What is the relationship between the cpython std lib and the ironPython std lib

[mjkkirschner]

Hello

The Cpython std lib for python 3.6 gets flagged in various security scanners for many vulnerabilities, are these reported vulnerabilities generally applicable to the std lib that comes with ironPython3?

I'm looking for a bit more insight into the difference between the libraries. Why does ironPython require a separate standard lib at all for example?

[slozier]

It's hard to say whether the vulnerabilities are generally applicable to the std lib that comes with IronPython 3. The are basically two parts to the std lib - the Python modules (.py files) and the C modules (DLLs). IronPython will have the same vulnerabilities as CPython if those vulnerabilities appear within the Python implementations (for example CVE-2022-0391), but will not be affected by CPython implementation vulnerabilities (for example CVE-2022-25315 which affected the expat library used by CPython).

IronPython 3.4.1 is based off the Python 3.4.10 std library. The differences between the libraries are mostly as follows:

• supported C modules have been re-implemented in C# and so the only commonality with CPython is the api surface
• backport of Python features (for example the typing module is included with the IronPython 3.4 library even though it was only added in Python 3.5)
• backport of Python CVE fixes - typically prompted by a community PR
• .NET interop changes - these are minor changes to make the standard library play nice with .NET
• workarounds for bugs in the IronPython implementation

It's possible that IronPython would work with an unmodified version of the std lib, but it's not officially supported. Note that you must use a lib from a matching minor version of Python.