Skip to content

fix: #1108 - Replace ecdsa with cryptography #1114

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 11, 2025
Merged

fix: #1108 - Replace ecdsa with cryptography #1114

merged 2 commits into from
Sep 11, 2025
+17 −16

Conversation

dacevedo12
Copy link
Contributor

Fixes #1108

Fixes

A short description of what this PR does.

Checklist

  • I acknowledge that all my contributions will be made under the project's license
  • I have made a material change to the repo (functionality, testing, spelling, grammar)
  • I have read the Contribution Guidelines and my PR follows them
  • I have titled the PR appropriately
  • I have updated my branch with the main branch
  • I have added tests that prove my fix is effective or that my feature works
  • I have added the necessary documentation about the functionality in the appropriate .md file
  • I have added inline documentation to the code I modified

If you have questions, please file a support ticket.

@tiwarishubham635
Copy link
Contributor

Thanks for raising this PR. I can review this.

Copilot
Copilot AI reviewed Aug 7, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR replaces the ecdsa library with the cryptography library for handling ECDSA signature verification in the SendGrid Python SDK. This change affects the event webhook functionality that validates incoming webhook signatures from SendGrid.

Key changes:

  • Replaces ecdsa dependency with cryptography in package requirements
  • Updates imports and signature verification logic in the EventWebhook class
  • Updates documentation references across README and CONTRIBUTING files

Reviewed Changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
setup.py Replaces ecdsa dependency with cryptography>=45.0.6
sendgrid/helpers/eventwebhook/init.py Updates signature verification implementation to use cryptography library
README.rst Updates dependency documentation reference
README.md Updates dependency documentation reference
CONTRIBUTING.md Updates development dependency reference

@tiwarishubham635
Copy link
Contributor

I see the verify signature test is passing. So it seems to be fine. Can you please do the above mentioned changes so that we can merge it? Thanks!

@dacevedo12
Copy link
Contributor Author

@tiwarishubham635 Fixed

@dacevedo12
Copy link
Contributor Author

Hey @tiwarishubham635 , is there anything pending to merge this? One would expect security fixes to be a high priority for Twilio...

@dacevedo12
Copy link
Contributor Author

@tiwarishubham635 @twilio-product-security Hi, is there anything I can do to help speed up merging this security fix?

Kind regards,

@yonatan-shorani
Copy link

Hi, any update on this PR?
This change fixes a high-severity security vulnerability, and resolving it is important for us.

Thanks!

maksym-skorupskyi
maksym-skorupskyi approved these changes Sep 2, 2025
View reviewed changes
Copy link

@maksym-skorupskyi maksym-skorupskyi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR successfully addresses the security vulnerabilities in the ecdsa dependency by migrating to the industry-standard cryptography library. The implementation is clean and maintains backward compatibility.

Minor Suggestion:

Version Constraint: Consider if cryptography>=45.0.6 is too restrictive - you might want to allow a broader range like >=45.0.6,<46 to avoid forcing users to upgrade to very recent versions.

@garikkh garikkh mentioned this pull request Sep 10, 2025
Closed
tiwarishubham635
tiwarishubham635 approved these changes Sep 11, 2025
View reviewed changes
@tiwarishubham635 tiwarishubham635 merged commit 6828852 into sendgrid:main Sep 11, 2025
9 checks passed
@CoderJoshDK CoderJoshDK mentioned this pull request Sep 12, 2025
Open
8 tasks
@RichardTea
Copy link

This is a breaking change as it adds a new client requirement for a Rust toolchain that never existed before.

Please can such things be put behind a Major version change, this broke our build as we now have to explicitly mark this "patch" version as incompatible.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@tiwarishubham635 tiwarishubham635 tiwarishubham635 approved these changes

+1 more reviewer

@maksym-skorupskyi maksym-skorupskyi maksym-skorupskyi approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CVE for dependency ecdsa
5 participants
@dacevedo12 @tiwarishubham635 @yonatan-shorani @RichardTea @maksym-skorupskyi