Summary:

The code changes in the provided setup.py file for the jans-pycloudlib Python package are primarily focused on addressing the dependency on the ldap3 library. The maintainers have made a conscious decision to keep the ldap3 library, as it is still used in critical parts of the codebase, such as the ldap_encode hashed function and the doc_id_from_dn parse_dn function. This decision is based on the fact that vendoring these functions would require additional test cases, which can be avoided by reusing the original functions from the ldap3 library.

Additionally, the package is specifying specific version requirements for its dependencies, which helps to ensure that the application is using known-good versions of the libraries and mitigates the risk of introducing vulnerabilities due to outdated dependencies. The package is also addressing a specific vulnerability (CVE-2022-36087) by updating the dependency on the oauthlib library to a version that resolves the issue. Overall, the code changes in the setup.py file demonstrate a proactive approach to dependency management and security, which is essential for maintaining the overall security posture of the application.

Files Changed:

• jans-pycloudlib/setup.py: The changes in this file are focused on managing the dependencies of the jans-pycloudlib Python package. The key changes are:
  • The ldap3 library is being retained, as it is still used in critical parts of the codebase, such as the ldap_encode hashed function and the doc_id_from_dn parse_dn function.
  • The package is specifying specific version requirements for its dependencies, which helps to ensure that the application is using known-good versions of the libraries and mitigates the risk of introducing vulnerabilities due to outdated dependencies.
  • The package is addressing a specific vulnerability (CVE-2022-36087) by updating the dependency on the oauthlib library to a version that resolves the issue.