Posted to issues@flink.apache.org by "Nathanael England (Jira)" <ji...@apache.org> on 2022/12/15 17:52:00 UTC

[jira] [Commented] (FLINK-29796) pyflink protobuf requirement out of date

    [ https://issues.apache.org/jira/browse/FLINK-29796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17648177#comment-17648177 ] 

Nathanael England commented on FLINK-29796:
-------------------------------------------

Just wanted to bump this. Looking at [https://github.com/apache/flink/blob/release-1.16/flink-python/setup.py#L314], it seems this has already made its way back to 1.16 if I'm understanding this correctly? This is blocking me from pulling apache-flink in through our requirements.txt since we require protobuf > 3.19 due to the security vulnerabilities detailed [here|https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf]. We use [pantsbuild|https://www.pantsbuild.org/] for Python repo management so there's no easy way to separate out our requirements for a temporary solution.

> pyflink protobuf requirement out of date
> ----------------------------------------
>
>                 Key: FLINK-29796
>                 URL: https://issues.apache.org/jira/browse/FLINK-29796
>             Project: Flink
>          Issue Type: Bug
>          Components: API / Python
>    Affects Versions: 1.16.0
>            Reporter: Jorge Villatoro
>            Priority: Major
>
> The setup.py file for pyflink currently requires protobuf<3.18 but the dev-requirements.txt file lists protobuf<=3.21, which seems to indicate that the library works with newer versions of protobuf. The latest version of protobuf which satisfies the requirement was 3.17.3, which was released over a year ago, and notably the various gcloud api packages all require much newer versions (3.19+ I think). Obviously there are ways around this but the right answer is likely to ease/change the requirement.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)