The cryptography package has released a new major version, which includes vulnerability fixes. Consumers of the microservice are unable to upgrade their own dependencies as it conflicts with the version Seldon allows.
Describe the bug
This line restricts the version of cryptography that can be installed:
seldon-core/python/setup.py
Line 41 in 60ffac4
To reproduce
Attempt to install seldon-core with cryptography==42.x.x, i.e.
❯ cat requirements.txt
seldon-core==1.18.1
cryptography==42.0.5
❯ pip install -r requirements.txt
... <omitted package collection for brevity>
INFO: pip is looking at multiple versions of seldon-core to determine which version is compatible with other requirements. This could take a while.
ERROR: Cannot install -r requirements.txt (line 1) and cryptography==42.0.5 because these package versions have conflicting dependencies.
The conflict is caused by:
The user requested cryptography==42.0.5
seldon-core 1.18.1 depends on cryptography<41.1 and >=39.0.1
To fix this you could try to:
1. loosen the range of package versions you've specified
2. remove package versions to allow pip attempt to solve the dependency conflict
ERROR: ResolutionImpossible: for help visit https://pip.pypa.io/en/latest/topics/dependency-resolution/#dealing-with-dependency-conflicts
Expected behaviour
Latest patched version of cryptography package can be used.
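An added example, not part of the original issue or of Seldon's code: a small audit that reports which declared dependency ranges exclude a wanted patched version, using the range quoted in the pip error above. The second sample entry and the function names are constructed for illustration. Only plain numeric versions and the operators `<`, `<=`, `>`, `>=`, `==`, `!=` are handled; `packaging.specifiers.SpecifierSet` covers the full PEP 440 rules.

```python
import re

# Constructed sample of declared dependencies. The seldon-core range is the one
# quoted in the pip error above; the second entry is invented for contrast.
SAMPLE_REQUIRES = {
    "seldon-core 1.18.1": ["cryptography<41.1,>=39.0.1"],
    "example-lib 0.1": ["cryptography>=39.0.1", "requests>=2.0"],
}

_REQ = re.compile(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")
_CLAUSE = re.compile(r"(<=|>=|==|!=|<|>)\s*([0-9]+(?:\.[0-9]+)*)$")
_OPS = {
    "<": lambda c: c < 0, "<=": lambda c: c <= 0, "==": lambda c: c == 0,
    ">": lambda c: c > 0, ">=": lambda c: c >= 0, "!=": lambda c: c != 0,
}

def _compare(left, right):
    """Compare dotted numeric versions, padding with zeros (41.1 == 41.1.0)."""
    a = [int(p) for p in left.split(".")]
    b = [int(p) for p in right.split(".")]
    width = max(len(a), len(b))
    a += [0] * (width - len(a))
    b += [0] * (width - len(b))
    return (a > b) - (a < b)

def allows(requirement, version):
    """True if every clause of e.g. 'cryptography<41.1,>=39.0.1' admits version."""
    _, spec = _REQ.match(requirement.split(";")[0]).groups()
    for clause in filter(None, (part.strip() for part in spec.split(","))):
        match = _CLAUSE.match(clause)
        if match is None:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        operator, bound = match.groups()
        if not _OPS[operator](_compare(version, bound)):
            return False
    return True

def blockers(requires, package, wanted):
    """List (distribution, requirement) pairs whose range excludes `wanted`."""
    found = []
    for dist, requirements in requires.items():
        for req in requirements:
            name = _REQ.match(req).group(1).lower().replace("_", "-")
            if name == package and not allows(req, wanted):
                found.append((dist, req))
    return found

if __name__ == "__main__":
    for dist, req in blockers(SAMPLE_REQUIRES, "cryptography", "42.0.5"):
        print(f"{dist} blocks cryptography 42.0.5: {req}")
```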
Nope 🤷♂️
On Jun 11, 2024, at 9:57 AM, miha g ***@***.***> wrote:
Any update on this @mwm5945 ?
Since there are security concerns with cryptography<42.0.0, I think we should go for the update within Seldon V1. Do we know why the hard pin is there in the first place? Breaking changes?