Skip to content

Replace doi2bib with a util function to remove future package dependency #770

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Replace doi2bib with a util function to remove future package dependency #770

wants to merge 1 commit into from

Conversation

jrlagrone
Copy link
Contributor

@jrlagrone jrlagrone commented Aug 19, 2025
edited
Loading

Replace the functionality of the git_bib function from doi2bib.

This is mainly to address CVE-2025-50817 -- doi2bib uses the future package and doi2bib appears to no longer be actively maintained. It appears to me that the functionality being used in ColdFront is a simple url request to the crossref.org rest api so just re-implement that.

Note: the following have not been updated (but should be).

  • the tests in publication will no longer work as written (I didn't fully comprehend what it was actually doing, but I can circle back when I have more time available and try to update them)
  • The packages doi2bib and future should no longer be dependencies in the uv file. I'm still running an older version using setup.py / requirements.txt, so I didn't test. My assumption is that is a trivial change.

@Eric-Butcher
Copy link
Contributor

The boolean return value is never actually used anywhere this is called, so overall it probably makes since to change the API of this function. However the bibtex library seems to be going from v1 to v2 and a lot of the view code is going to have to be refactored anyways as some point. So I argue that it should all just be left for another day.

This is fine for now.

@Eric-Butcher
Copy link
Contributor

@jrlagrone thanks for catching this!

@Eric-Butcher
Copy link
Contributor

@jrlagrone Make sure to squash and sign the commit when you are ready for his pr to be merged.

@jrlagrone
Copy link
Contributor Author

@Eric-Butcher that should be a single signed commit now.

It did change the uv file more than I expected, but it looks like that's mostly upload-time fields so I assume that's not really an issue. I'm pretty new to UV though, so it might be good to look at that closely.

But yes on both fronts -- I think being able to remove 2 dependencies with ~10 lines of code is good, but also that it should probably be refactored (more resilient, staying up to date with the bibtex libs as you mentioned, actually following the best practices from crossref https://api.crossref.org/swagger-ui/index.html#best-practice, etc.)

ANekhai
ANekhai approved these changes Aug 28, 2025
View reviewed changes
Copy link
Collaborator

@ANekhai ANekhai left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice job removing that stale dependency with a simple util function, looks good to merge to me.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
1 more reviewer

@ANekhai ANekhai ANekhai approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jrlagrone @Eric-Butcher @ANekhai