Pip install - aiohttp CVE update (v3.7.4) is incompatible with botbuilder 4.12.0 modules

[james-flynn-ie]

Github issues should be used for bugs and feature requests. Use Stack Overflow for general "how-to" questions.

Version

What package version of the SDK are you using: 4.12.0

Describe the bug

Dependabot recommends upgrading aiohttp>=3.7.4, due to a CVE security vulnerability (GHSA-v6wp-4m6f-gcjg), but this package version returns an incompatibility error when run with botbuilder modules. I've since had to revert the dependency upgrade.

When running pip install with the updated package version and botbuilder modules v4.12.0 (See https://github.com/james-flynn-ie/covid-bot/blob/main/requirements.txt for module list), it returns these errors:

ERROR: botbuilder-ai 4.12.0 has requirement aiohttp==3.6.2, but you'll have aiohttp 3.7.4 which is incompatible.
ERROR: botbuilder-integration-aiohttp 4.12.0 has requirement aiohttp==3.6.2, but you'll have aiohttp 3.7.4 which is incompatible.

To Reproduce

Steps to reproduce the behavior:

1. Update aiohttp to 3.7.4 on any Python botbuilder project requirements.txt file (see https://github.com/james-flynn-ie/covid-bot/blob/main/requirements.txt for example)
2. Run pip install -r requirements.txt
3. Observe errors in console output.

Expected behavior

Errors are not displayed that aiohttp==3.6.2 is a requirement.
Pip install successfully installs all dependencies and Bot Framework Python SDK apps run as expected.

[v-kydela]

@james-flynn-ie - Thank you for the report. Can you let us know what version of Python you're using?

@peterinnesmsft - How would you like the support team to assist with this?

[james-flynn-ie]

Thanks for your response, @v-kydela , I'm using pip 18.1

[v-kydela]

@james-flynn-ie - Thank you for that information, but I think the Python version is likely to end up being more important than the pip version. I presume you're using Python 3, but is it 3.7, 3.8, 3.9, etc.?

[james-flynn-ie]

@james-flynn-ie - Thank you for that information, but I think the Python version is likely to end up being more important than the pip version. I presume you're using Python 3, but is it 3.7, 3.8, 3.9, etc.?

Hi @v-kydela , you're correct of course. Sorry, I misread what you were asking and was kinda wondering why Pip would be important. 😊

I'm using Py 3.6 at present, as later versions throw errors due to changes in asyncio reserved keywords https://tryexceptpass.org/article/asyncio-in-37/

[v-kydela]

@james-flynn-ie - Is that 3.6.8? 3.6.9? 3.6.10?

Also, can you reproduce this problem with any of the Bot Builder samples? I just tried the echo bot sample and I can't get the requirements to install with Python 3.6.8. There are problems with the cryptography package, etc. Did you encounter any such problems?

[james-flynn-ie]

Hi @v-kydela

I'm using v3.6.8.

Yes, I have experienced some issues with authentication when running the bot locally through the emulator. I have been disabling it while testing locally, by following these steps: https://docs.microsoft.com/en-us/azure/bot-service/bot-service-troubleshoot-authentication-problems?view=azure-bot-service-4.0&tabs=python#step-1-disable-security-and-test-on-localhost
Is there something else I need to be doing here as well?

To reproduce the pip install problem, you'll need to add aiohttp==3.7.4 to the requirements.txt. Otherwise, the default v3.6.2 is automatically installed based on the botbuilder lib dependencies, so it doesn't throw the error. This is what I see when I add aiohttp==3.7.4 to the app's requirements.txt:

ERROR: Cannot install aiohttp==3.7.4 and botbuilder-ai==4.11.0 because these package versions have conflicting dependencies.

The conflict is caused by:
    The user requested aiohttp==3.7.4
    botbuilder-ai 4.11.0 depends on aiohttp==3.6.2

The aiohttp version is set in the requirements.txt files for the libs, e.g.:

botbuilder-python/libraries/botbuilder-integration-aiohttp/requirements.txt

Line 4 in 885d3d1

aiohttp==3.6.2

I can go ahead and open a pull request updating the aiohttp version to 3.7.4, but I'm not sure what your dev/test processes are for verifying module compatibility?

[cas--]

@james-flynn-ie The next release will likely fix this since #1561 relaxed the aiohttp pinning

[james-flynn-ie]

Awesome thanks for update @cas--

Did we have an idea when this is likely to be released?