Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replace "passlib" with direct calls to bcrypt #304

Closed
LilDojd opened this issue Sep 17, 2024 · 1 comment · Fixed by #306
Closed

Replace "passlib" with direct calls to bcrypt #304

LilDojd opened this issue Sep 17, 2024 · 1 comment · Fixed by #306
Assignees
@dotsdl
Milestone
Release 0.5.2 - p...

Comments

@LilDojd
Copy link
Contributor

LilDojd commented Sep 17, 2024
edited
Loading

Description:

It has come to my attention that passlib is no longer actively maintained, with the last release dating back to 2020. This raises concerns about potential CVE and long-term compatibility.

Furthermore, when using bcrypt versions higher than 4.0.1, I encountered an issue similar to pyca/bcrypt#684. This suggests that passlib may not be compatible with the latest versions of bcrypt that is installed with conda in your environments.

Pinning bcrypt to version 4.0.1 is not a sustainable solution, as it could expose users to future security vulnerabilities that are addressed in newer releases.

Proposal:

I recommend replacing the usage of passlib with the bcrypt library directly. I will draft a PR shortly. This is not a high priority issue, so feel free to triage as you please

References:
LilDojd added a commit to LilDojd/alchemiscale that referenced this issue Sep 18, 2024
@LilDojd
♻️(deps): remove passlib dependency
71e0efb 
fixes OpenFreeEnergy/alchemiscale/OpenFreeEnergy#304
@LilDojd LilDojd mentioned this issue Sep 18, 2024
Merged
@dotsdl
Copy link
Member

dotsdl commented Sep 20, 2024

Thanks for raising this @LilDojd! Really appreciate your help with this. 🙏

Will review your PR #306 as part of our next sprint cycle.

@dotsdl dotsdl self-assigned this Oct 2, 2024
@ianmkenney ianmkenney linked a pull request Nov 13, 2024 that will close this issue
Replace passlib with bcrypt #306
Merged
@github-project-automation github-project-automation bot moved this from Sprint - In Review to Done in alchemiscale : advancement sprints Nov 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dotsdl dotsdl

Labels
None yet
Projects
alchemiscale : advancement sprints
Status: Done
Milestone
Release 0.5.2 - py2neo+grolt updates ...
Development

Successfully merging a pull request may close this issue.

Replace passlib with bcrypt LilDojd/alchemiscale
2 participants
@dotsdl @LilDojd