arpitjain099 opened a new pull request, #64928:
URL: https://github.com/apache/doris/pull/64928

   ### What problem does this PR solve?
   
   Issue Number: N/A
   
   Related PR: #63188
   
   Problem Summary:
   Three Python requirements files have dependency pins that allow installing versions with known security issues.
   
   **docker/runtime/doris-compose/requirements.txt**
   
   The `requests<=2.31.0` constraint sets an upper bound but no lower bound, so pip can resolve to any version below 2.31.0. Versions before 2.31.0 are affected by CVE-2023-32681 (Proxy-Authorization header leaked on cross-domain redirects). Changed to `requests>=2.31.0` to set a secure floor.
   
   **extension/dbt-doris/dev-requirements.txt**
   
   The `mysql-connector-python>=8.0.0,<8.3` lower bound allows versions with known authentication bypass issues. Raised the lower bound to `>=8.0.33` which includes the relevant fixes.
   
   **tools/cost_model_evaluate/requirements.txt**
   
   The `mysql_connector_repackaged==0.3.1` package is an unofficial third-party repackage of the MySQL connector whose last PyPI release was in 2014. Replaced with the official `mysql-connector-python>=8.0.33,<9` package. The code in `sql_executor.py` imports `mysql.connector` which both packages provide, so this is a drop-in replacement.
   
   ### Release note
   
   None
   
   ### Check List (For Author)
   
   - Test
       - [ ] Regression test
       - [ ] Unit Test
       - [x] Manual test (add detailed scripts or steps below)
         - Verified that `pip install -r docker/runtime/doris-compose/requirements.txt` resolves correctly with the new pin.
         - Confirmed `sql_executor.py` imports `mysql.connector` (the standard interface), not the repackaged module name.
       - [ ] No need to test or manual test. Explain why:
           - [ ] This is a refactor/code format and no logic has been changed.
           - [ ] Previous test can cover this change.
           - [ ] No code files have been changed.
           - [ ] Other reason
   
   - Behavior changed:
       - [x] No.
   
   - Does this need documentation?
       - [x] No.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
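The upper-bound-only pin this PR fixes can be caught mechanically before it reaches a requirements file. The script below is an added example and is not code from the Doris project or from the PR author: a stdlib-only audit that parses `requirements.txt` lines, flags any specifier set with no lower bound (so that every older release satisfies it), and flags lower bounds that sit below a per-package floor. The floor versions for `requests` (2.31.0) and `mysql-connector-python` (8.0.33) are the ones the PR text names; the `SECURE_FLOORS` table itself, the function names and the sample requirement lines are constructed for this example. The audit generalizes beyond the three pins in the PR to any `==`, `>=`, `>`, `~=`, `<=`, `<` and `!=` specifier.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the three pins discussed in the PR, before the fix.
BEFORE = """\
requests<=2.31.0
mysql-connector-python>=8.0.0,<8.3
mysql_connector_repackaged==0.3.1
"""
# Constructed sample input: the pins after the fix.
AFTER = """\
requests>=2.31.0
mysql-connector-python>=8.0.33
mysql-connector-python>=8.0.33,<9
"""

# Hypothetical floor table (assumption for this example): lowest version of a
# package that is considered acceptable. The two values come from the PR text.
SECURE_FLOORS: Dict[str, str] = {
    "requests": "2.31.0",
    "mysql-connector-python": "8.0.33",
}

# Operators that actually bound a requirement from below.
LOWER_OPS = {"==", "===", ">=", ">", "~="}

_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")
_SPEC_RE = re.compile(r"(===|==|~=|!=|<=|>=|<|>)\s*([0-9][0-9A-Za-z.*]*)")


def normalize(name: str) -> str:
    """PEP 503 style name normalization so 'mysql_connector' == 'mysql-connector'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def vkey(version: str) -> Tuple[int, ...]:
    """Turn '8.0.33' into a fixed-width integer tuple for comparison."""
    parts = [int(p) if p.isdigit() else 0 for p in version.split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts[:4])


def parse_requirement(line: str) -> Optional[Tuple[str, List[Tuple[str, str]]]]:
    """Return (normalized name, [(op, version), ...]) or None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = _NAME_RE.match(line)
    if not m:
        return None
    specs = _SPEC_RE.findall(line[m.end():])
    return normalize(m.group(1)), specs


def satisfies(version: str, specs: List[Tuple[str, str]]) -> bool:
    """True if `version` is allowed by every specifier in `specs`."""
    v = vkey(version)
    for op, pin in specs:
        p = vkey(pin)
        if op in ("==", "==="):
            ok = v == p
        elif op == "!=":
            ok = v != p
        elif op == ">=":
            ok = v >= p
        elif op == ">":
            ok = v > p
        elif op == "<=":
            ok = v <= p
        elif op == "<":
            ok = v < p
        else:  # "~=": compatible release, >= X.Y.Z and same X.Y prefix
            keep = len(pin.split(".")) - 1
            ok = v >= p and v[:keep] == p[:keep]
        if not ok:
            return False
    return True


def audit(requirements_text: str, floors: Dict[str, str] = SECURE_FLOORS) -> List[Tuple[str, str]]:
    """Return (package, reason) findings for pins that admit insecure versions."""
    findings: List[Tuple[str, str]] = []
    for raw in requirements_text.splitlines():
        parsed = parse_requirement(raw)
        if parsed is None:
            continue
        name, specs = parsed
        lower_pins = [vkey(ver) for op, ver in specs if op in LOWER_OPS]
        if not lower_pins:
            findings.append((name, "no lower bound: every older release satisfies the pin"))
            continue
        floor = floors.get(name)
        if floor and max(lower_pins) < vkey(floor):
            findings.append((name, f"lower bound is below the secure floor {floor}"))
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text) or "clean")
```

Run it against a real requirements file by passing the file contents to `audit()`; the floor table is the part a team would maintain (for example from its own advisory feed), and the `satisfies()` helper lets you answer the concrete question the PR raises, namely whether a known-bad version such as `2.30.0` is still permitted by a given pin.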

