
Use pipenv for managing dependencies#139

Merged: hbradio merged 4 commits into rovercode:development from cabarnes:pipenv on May 12, 2018

Conversation

@cabarnes (Member)

pipenv is now the recommended tool for managing python dependencies (https://packaging.python.org/tutorials/managing-dependencies/#managing-dependencies).

A good explanation of the advantages https://opensource.com/article/18/2/why-python-devs-should-use-pipenv

The check command found the following vulnerabilities in the dependencies that were being used:

35178: django-anymail <1.4 resolved (0.7 installed)!
In django-anymail before 1.4 the webhook validation was vulnerable to a timing attack. An attacker could have used this to obtain the WEBHOOK_AUTHORIZATION shared secret, potentially allowing them to post fabricated or malicious email tracking events to the app.

35198: django-anymail >=0.2,<1.4 resolved (0.7 installed)!
In django-anymail v0.2–v1.3 the WEBHOOK_AUTHORIZATION key might get leaked if DEBUG=True since it isn’t sanitized properly.

35034: django-allauth <0.34.0 resolved (0.30.0 installed)!
On django-allauth before 0.34.0 the "Set Password" view did not properly check whether or not the user already had a usable password set. This allowed an attacker to set the password without providing the current password, but only in case the attacker already gained control over the victim's session.
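To show what the dependency check in this PR actually does with a lockfile, here is an added example (not code from the rovercode project or from pipenv): it reads a constructed `Pipfile.lock` fragment, matches the pinned versions against the three advisories quoted above, and returns the hits. The version and specifier parsing is a deliberately minimal stand-in for a real resolver and only handles numeric dotted versions.

```python
"""Added example: a minimal re-implementation of a lockfile vulnerability
check, using the three advisories from the PR description as the database."""
import json

# Constructed Pipfile.lock fragment (hashes are placeholders, not real digests).
PIPFILE_LOCK = json.dumps({
    "default": {
        "django-anymail": {"version": "==0.7", "hashes": ["sha256:constructed"]},
        "django-allauth": {"version": "==0.30.0", "hashes": ["sha256:constructed"]},
        "django": {"version": "==2.0.5", "hashes": ["sha256:constructed"]},
    }
})

# (advisory id, package, affected specifier) as listed in the PR description.
ADVISORIES = [
    ("35178", "django-anymail", "<1.4"),
    ("35198", "django-anymail", ">=0.2,<1.4"),
    ("35034", "django-allauth", "<0.34.0"),
]

def parse_version(text):
    """Turn '0.30.0' into a comparable tuple, zero-padded to three parts
    so that '1.4' and '1.4.0' compare equal (numeric releases only)."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def satisfies(version, specifier):
    """True if version matches every comma-separated clause of specifier."""
    ops = {"<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
           "==": lambda a, b: a == b, "<": lambda a, b: a < b,
           ">": lambda a, b: a > b}
    v = parse_version(version)
    for clause in specifier.split(","):
        clause = clause.strip()
        # Longer operators first so '<=' is not misread as '<'.
        op = next(o for o in ("<=", ">=", "==", "<", ">") if clause.startswith(o))
        if not ops[op](v, parse_version(clause[len(op):])):
            return False
    return True

def check_lockfile(lock_text, advisories):
    """Return (advisory_id, package, installed_version) for each advisory
    whose affected range contains the version pinned in the lockfile."""
    pinned = json.loads(lock_text)["default"]
    hits = []
    for adv_id, pkg, spec in advisories:
        entry = pinned.get(pkg)
        if entry is None:
            continue
        installed = entry["version"].lstrip("=")
        if satisfies(installed, spec):
            hits.append((adv_id, pkg, installed))
    return hits
```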

@cabarnes cabarnes requested a review from hbradio May 12, 2018 03:08
@coveralls (Coverage Status)

Coverage remained the same at 100.0% when pulling 0830372 on cabarnes:pipenv into 67ac6ef on rovercode:development.

@hbradio (Collaborator) commented May 12, 2018

Holy cow, why have I not heard of this? I love the idea of combining installation and the virtual environment.

The lockfile is an interesting format. It's cool that it includes hashes.

I did a docker-compose build on my machine, and everything went well.

@hbradio hbradio merged commit 079d08e into rovercode:development May 12, 2018
@cabarnes cabarnes deleted the pipenv branch May 13, 2018 01:27