Release Python SDK v17.1.0 #886
- Add boto3>=1.20.0 as explicit dependency (required for IMDSFetcher in AWS storage provider)
- Raise minimum Python version from 3.6 to 3.9 (aligns with Core SDK v17.1.0)
- Bump storage version to 1.0.3
This fixes ImportError when storage_aws_secret.py tries to import IMDSFetcher from botocore.utils, which was introduced in botocore 1.13.25.
Records in flat response.records[] array with folderUid now use folder key for decryption instead of app key.
- Add folderUid detection in core.py
- Update mock.py to support folder_uid
- Add test coverage in record_key_test.py
…ecord-key-decryption KSM-747: Fix record key decryption for shared folder records
* KSM-628 Added GraphSync links
* Adjusted requestLinks in payload
Deduplicate records by UID before notation resolution. When a KSM application has access to both an original record and its shortcut, the same UID appears multiple times but should not be treated as ambiguous.
- Add deduplication logic in both notation methods (get_notation and try_get_notation_results)
- Preserve genuine ambiguity check for different records with same title
- Add test case for duplicate UID handling in notation_test.py
- All 6 notation tests pass (5 existing + 1 new)
- Revert python_requires to >=3.6 (was >=3.9)
- Add conditional urllib3 requirements:
  - Python 3.10+: urllib3>=2.6.0 (CVE fixes)
  - Python 3.6-3.9: urllib3>=1.26.0,<1.27 (boto3 compatible)
- Add deprecation notice for Python <3.10 (removal in v17.2.0)
- Add Python 3.6, 3.7, 3.8 back to CI test matrix
- Resolves urllib3/boto3 dependency conflict on Python 3.9
The ansible tests (https://github.com/Keeper-Security/secrets-manager/actions/runs/21037087361/job/60487919983) failing are an issue in ansible repo and will be fixed in the next release. They are not due to an issue with this PR.
…Sync links
- Update transmission key test to validate all 18 keys (was only 1-6)
- Add GraphSync links test to verify links field structure
- Add links support to mock.Record class
- Update README to remove premature deprecation notice
- 51 tests now pass (was 50)
…on-detection KSM-749: fix client version detection from stale .dist-info metadata
KSM-747 (record key decryption for shared folders) will be released in a separate coordinated release across all SDKs.
Changes removed:
- Removed folder key lookup logic from core.py
- Removed folder_uid support from mock.py
- Removed record_key_test.py test file
- Removed KSM-747 entry from changelog
Revert minimum Python version from 3.9 back to 3.7 to give clients time to migrate. Python SDK v17.1.0 is researching deprecation timeline for EOL Python versions with migration guidance coming soon. This aligns CLI deprecation timeline with the Python SDK v17.1.0 approach of providing advance notice before removing support. Related: Python SDK v17.1.0 release (PR #886)
…to 3.9" This reverts commit 1a0de2b.
…dency" This reverts commit 1cc19ab.
KSM-763: fix file upload/download SSL and proxy settings
Pass verify_ssl_certs and proxy_url to requests.post() in __upload_file_function and requests.get() in KeeperFile.get_file_data(). Previously these parameters were ignored, causing SSL verification errors when using proxies with verify_ssl_certs=False. Tested in vitro with mitmproxy - both file upload and download work correctly through proxy with SSL verification disabled.
Note: CLI Test Failures
The test-cli failures are expected and will be fixed in CLI v1.3.0 release.
Root Cause: KSM-763 added
Failed Tests:
Fix Location: CLI release branch
The Python SDK v17.1.0 functionality is fully validated - all 57 core SDK tests pass. The CLI test failures are isolated to test infrastructure, not actual functionality.
Update: CLI Test Fix Pushed
The CLI test failures have been fixed in CLI v1.3.0 release branch.
Commit: d991cd5 - "fix(cli): update test mocks to accept verify/proxy kwargs from KSM-763"
Changes:
Updated Tests: Both
The CLI v1.3.0 release will include this fix and will be compatible with Python SDK v17.1.0.
Core SDK changes:
- Exclude cryptography 44.0.0 (CVE-2026-23949) via !=44.0.0 constraint
- Maintains Python 3.6 support (uses cryptography 40.x on 3.6, 46.0.3 on 3.7+)
Build/SBOM workflow changes:
- Pin wheel>=0.46.3 (CVE-2026-24049) in SBOM generation workflow
- Pin wheel>=0.46.3 in SDK and Helper publish workflows
- Ensures Manifest Cyber scans show patched versions
Both CVEs are now mitigated without breaking Python 3.6 compatibility.
Summary
Release Python SDK v17.1.0 with security dependency update, Gov Cloud support, storage package boto3 fix, notation shortcut fix, GraphSync links support, secure config file permissions, client version detection fix, proxy SSL settings fix, improved error messages for malformed configs, and improved test coverage.
Changes
Added
- keeper_public_keys dictionary in keeper_globals.py
- links field with related record references
- recordUid, data, and path attributes for linked records
Security
KSM-760: Fixed CVE-2026-23949 (jaraco.context path traversal) in SBOM generation workflow
Added version-specific urllib3 dependency to address CVE-2025-66418 and CVE-2025-66471 (HIGH severity)
- urllib3>=2.6.0 (latest security fixes)
- urllib3>=1.26.0,<1.27 (compatible with boto3/AWS storage, no known CVEs)
KSM-695: Fixed file permissions for client-config.json
- os.open() with secure mode instead of regular open()
Fixed
- verify_ssl_certs=False, file upload and download operations failed with SSL certificate verification errors. The verify_ssl_certs and proxy_url settings were not being passed to the underlying requests library calls.
- __upload_file_function() was missing verify parameter in requests.post()
- KeeperFile.get_file_data() was missing both verify and proxies parameters in requests.get()
- KeeperFile.save_file() didn't pass parameters through to get_file_data()
- verify_ssl_certs parameter to __upload_file_function() and pass to requests.post()
- verify_ssl_certs and proxy_url parameters to KeeperFile.get_file_data() and save_file()
- SecretsManager instance
- tests/proxy_test.py
- test_verify_ssl_certs_passed_to_upload_file - Verifies upload respects SSL settings
- test_verify_ssl_certs_passed_to_file_download - Verifies download respects SSL settings
- binascii.Error: Incorrect padding or ValueError: Could not deserialize key data
- base64_to_bytes() now catches binascii.Error and raises KeeperError with context
- der_base64_private_key_to_private_key() wraps decoding errors with configuration hints
- extract_public_key_bytes() provides clear guidance when private key is invalid
- tests/config_error_test.py with 7 comprehensive tests (125 lines)
- "Failed to decode base64 data: Incorrect padding. This may indicate a malformed or corrupted value in your configuration. Please verify your configuration file is valid and has not been truncated."
- importlib_metadata.version() which reads filesystem metadata. During package upgrades, stale .dist-info directories from previous installations could remain, causing SDK to report incorrect versions and triggering "invalid client version id" backend authentication failures
- _version.py
- keeper_secrets_manager_core/_version.py with __version__ attribute
- get_client_version() to prioritize package __version__ over importlib_metadata
- setup.py to import version dynamically (eliminates manual sync across files)
- __version__ → importlib_metadata → hardcoded default
- ValueError: Notation error - found multiple records with same UID when KSM app has access to both original record and its shortcut
- ImportError: cannot import name 'IMDSFetcher' from 'botocore.utils'
Changed
Tests
- verify_ssl_certs and proxy_url parameters
- verify_ssl_certs and proxy_url parameters
- __version__ path
- importlib_metadata
- __version__ takes precedence over stale importlib_metadata (the actual KSM-749 bug)
Testing
- pip show urllib3 should show 2.6.0+
- pip show urllib3 should show 1.26.x
- pytest (57 tests pass)
- pip show urllib3 and pip show boto3
- pip install keeper-secrets-manager-storage
- pytest tests/proxy_test.py -v
- verify_ssl_certs=False
- verify_ssl_certs=False
- python -c "import keeper_secrets_manager_core; print(keeper_secrets_manager_core.__version__)"
- 17.1.0
- pytest tests/smoke_test.py::SmokeTest::test_client_version -v
- pytest tests/config_error_test.py -v
- links field with correct structure
Upgrade Path
No immediate action required, but users should plan to upgrade Python before v17.2.0 release:
- python --version
- sudo apt install python3.10
- brew install [email protected]
Known CI Issue (Not Related to This Release)
test-ansible failures on all Python versions are NOT caused by Python SDK changes.
Root Cause: Test isolation bug in integration/keeper_secrets_manager_ansible/tests/keeper_ansible_test.py
- test_ansible_cli_config sets PSModulePath environment variable but never cleans it up
- AssertionError: Regex didn't match: 'set ANSIBLE_ACTION_PLUGINS' not found
- set ANSIBLE_ACTION_PLUGINS (Windows CMD syntax)
- $env:ANSIBLE_ACTION_PLUGINS (PowerShell syntax, due to PSModulePath pollution)
Evidence This Is Not a Python SDK Issue:
Fix Location: Will be addressed in Ansible Integration v1.2.7 release (PR #904)
Verification: Python SDK v17.1.0 functionality is fully validated by passing test-python and test-cli suites.
Related Issues
Note on Issue #878 (urllib3 Security)
Full fix applied: Python 3.10+ users get urllib3>=2.6.0 (CVE-free)
Partial fix: Python 3.6-3.9 users get urllib3 1.26.x due to boto3/botocore compatibility constraints
Note
KSM-747 (record key decryption for shared folders) was initially included but has been removed in commit 6e921dd. This fix will be released in a separate coordinated release across all SDKs.
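The KSM-695 item in the description above replaces `open()` with `os.open()` and a secure mode when writing client-config.json. The following is an added example, not code from this PR or the SDK, showing why that matters on POSIX systems; the `0o600` mode, the function names and the sample JSON are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Assumption: "secure mode" means owner read/write only; the PR does not state the value.
SECURE_MODE = 0o600

def write_config_secure(path, data):
    """Write `data` to `path` without ever exposing it to group or other."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
    flags |= getattr(os, "O_NOFOLLOW", 0)  # refuse to write through a symlink
    # The third argument sets permissions at creation time, so there is no
    # window in which the file exists with umask-derived (wider) permissions.
    fd = os.open(path, flags, SECURE_MODE)
    try:
        # The mode is ignored for a file that already exists: tighten it too.
        os.fchmod(fd, SECURE_MODE)
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "w") as fh:
        fh.write(data)

def file_mode(path):
    """Return only the permission bits of `path`."""
    return stat.S_IMODE(os.stat(path).st_mode)

def demo():
    """Return (mode after open(), mode of new secure file, mode after secure rewrite)."""
    sample = '{"clientId": "constructed-sample-value"}'  # constructed, not a real config
    old_umask = os.umask(0o022)  # typical default umask
    try:
        with tempfile.TemporaryDirectory() as d:
            legacy = os.path.join(d, "legacy.json")
            with open(legacy, "w") as fh:  # plain open(): 0o666 & ~umask
                fh.write(sample)
            before = file_mode(legacy)
            fresh = os.path.join(d, "client-config.json")
            write_config_secure(fresh, sample)
            write_config_secure(legacy, sample)  # rewrite of a pre-existing loose file
            return before, file_mode(fresh), file_mode(legacy)
    finally:
        os.umask(old_umask)

if __name__ == "__main__":
    print([oct(m) for m in demo()])
```

A config written by an older version keeps its original permissions until it is rewritten or fixed with `chmod 600`, so existing deployments are worth auditing after upgrading.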