@@ -34,7 +38,9 @@ def run_tests(self): | |
|
|
||
| tests_require = [ | ||
| "coverage", | ||
| "flake8==7.1.2", | ||
| "packaging", | ||
| "coveralls==1.3.0", | ||
| "flake8==3.0.4", | ||
|
Comment on lines
+41
to
+43
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🩺 Stability & Availability | 🟠 Major 🧩 Analysis chain🌐 Web query:
💡 Result: No, Flake8 version 3.0.4 does not support Python 3.12 or Python 3.13. Flake8 3.0.4 was released on August 8, 2016 [1][2], long before the release of Python 3.12 or 3.13. Flake8 is tightly coupled to the version of Python on which it runs because it must be able to parse the syntax of the code it checks [3]. Support for Python 3.12 was only introduced much later, starting with Flake8 version 6.1.0, released in July 2023 [4]. Consequently, version 3.0.4 lacks the necessary infrastructure and language feature support to correctly parse or lint Python 3.12 or 3.13 code. Citations:
Remove the outdated
"packaging",
"coveralls==1.3.0",
"flake8==3.0.4",🤖 Prompt for AI Agents |
||
| "pytest==3.5.1", | ||
| "pytest-cov==2.5.1", | ||
| "pytest-env==0.6.2", | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🎯 Functional Correctness | 🟠 Major
🧩 Analysis chain
🏁 Script executed:
Repository: Cloud-CV/evalai-cli
Length of output: 654
🏁 Script executed:
sed -n '6,30p' evalai/utils/updates.pyRepository: Cloud-CV/evalai-cli
Length of output: 395
Return a parsed
Versionobject instead of a string fromget_latest_version()The helper sorts releases using
StrictVersionbut returns a raw string from the release list. Consequently,evalai/main.pycompares__version__andlatest_versionas strings, causing lexicographic errors (e.g.,0.9.0fails to trigger an update against0.10.0).Modify
get_latest_version()to return aStrictVersioninstance (strict_version = StrictVersion(versions[-1]); return strict_version) and updateevalai/main.pyto parse__version__before comparison:🤖 Prompt for AI Agents