Move marshmallow-jsonschema to optional dependency to fix CVE-2024-6345#3420
Open
dwo wants to merge 2 commits intoflyteorg:masterfrom
Open
Move marshmallow-jsonschema to optional dependency to fix CVE-2024-6345#3420dwo wants to merge 2 commits intoflyteorg:masterfrom
dwo wants to merge 2 commits intoflyteorg:masterfrom
Conversation
setuptools was pinned <70 as a runtime dependency solely because marshmallow-jsonschema imports pkg_resources. This blocks the fix for CVE-2024-6345 (setuptools <70). Since the marshmallow-jsonschema code path is only a fallback (mashumaro is the primary JSON Schema generator), move marshmallow-jsonschema, marshmallow-enum, and setuptools into an optional extra. The existing try/except already handles the missing import gracefully. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Robin Tweedie <dwo@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Robin Tweedie <dwo@users.noreply.github.com>
dwo
requested review from
cosmicBboy,
davidmirror-ops,
kumare3,
machichima,
pingsutw,
samhita-alla and
wild-endeavor
as code owners
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Tracking issue
https://www.cve.org/CVERecord?id=CVE-2024-6345
Why are the changes needed?
setuptoolswas pinned<70in #3388 as a runtime dependency solely becausemarshmallow-jsonschemaimportspkg_resourcesat runtime.This forces all flytekit users onto a setuptools version affected by CVE-2024-6345.
The
marshmallow-jsonschemacode path is only a fallback —mashumarois the primary JSON Schema generator, and the marshmallow path only triggers when mashumaro fails forDataClassJsonMixinclasses.The imports are already guarded by try/except, so nothing breaks when the package is absent.
marshmallow-jsonschemaitself appears unmaintained (last commit Oct 2023, multiple open PRs to removepkg_resourcesunmerged).An alternative would be to drop
marshmallow-jsonschemasupport entirely, sincemashumaroalready covers the primary path.What changes were proposed in this pull request?
marshmallow-jsonschema,marshmallow-enum, andsetuptoolsfrom core dependenciesmarshmallow-jsonschemaoptional extra with those packages (setuptools>=70,<82)>=70dev-requirements.into install the extra for testsHow was this patch tested?
Ran
test_type_engine.pyandtest_generice_idl_type_engine.py— 416 passed, 2 skipped.Check all the applicable boxes
Related PRs
#3388