Migrate CLI to cleo 2 (fixes CVE-2022-42966 exposure)#1
Merged
Conversation
added 3 commits
June 7, 2026 00:03
cleo 0.8.1 (2020) is vulnerable to CVE-2022-42966 (ReDoS) and three majors behind. Commands keep declaring their signature in the docstring block format: the base Command now parses it into a cleo 2 definition (arguments/options helpers) instead of relying on cleo 0.8's removed docstring parsing. - CanOverrideConfig and CanOverrideOptionsDefault are folded into the base Command: the global --config/-C option is added to the definition, and option defaults can still be overridden per instance (SomeCommand(directory=...)) - cleo 0.8 semantics preserved for bare optional-value options (--show reads as truthy) - Entry/CommandTester imports updated to cleo 2 paths - cleo>=2.1,<3; version bumped to 3.1.0 Full suite: 1029 passed (the one failing postgres test requires the CI database service and fails identically on cleo 0.8).
eaguad1337
pushed a commit
to masonitedev/masonite
that referenced
this pull request
Jun 7, 2026
cleo 0.8.1 (2020) is vulnerable to CVE-2022-42966 (ReDoS) — the fix lives in cleo 2 — and was the last remaining pip-audit finding. Commands keep declaring their signature in the docstring block format: the base masonite.commands.Command now parses it into a cleo 2 definition, so none of the 40+ command classes changed. - cleo 0.8 semantics preserved for bare optional-value options (craft preset --list stays truthy) - CommandCapsule uses command.name and cleo 2's Application.add; swap() updates the internal registry consistently - TestCommand accumulates fetch_output()/fetch_error() since cleo 2 drains the buffer on fetch (multiple assertOutputContains calls) - Kernel/Entry/test fixtures updated to cleo 2 import paths - requires masonite-framework-orm>=3.1 (its CLI migrated in masonitedev/orm#1) and drops the cleo 0.8 DeprecationWarning filter Fixes #9
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Migrates the ORM CLI from cleo 0.8.1 to cleo 2.1, unblocking the fix for CVE-2022-42966 (ReDoS in cleo ≤ 0.8) — the last remaining
pip-auditfinding across the masonitedev Python repos.Approach
Commands keep declaring their signature in the historical docstring block format. The base
Commandnow parses that format into a cleo 2 definition (cleo.helpers.argument/option), so none of the 13 command classes changed.CanOverrideConfig+CanOverrideOptionsDefaultfolded into the baseCommand: the global--config/-Coption lands on every command, and per-instance default overrides (MigrateCommand(directory=...), used by the framework'sInternalORMProvider) keep workingshell -c dev -s→--showis truthy)Entry/CommandTesterimports updated to the cleo 2 pathscleo>=2.1,<3, version → 3.1.0Validation
masonite-orm listand per-command--helpverified manually — names, descriptions, shortcuts and defaults all parse correctlyflake8with the pyproject config) cleanRequired by masonitedev/masonite#9 — the framework migration lands after this is released to PyPI.