[
https://issues.apache.org/jira/browse/FLINK-29796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17648177#comment-17648177
]
Nathanael England commented on FLINK-29796:
-------------------------------------------
Just wanted to bump this. Looking at
[https://github.com/apache/flink/blob/release-1.16/flink-python/setup.py#L314],
it seems this has already made its way back to 1.16 if I'm understanding this
correctly? This is blocking me from pulling apache-flink in through our
requirements.txt since we require protobuf > 3.19 due to the security
vulnerabilities detailed
[here|https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf].
We use [pantsbuild|https://www.pantsbuild.org/] for python repo management so
there's no easy way to separate out our requirements for a temporary solution.
> pyflink protobuf requirement out of date
> ----------------------------------------
>
> Key: FLINK-29796
> URL: https://issues.apache.org/jira/browse/FLINK-29796
> Project: Flink
> Issue Type: Bug
> Components: API / Python
> Affects Versions: 1.16.0
> Reporter: Jorge Villatoro
> Priority: Major
>
> The setup.py file for pyflink currently requires protobuf<3.18 but the
> dev-requirements.txt file lists protobuf<=3.21 which seems to indicate that
> the library works with newer versions of protobuf. The latest version of
> protobuf which satisfies the requirement was 3.17.3 which was released over a
> year ago, and notably the various gcloud api packages all require much newer
> versions (3.19+ I think). Obviously there are ways around this but the right
> answer is likely to ease/change the requirement.