Hey team,
First off — love the library, it's been solid for our cTrader integration. Just flagging something we ran into while setting up CI/CD security scanning.
ctrader-open-api 0.9.2 pins a few dependencies to exact versions that currently carry 9 known CVEs:
Because the versions are hard-pinned (e.g. Twisted==24.3.0, protobuf==3.20.1 in pyproject.toml), we can't bump them on our end without breaking the install. We're currently working around it by ignoring these in pip-audit, but it'd be great to get them resolved upstream.
Even just loosening the pins to compatible ranges (e.g. protobuf>=3.20.2,<4 and Twisted>=24.7.0) would let downstream projects pick up the security fixes.
Would really appreciate any movement on this when you get a chance. Happy to help test if you push a pre-release.
Cheers
Hey team,
First off — love the library, it's been solid for our cTrader integration. Just flagging something we ran into while setting up CI/CD security scanning.
ctrader-open-api 0.9.2pins a few dependencies to exact versions that currently carry 9 known CVEs:Because the versions are hard-pinned (e.g.
Twisted==24.3.0,protobuf==3.20.1inpyproject.toml), we can't bump them on our end without breaking the install. We're currently working around it by ignoring these inpip-audit, but it'd be great to get them resolved upstream.Even just loosening the pins to compatible ranges (e.g.
protobuf>=3.20.2,<4andTwisted>=24.7.0) would let downstream projects pick up the security fixes.Would really appreciate any movement on this when you get a chance. Happy to help test if you push a pre-release.
Cheers