Upgrade apispec from 0.39 to 1.0.0 #4173

Closed
3 tasks
jason-upchurch opened this issue Jan 31, 2020 · 1 comment
Labels
Dependencies (Pull requests that update a dependency file), Work: Back-end, Work: PI 13 · no milestone

Comments

jason-upchurch (Contributor) commented Jan 31, 2020

Update

This vulnerability was already addressed by @lbeaufort under #4236. Closing as a vulnerability, keeping open as a general upgrade.

This issue has become a high-severity security vulnerability:

  ✗ Arbitrary Code Execution [High Severity][https://snyk.io/vuln/SNYK-PYTHON-PYYAML-559098] in PyYAML@5.3.1
    introduced by apispec@0.39.0 > PyYAML@5.3.1 and 2 other path(s)
  No upgrade or patch available

Summary

Several breaking changes exist between apispec 0.39 and 1.0.0. The existing PR from issue #4150 provides a portion of the upgrade (see branch feature/4079-apispec-upgrade); however, some of the cosmetic appearance of the Swagger UI changes because the basePath is no longer stripped from paths in apispec.

This issue is to do the actual upgrade (suggest using the work from #4079 up to this point; the original issue to research upgrading was #4079).

Completion criteria

  • apispec upgraded to 1.0.0

Technical considerations

  • flask-apispec is also upgraded (to 0.8.0)
  • Cosmetic differences in the Swagger UI may be OK in the short term, given that a long-term upgrade to OpenAPI version 3.0.0 may be in store at some point, and basePath is removed in that version
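The Snyk finding quoted above reports a vulnerable transitive version together with the dependency chain that introduces it ("introduced by apispec@0.39.0 > PyYAML@5.3.1 and 2 other path(s)"). The script below is an added example, not code from the FEC project, Snyk, apispec or PyYAML: it rebuilds that kind of report from two constructed inputs, a pinned requirements list modelled on the issue and a hand-written requires-graph. In a real audit the graph comes from the installed environment (for example pipdeptree) and the advisory table from the vulnerability database; the fixed-in version recorded for PyYAML here is an assumption for the example and has to be checked against the advisory itself.

```python
# Added example: Snyk-style dependency-path audit over pinned requirements.
# Not the project's code; inputs below are constructed for illustration.
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Constructed pin list modelled on the issue, not the project's real file.
SAMPLE_REQUIREMENTS = """\
apispec==0.39.0
flask-apispec==0.7.0
PyYAML==5.3.1
marshmallow==2.21.0
"""

# Constructed requires-graph, keyed by canonical (lower-case, hyphenated) names.
SAMPLE_GRAPH: Dict[str, List[str]] = {
    "apispec": ["pyyaml", "marshmallow"],
    "flask-apispec": ["apispec", "marshmallow"],
    "pyyaml": [],
    "marshmallow": [],
}

# canonical name -> (first fixed version or None, advisory id, title, severity).
# Mirrors the Snyk finding in the issue; (5, 4, 0) as the fixed version is an
# assumption for this example, not a value taken from the page.
ADVISORIES: Dict[str, Tuple[Optional[Version], str, str, str]] = {
    "pyyaml": ((5, 4, 0), "SNYK-PYTHON-PYYAML-559098",
               "Arbitrary Code Execution", "High"),
}


def canon(name: str) -> str:
    """pip treats project names case-insensitively and '_' like '-'."""
    return name.lower().replace("_", "-")


def parse_version(text: str) -> Version:
    """'5.3.1', '0.39' or '1.0.0rc1' -> zero-padded (major, minor, patch)."""
    nums: List[int] = []
    for part in text.split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def format_version(v: Version) -> str:
    return ".".join(str(n) for n in v)


def parse_requirements(text: str) -> Dict[str, Tuple[str, Version]]:
    """Exact '==' pins only: canonical name -> (display name, version).
    Comments, blank lines and range specifiers are skipped, never guessed."""
    pins: Dict[str, Tuple[str, Version]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9][0-9A-Za-z.]*)", line)
        if m:
            pins[canon(m.group(1))] = (m.group(1), parse_version(m.group(2)))
    return pins


def dependency_paths(graph: Dict[str, List[str]], start: str, target: str) -> List[List[str]]:
    """All simple paths from `start` to `target` along requires-edges."""
    found: List[List[str]] = []

    def walk(node: str, trail: List[str]) -> None:
        if node == target:
            found.append(trail)
            return
        for dep in graph.get(node, []):
            if dep not in trail:            # skip cycles instead of looping
                walk(dep, trail + [dep])

    walk(start, [start])
    return found


def audit(requirements: str, graph: Dict[str, List[str]], advisories) -> List[dict]:
    """One finding per advisory whose package is pinned below the fixed version."""
    pins = parse_requirements(requirements)

    def label(node: str) -> str:
        return f"{pins[node][0]}@{format_version(pins[node][1])}" if node in pins else node

    findings = []
    for pkg, (fixed_in, advisory_id, title, severity) in advisories.items():
        if pkg not in pins:
            continue
        display, version = pins[pkg]
        if fixed_in is not None and version >= fixed_in:
            continue                        # pinned version already carries the fix
        # Each pinned package counts as a direct dependency; collect every chain
        # through which it pulls in the vulnerable package.
        paths = [" > ".join(label(n) for n in p)
                 for root in pins for p in dependency_paths(graph, root, pkg)]
        findings.append({"package": display, "version": format_version(version),
                         "advisory": advisory_id, "title": title, "severity": severity,
                         "fixed_in": format_version(fixed_in) if fixed_in else None,
                         "paths": paths})
    return findings


def report(findings: List[dict]) -> str:
    """Render findings in the layout Snyk used in the issue."""
    lines = []
    for f in findings:
        lines.append(f"✗ {f['title']} [{f['severity']} Severity][{f['advisory']}] "
                     f"in {f['package']}@{f['version']}")
        others = len(f["paths"]) - 1
        lines.append(f"  introduced by {f['paths'][0]}"
                     + (f" and {others} other path(s)" if others else ""))
        lines.append(f"  Upgrade to {f['package']}@{f['fixed_in']}" if f["fixed_in"]
                     else "  No upgrade or patch available")
    return "\n".join(lines) if lines else "No known vulnerabilities in the pinned set"


if __name__ == "__main__":
    print(report(audit(SAMPLE_REQUIREMENTS, SAMPLE_GRAPH, ADVISORIES)))
```

With the constructed inputs the report lists three introduction paths for PyYAML 5.3.1 (via apispec, via flask-apispec > apispec, and the direct pin), which is why "upgrade apispec" alone does not clear the finding: the direct pin and every other chain have to move past the fixed version too.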
jason-upchurch added the Dependencies (Pull requests that update a dependency file) and Work: Back-end labels on Jan 31, 2020
jason-upchurch added this to the Sprint 11.6 milestone on Jan 31, 2020
jason-upchurch changed the title from "Upgrade apispec from 0.39 to 1.0.0" to "[Snyk: High severity] arbitrary code execution, Upgrade apispec from 0.39 to 1.0.0 (Due: 4/28/2020)" on Mar 30, 2020
jason-upchurch added the Security: high (Remediate within 30 days) label on Mar 30, 2020
jason-upchurch self-assigned this on Mar 30, 2020
jason-upchurch changed the title back to "Upgrade apispec from 0.39 to 1.0.0" on Mar 30, 2020
jason-upchurch removed the Security: high (Remediate within 30 days) label on Mar 30, 2020
JonellaCulmer removed this from the Sprint 12.1 milestone on Apr 6, 2020
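The visible side effect of the upgrade described in the issue is that path keys in the generated Swagger 2.0 document keep their basePath prefix. The helper below is an added example, not code from the FEC project or from apispec; it strips that prefix after the spec has been generated, so the Swagger UI keeps its old look without patching apispec, and it also shows the OpenAPI 3.0 shape the issue anticipates, where basePath disappears and the prefix lives in `servers`. The sample spec and the assumption that the old appearance is simply "keys without the prefix" are both for illustration; whether this post-processing is needed depends on how the project registers its paths.

```python
# Added example: strip basePath from Swagger 2.0 path keys after generation,
# and show the OpenAPI 3.0 equivalent. Not the project's or apispec's code.
import copy
from typing import Any, Dict

# Constructed minimal Swagger 2.0 document, not the project's real spec.
SAMPLE_SPEC: Dict[str, Any] = {
    "swagger": "2.0",
    "info": {"title": "Example API", "version": "1.0"},
    "basePath": "/v1",
    "paths": {
        "/v1/candidates/": {"get": {"responses": {"200": {"description": "OK"}}}},
        "/v1/candidate/{id}/": {"get": {"responses": {"200": {"description": "OK"}}}},
        "/health": {"get": {"responses": {"200": {"description": "OK"}}}},
    },
}


def strip_base_path(spec: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy whose path keys no longer start with basePath.

    Keys outside basePath are left alone. A key that would collide with
    another after stripping raises instead of silently dropping an operation,
    because an overwritten entry would hide an endpoint from the published spec."""
    base = spec.get("basePath", "").rstrip("/")
    out = copy.deepcopy(spec)
    if not base:                                # "/" or absent: nothing to strip
        return out
    new_paths: Dict[str, Any] = {}
    for key, ops in spec["paths"].items():
        if key.startswith(base + "/"):
            key = key[len(base):]
        if key in new_paths:
            raise ValueError(f"path collision after stripping basePath: {key}")
        new_paths[key] = copy.deepcopy(ops)
    out["paths"] = new_paths
    return out


def to_openapi3_servers(spec: Dict[str, Any]) -> Dict[str, Any]:
    """Express the prefix the OpenAPI 3.0 way: no basePath, a `servers` entry.

    Only the basePath/servers part is converted here; the other 2.0-to-3.0
    differences (definitions vs components, produces/consumes, ...) are
    deliberately out of scope for this example."""
    out = strip_base_path(spec)
    base = spec.get("basePath", "")
    out.pop("swagger", None)
    out.pop("basePath", None)
    out["openapi"] = "3.0.0"
    out["servers"] = [{"url": base or "/"}]
    return out


if __name__ == "__main__":
    print(sorted(strip_base_path(SAMPLE_SPEC)["paths"]))
    print(to_openapi3_servers(SAMPLE_SPEC)["servers"])
```

The input is never mutated, so the same generated spec can be served both ways (for example the stripped form to the UI and the unmodified form to clients) while the upgrade is being finished.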
cnlucas (Member) commented Aug 9, 2023

This was closed during the Flask upgrade; we are now on 4.0.0.
