Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Feature] Support sqlparse 0.5.0 #9949

Closed
3 tasks done
lkell opened this issue Apr 15, 2024 · 3 comments · Fixed by #9951
Closed
3 tasks done

[Feature] Support sqlparse 0.5.0 #9949

lkell opened this issue Apr 15, 2024 · 3 comments · Fixed by #9951
Labels
dependencies Changes to the version of dbt dependencies enhancement New feature or request

Comments

@lkell
Copy link

lkell commented Apr 15, 2024

Is this your first time submitting a feature request?

  • I have read the expectations for open source contributors
  • I have searched the existing issues, and I could not find an existing issue for this feature
  • I am requesting a straightforward extension of existing dbt functionality, rather than a Big Idea better suited to a discussion

Describe the feature

sqlparse < 0.5.0 contains a high severity vulnerability: GHSA-2m57-hf25-phgg.

dbt-core currently pins sqlparse to < 0.50, see https://github.com/dbt-labs/dbt-core/blob/ee74a60082b34c3a3d0df8a0d5d5cbfd7ec5ed6a/core/setup.py#L70C9-L70C31.

Upgrading the sqlparse dependency will allow dependent projects to use the patched version.

Describe alternatives you've considered

I don't think there are any real alternatives to upgrading sqlparse, since using a non-patched version would be problematic for many of the developers and organizations who use dbt.

Who will this benefit?

All users and organizations who want to use the patched version of sqlparse.

Are you interested in contributing this feature?

No response

Anything else?

No response

@lkell lkell added enhancement New feature or request triage labels Apr 15, 2024
@dbeatty10 dbeatty10 added the dependencies Changes to the version of dbt dependencies label Apr 16, 2024
@jtcohen6 jtcohen6 linked a pull request Apr 16, 2024 that will close this issue
5 tasks
@jtcohen6 jtcohen6 removed the triage label Apr 16, 2024
@dbeatty10
Copy link
Contributor

Thanks for reaching out @lkell 🏆

We opened up #9951 to bump sqlparse to the range of 0.5 to 0.6 to address this.

@rory-donaldson
Copy link

When is the next release expected that will contain this fix?

@emmyoop
Copy link
Member

emmyoop commented Apr 18, 2024

We will be releasing this fix in 1.8.0b3 (today) and back porting it to v1.7 and v1.6 (planned to release today).

Unfortunately, fixing this issue isn't straightforward for us for dbt-core v1.5.

While we'd love to update sqlparse to a safer version, it no longer supports Python 3.7, and dbt-core v1.5 relies on Python 3.7 compatibility. That means if we update sqlparse, we would break compatibility with our supported Python version.

Given that dbt-core v1.5 will soon reach its end of life, we've decided not to update sqlparse.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Changes to the version of dbt dependencies enhancement New feature or request
Projects
None yet
Development

Successfully merging a pull request may close this issue.

5 participants