This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Unpin attrs dep after new version has been released #9946

Merged (2 commits) on May 7, 2021

Conversation

@erikjohnston (Member) commented May 7, 2021

attrs 21.2.0 has been released with the fix to evolve.

cf. #9936

@erikjohnston erikjohnston requested a review from a team May 7, 2021 10:20
@babolivier (Contributor) left a comment

Will we want to cherry-pick this into 1.33.2?

@erikjohnston (Member, Author)

> Will we want to cherry-pick this into 1.33.2?

Yeah probably, I'll make a release-v1.33.2 branch and we can merge it in there?

@babolivier (Contributor)

> Will we want to cherry-pick this into 1.33.2?
>
> Yeah probably, I'll make a release-v1.33.2 branch and we can merge it in there?

sgtm

@@ -79,7 +79,7 @@
# Fedora 31 only has 19.1, so if we want to upgrade we should wait until 33
# is out in November.)
# Note: 21.1.0 broke `/sync`, see #9936
"attrs>=19.1.0,<21.1.0",
"attrs>=19.1.0,!=21.1.0",
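Review bot: the `# Note:` comment directly above the changed line still only records that 21.1.0 broke `/sync`; now that the upper bound is replaced by `!=21.1.0`, extend that comment to say the fix shipped in 21.2.0 (as the PR description states), so a future reader can tell from the pin itself when the exclusion becomes safe to drop. Keeping the explicit exclusion rather than reverting to plain `attrs>=19.1.0` is the more defensive choice, because a yanked release may still be served by a mirror that does not honour yanking, and the exclusion makes that case fail at resolution time instead of silently installing the broken version.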
Contributor

Probably unnecessary; 21.1.0 was yanked from PyPI, so it effectively no longer exists. We can go back to just `attrs>=19.1.0`.

Member Author

Mmm, true. Though I think since we know it's bad we may as well leave it in there. I'm not sure if e.g. PyPI mirrors and the like handle yanking etc.

@erikjohnston erikjohnston changed the base branch from develop to release-v1.33.2 May 7, 2021 11:57
@erikjohnston erikjohnston merged commit 4df26ab into release-v1.33.2 May 7, 2021
@erikjohnston erikjohnston deleted the erikj/unpin_attrs branch May 7, 2021 11:57
babolivier added a commit to matrix-org/synapse-dinsic that referenced this pull request Sep 1, 2021
Synapse 1.33.2 (2021-05-11)
===========================

Due to the security issue highlighted below, server administrators are encouraged to update Synapse. We are not aware of these vulnerabilities being exploited in the wild.

Security advisory
-----------------

This release fixes a denial of service attack ([CVE-2021-29471](GHSA-x345-32rc-8h85)) against Synapse's push rules implementation. Server admins are encouraged to upgrade.

Internal Changes
----------------

- Unpin attrs dependency. ([\#9946](matrix-org/synapse#9946))