Why does celery pin 4.4.0 as the upper limit of redis?

[baseplate-admin]

Hi Thanks for creating Celery. Its one of the best python queue management solution.

celery/requirements/extras/redis.txt

Line 1 in 4bcac7a

redis>=4.3.6,<4.4.0

so it seems that celery pins 4.4.0 as the upper limit.

Which raises this CVE

is there any particular reason for this upper pin?

[open-collective-bot]

Hey @baseplate-admin 👋,
Thank you for opening an issue. We will get back to you as soon as we can.
Also, check out our Open Collective and consider backing us - every little helps!

We also offer priority support for our sponsors.
If you require immediate assistance please consider sponsoring us.

[auvipy]

1. this is a false positive CVE as celery use python 3.7+
2. upgrading version cause atleast one test to fail iin kombu.

[sr-verde]

Can you please tell me why Python 3.7+ should fix this problem? I haven't found a reason.

[auvipy]

I learnt that from redis-py maintainers

[sr-verde]

Thanks for your fast answer but that sounds like "trust me bro". Is there any public source for this information? 😬

[auvipy]

redis/redis-py#2672 and I am open to contribution to upgrade the version! trust me bro! :D

[eukreign]

This constraint makes celery[redis] unuseable/conflict with the latest django channels-redis:

The conflict is caused by:
    celery[redis] 5.3.0b2 depends on redis<4.4.0 and >=4.2.2; extra == "redis"
    channels-redis 4.1.0 depends on redis>=4.5.3

django/channels_redis@dbf4f30

[auvipy]

contributions are welcome

[auvipy]

its fixed in main branch now