
[BUG] detect-secrets can be incompatible with Python 3.12 due to deprecated boxsdk and six #160

Open
dnwe opened this issue Oct 10, 2024 · 0 comments

dnwe commented Oct 10, 2024

Describe the bug

Out of the box detect-secrets can be incompatible with Python 3.12 because the deprecated boxsdk being pulled in still uses six, an old compatibility library that needs to be at least 1.16.0 to be compatible with Python 3.12

├── boxsdk [required: Any, installed: 3.13.0]
│   ├── attrs [required: >=17.3.0, installed: 24.2.0]
│   ├── python-dateutil [required: Any, installed: 2.9.0.post0]
│   │   └── six [required: >=1.5, installed: 1.15.0]

To Reproduce
Steps to reproduce the behaviour (using uv here, but any venv + py312 install would work):

  1. uv venv --python 3.12 && source .venv/bin/activate
  2. uv pip install six==1.15.0 "git+https://github.com/ibm/detect-secrets.git@master#egg=detect-secrets"
  3. detect-secrets scan .
  4. Fails with stacktrace and error ModuleNotFoundError: No module named 'six.moves'

Expected behaviour
detect-secrets should continue to work on Python 3.12

Suggested fix

In the short term, adding an explicit dependency in setup.py on six>=1.6 should prevent the incompatibility
In the longer term, migrating plugin/box.py to use box/box-python-sdk-gen following the migration guide here would be a better option. Our sdk usage is minimal, just doing a login attempt with any encountered

Screenshots
If applicable, add screenshots to help explain your problem.

Impact
detect-secrets not remaining compatible with supported Python versions in the future
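The dependency listing in the report (pipdeptree-style output) is exactly the kind of input a pre-release check could scan to catch this class of problem before an interpreter bump breaks a tool. The following is an added example written for this page, not code from the detect-secrets project or from the issue author: it parses lines in that format, looks up a table of known per-package minimums for the target interpreter (the table itself is an assumption seeded only with the six >= 1.16.0 requirement stated above), and reports any installed version below the minimum. The sample tree is constructed to mirror the listing in the issue.

```python
"""Flag transitive dependencies whose installed version is below a known
minimum for the target interpreter, reading a pipdeptree-style listing.

Added example for illustration; not part of the detect-secrets project.
"""
import importlib
import re
from importlib import metadata
from typing import Dict, List, Optional, Tuple

# Known minimums for Python 3.12 (assumption for this example; only the
# six entry comes from the issue text). Older six releases reference
# stdlib modules that 3.12 removed, so `six.moves` fails to import.
MIN_FOR_PY312: Dict[str, str] = {"six": "1.16.0"}

# Constructed sample in the layout of a `pipdeptree` listing.
SAMPLE_TREE = """\
├── boxsdk [required: Any, installed: 3.13.0]
│   ├── attrs [required: >=17.3.0, installed: 24.2.0]
│   ├── python-dateutil [required: Any, installed: 2.9.0.post0]
│   │   └── six [required: >=1.5, installed: 1.15.0]
"""

# Box-drawing prefix, package name, then the bracketed required/installed pair.
LINE_RE = re.compile(
    r"^[│├└─\s]*(?P<name>[A-Za-z0-9_.\-]+)\s+"
    r"\[required:\s*(?P<req>[^,]+),\s*installed:\s*(?P<inst>[^\]]+)\]"
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Return the leading numeric components of a version string.

    '2.9.0.post0' -> (2, 9, 0); suffixes such as 'post0' are ignored.
    """
    parts: List[int] = []
    for piece in v.strip().split("."):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts)


def parse_tree(text: str) -> Dict[str, str]:
    """Map each package name (lower-cased) to its installed version."""
    installed: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            installed[m.group("name").lower()] = m.group("inst").strip()
    return installed


def find_below_minimum(
    text: str, minimums: Dict[str, str] = MIN_FOR_PY312
) -> List[Tuple[str, str, str]]:
    """Return (package, installed, required_minimum) for every violation."""
    violations: List[Tuple[str, str, str]] = []
    for name, inst in parse_tree(text).items():
        need = minimums.get(name)
        if need and parse_version(inst) < parse_version(need):
            violations.append((name, inst, need))
    return violations


def six_runtime_status() -> Dict[str, Optional[object]]:
    """Report the installed six version and whether six.moves imports.

    This is the runtime counterpart of the static check: it mirrors the
    ModuleNotFoundError seen in the report without running the scanner.
    """
    try:
        version: Optional[str] = metadata.version("six")
    except metadata.PackageNotFoundError:
        version = None
    try:
        importlib.import_module("six.moves")
        importable = True
    except ImportError:
        importable = False
    return {"six_version": version, "six_moves_importable": importable}


if __name__ == "__main__":
    for pkg, have, need in find_below_minimum(SAMPLE_TREE):
        print(f"{pkg}: installed {have} < required {need} for Python 3.12")
    print(six_runtime_status())
```

Run against the constructed sample the check reports six 1.15.0 as below the 1.16.0 minimum; feeding it real `pipdeptree` output from a fresh 3.12 environment would surface the same transitive pin before `detect-secrets scan` is ever invoked.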
