Summary
The pusher package currently ships with three dependencies that exist solely for Python 2 SNI (Server Name Indication) support: pyopenssl, pyasn1, and ndg-httpsclient. These dependencies have known security vulnerabilities:
| CVE | Library | Current | Fixed |
|---|---|---|---|
| CVE-2026-27459 | pyopenssl | 25.3.0 | 26.0.0 |
| CVE-2026-30922 | pyasn1 | 0.6.2 | 0.6.3 |
Why these dependencies exist
These were added for Python 2, which lacked native SNI support in its ssl module. The workaround was:
- `pyopenssl` — provided SNI-capable SSL via OpenSSL bindings
- `ndg-httpsclient` — patched `urllib3` to use pyopenssl
- `pyasn1` — ASN.1 parsing required by both pyopenssl and ndg-httpsclient
In the codebase, this is visible in `pusher/requests.py`, where the pyopenssl injection is gated behind `sys.version_info < (3,)` — meaning it was never executed on Python 3.
Why we can't just upgrade to fixed versions
Simply pinning to the fixed versions (pyopenssl>=26.0.0, pyasn1>=0.6.3) would not restore Python 2 support because:
- `pyopenssl` dropped Python 2 support years ago (around v22.0)
- `pyasn1` also no longer supports Python 2
- `ndg-httpsclient` is unmaintained
So there is no version combination that fixes these CVEs while maintaining Python 2 compatibility.
Why removing Python 2 support is the right approach
- Python 2 reached end-of-life on January 1, 2020 — over 6 years ago
- The project's CI already targets Python 3.10–3.12 only
- The Python 2 code paths (e.g., pyopenssl injection) are dead code on Python 3
- These dependencies add unnecessary attack surface for zero functional benefit on Python 3, as Python 3's stdlib `ssl` module handles SNI natively
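As an added check (example code, not part of this issue or the pusher package): the snippet below mirrors the Python-2-only gate described above to show that the injection branch is dead on any Python 3 with a stdlib `ssl` that reports `HAS_SNI`, and audits installed versions against the fixed versions listed in the CVE table. The `FIXED_VERSIONS` table is copied from this issue; the `installed` dictionaries in the test are constructed sample data.

```python
"""Added example (not pusher's own code): is the legacy pyopenssl SNI
workaround ever reachable, and are the table's fixed versions installed?"""
import ssl
import sys
from importlib import metadata

# Fixed versions from the CVE table in this issue: CVE -> (distribution, fixed).
FIXED_VERSIONS = {
    "CVE-2026-27459": ("pyopenssl", "26.0.0"),
    "CVE-2026-30922": ("pyasn1", "0.6.3"),
}


def parse_version(text):
    """Turn '25.3.0' into (25, 3, 0); non-numeric components compare as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def needs_pyopenssl_injection(version_info=sys.version_info, has_sni=ssl.HAS_SNI):
    """Mirror the old gate: the workaround only matters on Python 2 without
    native SNI. Every Python 3 has ssl.HAS_SNI, so the branch is dead there."""
    return version_info < (3,) and not has_sni


def unresolved_cves(installed):
    """installed: {distribution: version}. Returns the CVEs whose fixed
    version is not met. A distribution that is absent cannot be affected."""
    return {
        cve: (dist, installed[dist], fixed)
        for cve, (dist, fixed) in FIXED_VERSIONS.items()
        if dist in installed and parse_version(installed[dist]) < parse_version(fixed)
    }


def installed_versions(distributions=("pyopenssl", "pyasn1", "ndg-httpsclient")):
    """Read what this environment actually has installed; skip absent ones."""
    found = {}
    for dist in distributions:
        try:
            found[dist] = metadata.version(dist)
        except metadata.PackageNotFoundError:
            continue
    return found


if __name__ == "__main__":
    print("pyopenssl injection reachable here:", needs_pyopenssl_injection())
    print("unresolved CVEs:", unresolved_cves(installed_versions()))
```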
Changes
- Remove `pyopenssl`, `ndg-httpsclient`, and `pyasn1` from `install_requires` in `setup.py`
- Remove the dead Python 2 pyopenssl injection code in `pusher/requests.py`
- Update `setup.py` classifiers and `README.md` to reflect Python 3 only support
Related PR