Upgrade grcpio to 1.53.0 #359

jackdawm · 2023-08-01T18:39:12Z

What was changed

Require minimum version 1.53.0 of grpcio.

Why?

Resolves the high severity CVE-2023-32731, which is applicable as long as grcpio is used.
Also resolves the high severity CVE-2023-1428, however, I do not believe that one applies to our use of grpc.

Checklist

How was this tested:
Ran poe test locally.

cretz · 2023-08-02T17:24:16Z

pyproject.toml

@@ -31,7 +31,7 @@ generate-setup-file = true
 "Bug Tracker" = "https://github.com/temporalio/sdk-python/issues"

 [tool.poetry.dependencies]
-grpcio = { version = "^1.48.0", optional = true }
+grpcio =  {version = "^1.53.0", optional = true}


Brace format is a little off, but no worries. I can clean that up another time. Thanks!

cretz · 2023-08-02T17:25:20Z

Note, grpcio is an opt-in choice for users, we don't really use it (but we gen code that uses it).

jackdawm added 2 commits August 1, 2023 14:16

Upgrade grpcio to 1.53.0

7609df7

Make it optional this time

db0f9b4

jackdawm requested a review from a team as a code owner August 1, 2023 18:39

cretz approved these changes Aug 2, 2023

View reviewed changes

cretz merged commit 63f63ae into temporalio:main Aug 2, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Upgrade grcpio to 1.53.0 #359

Upgrade grcpio to 1.53.0 #359

Uh oh!

jackdawm commented Aug 1, 2023

Uh oh!

cretz Aug 2, 2023 •

edited

Loading

Uh oh!

cretz commented Aug 2, 2023

Uh oh!

Uh oh!

Upgrade grcpio to 1.53.0 #359

Upgrade grcpio to 1.53.0 #359

Uh oh!

Conversation

jackdawm commented Aug 1, 2023

What was changed

Why?

Checklist

Uh oh!

cretz Aug 2, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

cretz commented Aug 2, 2023

Uh oh!

Uh oh!

cretz Aug 2, 2023 •

edited

Loading