Skip to content

Migrate craft CLI to cleo 2 (last pip-audit finding)#25

Merged
eaguad1337 merged 1 commit into
5.0from
fix/cleo-2
Jun 7, 2026
Merged

Migrate craft CLI to cleo 2 (last pip-audit finding)#25
eaguad1337 merged 1 commit into
5.0from
fix/cleo-2

Conversation

@eaguad1337

@eaguad1337 eaguad1337 commented Jun 7, 2026

Copy link
Copy Markdown
Contributor

Migrates the craft CLI from cleo 0.8.1 to cleo 2.1 — the final pip-audit finding (cleo ≤ 0.8 is vulnerable to CVE-2022-42966, ReDoS, fixed in 2.0).

Closes #9

Approach

Commands keep declaring their signature in the historical docstring block format. The base masonite.commands.Command now parses that format into a cleo 2 definition (cleo.helpers.argument/option), so none of the 40+ command classes changed — and package authors' existing commands (and the make:command stub) stay valid.

  • cleo 0.8 semantics preserved for bare optional-value options (craft preset --list stays truthy)
  • CommandCapsule uses command.name and cleo 2's Application.add; swap() keeps the internal registry consistent
  • TestCommand accumulates fetch_output()/fetch_error() (cleo 2 drains the buffer on fetch, breaking consecutive assertOutputContains)
  • Kernel/Entry/test fixtures moved to the cleo 2 import paths
  • Drops the cleo 0.8 DeprecationWarning filter (craft output is warning-free natively now)
  • Requires masonite-framework-orm ≥ 3.1 (its CLI migrated in Migrate CLI to cleo 2 (fixes CVE-2022-42966 exposure) orm#1, released as v3.1.0)
  • Also includes: timezone validation rule moved from undeclared pytz (which arrived transitively via vonage 3) to stdlib zoneinfo

Validation

  • 656 passed (-m "not integrations") under cleo 2.1 + masonite-framework-orm 3.1.0
  • Manual E2E: craft list (all framework + ORM commands registered), per-command --help (names/shortcuts/defaults correct), craft preset --list, craft serve (HTTP 200, styled output intact)
  • ORM side validated independently: 1029 tests + CI green on Python 3.8–3.13 with live MySQL/Postgres migrations
  • pip-audit after this PR: zero findings

feat: migrate the craft CLI to cleo 2
a3055a6 
cleo 0.8.1 (2020) is vulnerable to CVE-2022-42966 (ReDoS) — the fix
lives in cleo 2 — and was the last remaining pip-audit finding.

Commands keep declaring their signature in the docstring block format:
the base masonite.commands.Command now parses it into a cleo 2
definition, so none of the 40+ command classes changed.

- cleo 0.8 semantics preserved for bare optional-value options
  (craft preset --list stays truthy)
- CommandCapsule uses command.name and cleo 2's Application.add;
  swap() updates the internal registry consistently
- TestCommand accumulates fetch_output()/fetch_error() since cleo 2
  drains the buffer on fetch (multiple assertOutputContains calls)
- Kernel/Entry/test fixtures updated to cleo 2 import paths
- requires masonite-framework-orm>=3.1 (its CLI migrated in
  masonitedev/orm#1) and drops the cleo 0.8 DeprecationWarning filter

Fixes #9
@eaguad1337 eaguad1337 merged commit 601bf6d into 5.0 Jun 7, 2026
17 of 20 checks passed
@eaguad1337 eaguad1337 deleted the fix/cleo-2 branch June 7, 2026 04:28
@eaguad1337 eaguad1337 mentioned this pull request Jun 8, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

deps: cleo 0.8.1 has a ReDoS CVE; pin blocks the fix and is 3 majors behind

1 participant

@eaguad1337