mirror of https://github.com/zulip/zulip.git
06c2161f7e
For a long time, we've been only doing the zxcvbn password strength checks on the browser, which is helpful, but means users could through hackery (or a bug in the frontend validation code) manage to set a too-weak password. We fix this by running our password strength validation on the backend as well, using python-zxcvbn. In theory, a bug in python-zxcvbn could result in it producing a different opinion than the frontend version; if so, it'd be a pretty bad bug in the library, and hopefully we'd hear about it from users, report upstream, and get it fixed that way. Alternatively, we can switch to shelling out to node like we do for KaTeX. Fixes #6880. |
||
|---|---|---|
| .. | ||
| README.md | ||
| common.in | ||
| dev.in | ||
| dev.txt | ||
| docs.in | ||
| docs.txt | ||
| mypy.in | ||
| mypy.txt | ||
| pip.in | ||
| pip.txt | ||
| prod.in | ||
| prod.txt | ||
| thumbor-dev.in | ||
| thumbor-dev.txt | ||
| thumbor.in | ||
| thumbor.txt | ||
README.md
The dependency graph of the requirements is as follows:
dev prod
+ + +
| +->common<-+
v
mypy,docs
Of the files, only dev, prod, and mypy have been used in the install scripts directly. The rest are implicit dependencies.
common and dev are locked.
Steps to update a lock file, e.g. to update ipython from 5.3.0 to 6.0.0 in
common.in and propagate it to dev.txt and prod.txt:
0. Replace ipython==5.4.1 with ipython==6.0.0 in common.in.
- Run
./tools/update-locked-requirements. - Increase
PROVISION_VERSIONinversion.py. - Run
./tools/provisionto install the new deps and test them. - Commit your changes.