Currently, I'm updating Sentry on pkgsrc. While working on it I found out that most of the requirements are out of date, which presents a security issue. Using the current version of a package is always beneficial for new features or improvements and for security reasons.
It would be great if in your next version you made it possible to update all those out-of-date packages in the requirements, if possible.
botocore<1.5.71
boto3>=1.4.1,<1.4.6
celery>=3.1.8,<3.1.19
click>=5.0,<7.0
cryptography>=1.3,<1.4
cssutils>=0.9.9,<0.10.0
Django>=1.6.11,<1.7
django-crispy-forms>=1.4.0,<1.5.0
django-jsonfield>=0.9.13,<0.9.14
django-picklefield>=0.3.0,<0.4.0
django-sudo>=2.1.0,<3.0.0
django-templatetag-sugar>=0.1.0
djangorestframework>=2.4.8,<2.5.0
email-reply-parser>=0.2.0,<0.3.0
enum34>=1.1.6,<1.2.0
exam>=0.5.1
functools32>=3.2.3,<3.3
futures>=3.2.0,<4.0.0
hiredis>=0.1.0,<0.2.0
honcho>=1.0.0,<1.1.0
kombu==3.0.35
ipaddress>=1.0.16,<1.1.0
loremipsum>=1.0.5,<1.1.0
jsonschema==2.6.0
lxml>=3.4.1
mock>=0.8.0,<1.1
mmh3>=2.3.1,<2.4
oauth2>=1.5.167
parsimonious==0.8.0
percy>=1.1.2
petname>=2.0,<2.1
Pillow>=3.2.0,<=4.2.1
progressbar2>=3.10,<3.11
psycopg2>=2.6.0,<2.8.0
PyJWT>=1.5.0,<1.6.0
pytest>=3.5.0,<3.6.0
pytest-django>=2.9.1,<2.10.0
pytest-html>=1.9.0,<1.10.0
python-dateutil>=2.0.0,<3.0.0
python-memcached>=1.53,<2.0.0
python-openid>=2.2
PyYAML>=3.11,<3.12
querystring_parser>=1.2.3,<2.0.0
raven>=6.0.0,<=6.4.0
redis>=2.10.3,<2.10.6
requests[security]>=2.18.4,<2.19.0
selenium==3.11.0
simplejson>=3.2.0,<3.9.0
six>=1.10.0,<1.11.0
setproctitle>=1.1.7,<1.2.0
statsd>=3.1.0,<3.2.0
strict-rfc3339>=0.7
structlog==16.1.0
sqlparse>=0.1.16,<0.2.0
symbolic>=5.0.0,<6.0.0
toronado>=0.0.11,<0.1.0
ua-parser>=0.6.1,<0.8.0
urllib3>=1.22,<1.23
uwsgi>2.0.0,<2.1.0
rb>=1.7.0,<2.0.0
qrcode>=5.2.2,<6.0.0
python-u2flib-server>=4.0.1,<4.1.0
redis-py-cluster>=1.3.4,<1.4.0
jsonschema==2.6.0
If you could identify ones that can be upgraded without breaking anything, that's fine, but we keep things pinned for many reasons. When there are actual security issues that pertain to us, we update them. Otherwise, we don't update simply for shiny new features due to risk of introducing bugs or unintended behavior.
Lots of our dependencies are very core to Sentry and can't just be updated trivially. A good example of this is Django.
We keep things pinned to what we're comfortable with allowing Sentry to function as cohesive software. If we let people install things outside of this scope, it will only increase the confusion and burden on us with people hitting issues.
I agree with some points you raised, but here is a concern. Take Django, for example: Sentry is running on a version of Django (>=1.6.11,<1.7) that is no longer supported by the upstream Django life cycle, but I also know Django makes it hard to upgrade without major changes. Running EOL software has its risks, and lately hackers are on the offensive, scanning every IP and exploiting any vulnerabilities.
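A small audit script, added here as an illustration and not part of Sentry or of this thread, that applies the maintainers' stated rule to a pin list in the syntax shown above: for each line it parses the specifier set, reports malformed lines (such as the merged `click`/`cryptography` line in the pasted list), and checks whether a given fix version is installable without relaxing the pin. The requirements text and the fixed-in table are constructed placeholders, not Sentry's file and not real advisory data.

```python
import re

# Constructed sample in requirements.txt syntax (not Sentry's file). The second
# line reproduces the copy/paste defect seen in the issue; it must be flagged.
SAMPLE_REQUIREMENTS = """\
Django>=1.6.11,<1.7
click>=5.0,<7.0cryptography>=1.3,<1.4
PyYAML>=3.11,<3.12
kombu==3.0.35
"""

# Constructed placeholders: package -> first version said to contain a fix.
# Illustrative values only, not taken from any advisory database.
SAMPLE_FIXED_IN = {"Django": "1.8.0", "PyYAML": "3.12", "kombu": "3.0.35"}

NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?(.*)$")
SPEC_RE = re.compile(r"^(==|!=|<=|>=|<|>)(\d+(?:\.\d+)*)$")
OPS = {"==": lambda c: c == 0, "!=": lambda c: c != 0, "<=": lambda c: c <= 0,
       ">=": lambda c: c >= 0, "<": lambda c: c < 0, ">": lambda c: c > 0}


def parse_version(text):
    """Dotted numeric version -> tuple of ints (enough for the pins above)."""
    return tuple(int(p) for p in text.split("."))


def compare(a, b):
    """Three-way compare of version tuples, padding with zeros (1.7 == 1.7.0)."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def parse_requirement(line):
    """Return (name, [(op, version_tuple), ...]); raise ValueError if malformed."""
    m = NAME_RE.match(line.strip())
    name, rest = m.group(1), m.group(2).strip()
    specs = []
    for part in rest.split(",") if rest else []:
        sm = SPEC_RE.match(part.strip())
        if not sm:  # e.g. "<7.0cryptography>=1.3" from a merged line
            raise ValueError("malformed specifier %r in %r" % (part, line))
        specs.append((sm.group(1), parse_version(sm.group(2))))
    return name, specs


def allows(specs, version):
    """True if every specifier in the pin admits the given version."""
    v = parse_version(version)
    return all(OPS[op](compare(v, bound)) for op, bound in specs)


def audit(requirements_text, fixed_in):
    """Map each package to 'ok', 'pin-blocks-fix' or 'no-advisory'; collect bad lines."""
    report, malformed = {}, []
    for line in requirements_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            name, specs = parse_requirement(line)
        except ValueError as err:
            malformed.append(str(err))
            continue
        if name not in fixed_in:
            report[name] = "no-advisory"
        else:  # the pin is worth relaxing only if it excludes the fixed version
            report[name] = "ok" if allows(specs, fixed_in[name]) else "pin-blocks-fix"
    return report, malformed
```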