@jruizaranguren jruizaranguren commented Aug 25, 2025

This merge request:

  • Removes the dependency constraint cbor2>=5.4.0,<5.5.0, which can cause dependency‑resolution conflicts and block downstream projects from receiving security updates.
  • Updates cbor2 to the latest release. This surfaced a change in date/time handling that affects pyMDOC-CBOR.

Impact:

  • Only one test failed after the update: pymdoccbor/tests/test_08_mdoc_cbor.py.
  • A targeted workaround has been applied so the date assertion passes.

Next steps:

  • Release a new version of the library without the cbor2 pin.
  • Perform a thorough review of date/time handling in both code and tests, considering the behavior described in the cbor2 documentation: https://cbor2.readthedocs.io/en/latest/usage.html#date-time-handling
    • Decide on a canonical representation (naive vs. timezone‑aware, UTC normalization).
    • Define parsing/serialization policy and CBOR tag handling.
    • Add tests that cover timezones, DST, and round‑trip encoding/decoding.

@peppelinux

We may have security updates in 5.4.x and breaking changes in 5.5.0; this is why we decided to specify the version of a dependency using a known minor release.

This surfaced a change in date/time handling that affects pyMDOC-CBOR

Therefore we should move our deps up to cbor2 55., and remove support for 5.4.

We will continue the review. I am interested in having in this current PR also these ones:

  • Decide on a canonical representation (naive vs. timezone‑aware, UTC normalization).
  • Define parsing/serialization policy and CBOR tag handling.
  • Add tests that cover timezones, DST, and round‑trip encoding/decoding.

I'd wait for any of your proposals for the impl of the previous tasks, therefore I will engage @PascalDR in the final review.

@peppelinux peppelinux merged commit 1346334 into IdentityPython:main Jan 30, 2026
3 checks passed
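
One possible shape for the open items in this thread (aware-only input, UTC normalization, CBOR tag 0 round trip), added here as an example; it is not pyMDOC-CBOR or cbor2 code. The function names and the whole-seconds policy are assumptions, and only the standard library is used.

```python
# Added example (not pyMDOC-CBOR or cbor2 code): aware-only, UTC-normalized
# handling of CBOR tag 0 (RFC 8949 date/time text string), stdlib only.
from datetime import datetime, timedelta, timezone

TAG0 = 0xC0  # major type 6 (tag), tag number 0

def encode_tdate(dt: datetime) -> bytes:
    """Encode an aware datetime as tag 0, normalized to UTC with a 'Z' suffix."""
    if dt.utcoffset() is None:
        raise ValueError("naive datetime rejected: its offset is unknown")
    # Assumed policy: whole seconds only, so the text is always 20 bytes.
    utc = dt.astimezone(timezone.utc).replace(microsecond=0, tzinfo=None)
    raw = (utc.isoformat() + "Z").encode("ascii")
    return bytes([TAG0, 0x60 | len(raw)]) + raw  # 0x60 = text string, len < 24

def decode_tdate(data: bytes) -> datetime:
    """Decode a tag 0 item to an aware UTC datetime; reject everything else."""
    if len(data) < 3 or data[0] != TAG0 or data[1] >> 5 != 3:
        raise ValueError("not a tag 0 text string")
    n, off = data[1] & 0x1F, 2
    if n == 24:            # one-byte length follows the header
        n, off = data[2], 3
    elif n > 24:
        raise ValueError("length encoding not supported in this sketch")
    if off + n != len(data):
        raise ValueError("truncated item or trailing bytes")
    text = data[off:].decode("ascii")
    if text[-1:] in ("Z", "z"):   # fromisoformat() before 3.11 rejects 'Z'
        text = text[:-1] + "+00:00"
    dt = datetime.fromisoformat(text)
    if dt.utcoffset() is None:
        raise ValueError("tag 0 string carries no UTC offset")
    return dt.astimezone(timezone.utc)

if __name__ == "__main__":
    # Constructed sample: the same instant written with two different offsets.
    cest = datetime(2025, 8, 25, 12, 0, tzinfo=timezone(timedelta(hours=2)))
    utc = datetime(2025, 8, 25, 10, 0, tzinfo=timezone.utc)
    assert encode_tdate(cest) == encode_tdate(utc)
    print(encode_tdate(cest).hex(), decode_tdate(encode_tdate(cest)))
```

Rejecting naive values on both paths means the same instant always serializes to the same bytes, whichever offset the caller started from.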