-
Notifications
You must be signed in to change notification settings - Fork 99
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[PECO-1760] Certifi removes GLOBALTRUST root certificate #410
base: main
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jprakash-db Dependency upgrade looks good 👍 But please remove the .idea
folder from the PR. Also, what are that two files in src/databricks/sqlalchemy/test/
? Are they relevant to this PR?
@kravets-levko Fixed the issues |
@@ -27,6 +27,7 @@ sqlalchemy = { version = ">=2.0.21", optional = true } | |||
openpyxl = "^3.0.10" | |||
alembic = { version = "^1.0.11", optional = true } | |||
urllib3 = ">=1.26" | |||
certifi = "2024.7.4" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, so I checked where this dependency come from. It is a transitive dependency of requests
package. Also, I checked the requests
itself - its latest version also uses old certifi
. So I think in this case it's okay to add a consraint to our project and wait for requests
upgrade. Two more things to do:
- add a comment that once
requests
updatescertifi
to the version that will satisfy us - we should roll this change back and upgrae `requests instead - also, instead of pinning the exact version - better relax the constraint a bit (e.g. "^2024.7.4")
Updated the certify version to "2024.7.4"
Dependabot report:
Certifi 2024.07.04 removes root certificates from "GLOBALTRUST" from the root store. These are in the process of being removed from Mozilla's trust store.
GLOBALTRUST's root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues". Conclusions of Mozilla's investigation can be found here.