Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CT-2859] [Feature] dbt-postgres should allow patch versions of dbt-core #8185

Closed
3 tasks done
lukehsiao opened this issue Jul 21, 2023 · 3 comments
Closed
3 tasks done

[CT-2859] [Feature] dbt-postgres should allow patch versions of dbt-core #8185

lukehsiao opened this issue Jul 21, 2023 · 3 comments
Labels
enhancement New feature or request

Comments

@lukehsiao
Copy link

lukehsiao commented Jul 21, 2023
edited
Loading

Is this your first time submitting a feature request?

  • I have read the expectations for open source contributors
  • I have searched the existing issues, and I could not find an existing issue for this feature
  • I am requesting a straightforward extension of existing dbt functionality, rather than a Big Idea better suited to a discussion

Describe the feature

v1.5.0 of dbt-postgres will pin specifically to v1.5.0 of dbt-core:

dbt-core/plugins/postgres/setup.py

Line 72 in ff5cb7b

"dbt-core=={}".format(package_version),

Whereas all the other plugings (e.g., dbt-redshift, dbt-bigquery, etc) allow patch versions (i.e., >=1.5.0,<1.6.0).

https://github.com/dbt-labs/dbt-bigquery/blob/1f80a200a127a2a107be6cb92d2de130f8907ea9/setup.py#L38-L77

This is unfortunate because some patch releases like 1.5.3 include fixes for security vulnerabilities: https://github.com/dbt-labs/dbt-core/releases/tag/v1.5.3, #7515

Currently, if a user also uses dbt-postgres in their project, despite the new dbt-core release, we cannot get the new patch.

Describe alternatives you've considered

No alternatives that I can see.

Who will this benefit?

All users of dbt-core who want to update to a non-vulnerable sqlparse version and are also using dbt-postgres.

Are you interested in contributing this feature?

No response

Anything else?

No response
@lukehsiao lukehsiao added bug Something isn't working triage labels Jul 21, 2023
@github-actions github-actions bot changed the title [Bug] dbt-postgres pins to a specific version of dbt-core only [CT-2859] [Bug] dbt-postgres pins to a specific version of dbt-core only Jul 21, 2023
@lukehsiao lukehsiao changed the title [CT-2859] [Bug] dbt-postgres pins to a specific version of dbt-core only [CT-2859] [Feature] dbt-postgres should allow patch versions of dbt-core Jul 21, 2023
@lukehsiao
Copy link
Author

Apologies, should've been a feature, not a bug. I am unable to edit the label.

@dbeatty10 dbeatty10 added enhancement New feature or request and removed bug Something isn't working labels Jul 25, 2023
@lukehsiao
Copy link
Author

This is blocking users from being able to resolve this moderate security vulnerability: GHSA-rrm6-wvj7-cwh2

@lukehsiao
Copy link
Author

Upon further investigation, this is totally just my user error. While it is still true that the other plugins have more relaxed version requirements, this is fine because it appears dbt-postgres releases in lockstep (1.5.3 supports 1.5.3 of dbt-core). Meaning this is not an issue.

@jtcohen6 jtcohen6 removed the triage label Aug 17, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@lukehsiao @jtcohen6 @dbeatty10