fix(deps): upgrade aioftp from ~=0.20.0 to ==0.27.2#3333
Conversation
aioftp ~=0.20.0 is flagged by the safety vulnerability database. Pin to 0.27.2 (latest stable) which resolves the advisory while maintaining full API compatibility with the existing FTP contact code (User, Permission, Server, ConnectionConditions, PathPermissions and worker are all present in the new release). Add tests/contacts/test_aioftp_version.py to assert the installed version meets the minimum threshold and that the server-side API surface expected by contact_ftp.py remains intact.
Pull request overview
This PR upgrades aioftp to a non-vulnerable version and adds tests to prevent regressions in dependency versioning and the expected server-side API surface used by the FTP contact integration.
Changes:
- Pin aioftp from ~=0.20.0 to ==0.27.2 in requirements.txt.
- Add tests to assert a minimum safe aioftp version and verify required server-side attributes exist.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| tests/contacts/test_aioftp_version.py | Adds dependency/version guardrails and basic API surface checks for aioftp. |
| requirements.txt | Pins aioftp to 0.27.2 to address the vulnerability flagged in 0.20.x. |
Reviewed excerpt from tests/contacts/test_aioftp_version.py:

```python
def test_aioftp_version_meets_minimum():
    """aioftp must be >= 0.21.0 to avoid CVE / safety-DB advisory for 0.20.x."""
    version_str = importlib.metadata.version("aioftp")
    parts = tuple(int(p) for p in version_str.split(".")[:3])
    assert parts >= (0, 21, 0), (
```

```python
    for name in ("Server", "User", "Permission", "ConnectionConditions",
                 "PathPermissions", "worker"):
        assert hasattr(aioftp, name), f"aioftp missing expected attribute: {name}"
```
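Review bot: the docstring of `test_aioftp_version_meets_minimum` refers to a "CVE / safety-DB advisory for 0.20.x" but records no advisory identifier, so nobody can later verify that the `(0, 21, 0)` floor still matches the advisory; put the Safety DB id (or CVE number, whichever the scanner reported) in the docstring and in the assertion message. It is also worth stating there why the test floor is 0.21.0 while requirements.txt pins ==0.27.2, so the two numbers are not mistaken for a contradiction.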
- Use packaging.version.Version for robust PEP 440 version comparison instead of manual split/int logic (avoids ValueError on pre/post suffixes)
- Strengthen test_aioftp_server_api_intact to assert attributes are classes (not just present) and document that worker may be a function
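The commit above replaces manual split/int parsing with a PEP 440-aware comparison and tightens the API-surface check. The following is an added example, not the project's test file: it shows why the naive tuple comparison breaks on a pre-release string, implements a stdlib-only subset of PEP 440 ordering (the real test uses packaging.version.Version, which handles the full grammar), and checks the expected symbols as classes or callables rather than merely present. The helper names, the stand-in modules and the version strings are constructed for illustration.

```python
"""Guardrail checks for a pinned dependency: a PEP 440-aware minimum-version
comparison and an API-surface check.  Added example with hypothetical helper names."""
import importlib.metadata
import re
from types import SimpleNamespace

# Release segment (major.minor[.patch]) plus an optional pre-release tag (a, b, rc).
# packaging.version.Version covers the full PEP 440 grammar; this subset is
# stdlib-only so the example runs without the `packaging` dependency installed.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(a|b|rc)(\d+))?")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL_RANK = 3  # a final release sorts above any pre-release of the same number


def parse_version(version_str):
    """Return a sortable tuple (major, minor, patch, pre_rank, pre_number)."""
    match = _VERSION_RE.match(version_str.strip())
    if not match:
        raise ValueError(f"unparseable version string: {version_str!r}")
    major, minor, patch, tag, number = match.groups()
    release = (int(major), int(minor), int(patch or 0))
    if tag is None:
        return release + (_FINAL_RANK, 0)
    return release + (_PRE_RANK[tag], int(number))


def version_meets_minimum(installed, minimum):
    """True when `installed` is at or above `minimum` under PEP 440 ordering."""
    return parse_version(installed) >= parse_version(minimum)


def naive_parts(version_str):
    """The split/int approach of the first test revision: raises ValueError on
    pre-release strings such as '0.21.0rc1' because int('0rc1') fails."""
    return tuple(int(p) for p in version_str.split(".")[:3])


def api_surface_problems(module, expected_classes, expected_callables):
    """Return a list of discrepancies; an empty list means the surface is intact.
    Classes must be real classes and entry points callable, not merely present."""
    problems = []
    for name in expected_classes:
        obj = getattr(module, name, None)
        if obj is None:
            problems.append(f"missing attribute: {name}")
        elif not isinstance(obj, type):
            problems.append(f"{name} is not a class but {type(obj).__name__}")
    for name in expected_callables:
        obj = getattr(module, name, None)
        if obj is None:
            problems.append(f"missing attribute: {name}")
        elif not callable(obj):
            problems.append(f"{name} is present but not callable")
    return problems


def installed_version(distribution):
    """Version string recorded for an installed distribution, e.g. 'aioftp'."""
    return importlib.metadata.version(distribution)


# Symbols the PR says contact_ftp.py relies on.
EXPECTED_CLASSES = ("Server", "User", "Permission", "ConnectionConditions", "PathPermissions")
EXPECTED_CALLABLES = ("worker",)


def _fake_class(name):
    return type(name, (), {})


# Constructed stand-ins for the aioftp module so the check runs offline.
INTACT_MODULE = SimpleNamespace(
    **{name: _fake_class(name) for name in EXPECTED_CLASSES},
    worker=lambda *args, **kwargs: None,
)
BROKEN_MODULE = SimpleNamespace(
    Server=_fake_class("Server"),
    User="a string, not a class",
    worker="present but not callable",
)


if __name__ == "__main__":
    print(version_meets_minimum("0.27.2", "0.21.0"))      # True
    print(version_meets_minimum("0.21.0rc1", "0.21.0"))   # False: pre-release sorts below final
    try:
        naive_parts("0.21.0rc1")
    except ValueError as exc:
        print("naive comparison failed:", exc)
    print(api_surface_problems(INTACT_MODULE, EXPECTED_CLASSES, EXPECTED_CALLABLES))  # []
    print(api_surface_problems(BROKEN_MODULE, EXPECTED_CLASSES, EXPECTED_CALLABLES))
```

In a real test module the stand-ins would be replaced by `import aioftp` and `installed_version("aioftp")`; the point of separating the checks into functions that return values is that a failure message lists every discrepancy at once instead of stopping at the first missing name.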
Pull request overview
Upgrades aioftp to a secure pinned version and adds guardrail tests to ensure the installed aioftp version and server-side API surface remain compatible with contact_ftp.py.
Changes:
- Pin aioftp from ~=0.20.0 to ==0.27.2 in requirements.txt.
- Add tests that assert aioftp is at/above a safe minimum version and exposes required server-side symbols.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| tests/contacts/test_aioftp_version.py | Adds version + API-surface assertions to detect insecure or incompatible aioftp installs. |
| requirements.txt | Pins aioftp to 0.27.2 to address the reported vulnerability. |
Reviewed excerpts from tests/contacts/test_aioftp_version.py:

```python
import inspect
```

```python
import pytest
```

```python
    for name, expected_type in expected_classes.items():
        obj = getattr(aioftp, name, None)
        assert obj is not None, f"aioftp missing expected attribute: {name}"
        assert isinstance(obj, type), (
```

```python
        )
```

```python
    # worker may be a function or coroutine function rather than a class
    assert hasattr(aioftp, "worker"), "aioftp missing expected attribute: worker"
```
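Review bot: in the `for name, expected_type in expected_classes.items()` loop, `expected_type` is unpacked but never used; the assertion that follows checks only `isinstance(obj, type)`, so the dictionary values add nothing. Either assert against `expected_type` (for example `assert isinstance(obj, expected_type)` or an equality check on the class) or make `expected_classes` a plain tuple of names so the loop does not suggest a comparison it never performs.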
The hasattr check alone could produce false positives if worker exists but is non-callable. Also removes unused inspect and pytest imports.
Pull request overview
Updates aioftp to a non-vulnerable release and adds regression tests to ensure the installed aioftp version and server-side API used by contact_ftp.py remain compatible.
Changes:
- Pin aioftp to ==0.27.2 to remediate the Safety DB advisory affecting 0.20.x.
- Add tests validating aioftp meets a minimum safe version and exposes the expected server-side symbols.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| tests/contacts/test_aioftp_version.py | Adds version threshold and API surface assertions for aioftp. |
| requirements.txt | Pins aioftp to 0.27.2 to address the reported vulnerability. |
Reviewed excerpt from tests/contacts/test_aioftp_version.py:

```python
    for name, expected_type in expected_classes.items():
        obj = getattr(aioftp, name, None)
        assert obj is not None, f"aioftp missing expected attribute: {name}"
        assert isinstance(obj, type), (
```
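Review bot: `isinstance(obj, type)` establishes that each symbol is a class but says nothing about its constructor or method signatures, whereas the PR summary states the symbols "have the same signatures in 0.27.2". If signature stability is what the guardrail is meant to protect, compare the parameter names of `inspect.signature(obj)` against the arguments contact_ftp.py actually passes; otherwise reword the summary and the test name to claim presence only, so the test does not promise more than it checks.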
Summary
- aioftp ~= 0.20.0 is flagged by the safety vulnerability database as insecure
- Upgrade to aioftp == 0.27.2 (latest stable release), which resolves the advisory
- contact_ftp.py: User, Permission, Server, ConnectionConditions, PathPermissions, and worker are all present and have the same signatures in 0.27.2

Changes
- requirements.txt: aioftp~=0.20.0 → aioftp==0.27.2
- tests/contacts/test_aioftp_version.py: new tests asserting the installed version meets the minimum threshold (≥ 0.21.0) and that the server-side API surface expected by contact_ftp.py remains intact

Test plan
- pytest tests/contacts/test_aioftp_version.py passes
- Existing tests (tests/contacts/test_contact_ftp.py) still pass
- pip install -r requirements.txt resolves without conflicts