
[client-python] Loosen boto3 version constraint to fix stix-shifter compatibility (#14613) #14692

Merged
SamuelHassine merged 2 commits into master from
claude/fix-boto3-requirements-issue
Mar 2, 2026

Conversation

Contributor

@Claude Claude AI commented Mar 1, 2026

The strict boto3~=1.38.27 constraint prevents pip from resolving dependencies when connectors install both pycti and stix-shifter (which depends on aiobotocore with strict botocore<1.38.28 requirements).

Changes

  • client-python/requirements.txt: Changed boto3~=1.38.27 → boto3>=1.38.27,<1.44
  • client-python/setup.cfg: Changed boto3~=1.38.27 → boto3>=1.38.27,<1.44

The wider range allows pip to select compatible boto3/botocore versions based on the full dependency graph:

  • With stix-shifter present: resolves to boto3 1.38.x (compatible with aiobotocore's botocore constraints)
  • Without stix-shifter: can use newer boto3 versions as needed

Example error before fix:

ERROR: pip's dependency resolver does not currently take into account all the packages that are installed.
aiobotocore 2.23.0 requires botocore<1.38.28,>=1.38.23, but you have botocore 1.42.56 which is incompatible.
Original prompt

This section details on the original issue you should resolve

<issue_title>[BUG] boto3 requirements is too strict and is incompatible with stix-shifter</issue_title>
<issue_description>### Environment

OpenCTI 7.260224.0
Python version 3.12.12
client version 7.260224.0-dirty (top of master branch)

Reproducible Steps

  1. Install the requirements for an openCTI connector that uses stix-shifter ie: connectors/stream/sekoia-intel
  2. Install pycti from master@opencti pip install git+https://github.com/OpenCTI-Platform/opencti.git@master#subdirectory=client-python

Actual Outcome

Error message during pip install

ERROR: pip's dependency resolver does not currently take into account all the packages that are installed. This behaviour is the source of the following dependency conflicts.
aiobotocore 2.23.0 requires botocore<1.38.28,>=1.38.23, but you have botocore 1.42.56 which is incompatible.
pyopenssl 25.0.0 requires cryptography<45,>=41.0.5, but you have cryptography 46.0.5 which is incompatible.
stix-shifter 8.0.2 requires antlr4-python3-runtime==4.8, but you have antlr4-python3-runtime 4.13.2 which is incompatible.
stix-shifter 8.0.2 requires regex==2023.12.25, but you have regex 2026.2.19 which is incompatible.
stix-shifter 8.0.2 requires stix2-patterns==1.3.2, but you have stix2-patterns 2.1.2 which is incompatible.

Expected Outcome

pip install without errors. This can be done by loosening the requirements on boto3, which were changed with this commit: 69e88b4.
Something like boto3>=1.38.27,<=1.43 should be ok

Add any file, screenshots, video

No response</issue_description>

Comments on the Issue (you are @claude[agent] in this section)

@SamuelHassine ## Copilot Fix Instructions

Problem: The boto3 dependency pin is too strict, causing conflicts with stix-shifter and other packages that require different versions of botocore/boto3.

Root cause: Commit 69e88b47ce254f5a9bf5459f144c09ba121824db pinned boto3 to an exact version instead of a compatible range.

Fix approach:

  1. Locate the boto3 dependency in the client-python subdirectory — check pyproject.toml, setup.py, or requirements.txt under opencti-platform/client-python/ or the root-level client-python directory.
  2. Change the boto3 version constraint from an exact pin (e.g., boto3==1.x.y) to a compatible range: boto3>=1.38.27,<1.44 (or similar range that maintains compatibility while allowing stix-shifter's botocore requirements).
  3. If there are also pins on botocore or aiobotocore, review those for similar loosening needs.

Expected change: Single dependency version constraint change in the client-python package definition. The goal is to allow pip to resolve a compatible set of boto3/botocore versions across both pycti and stix-shifter.

@copilot</comment_new>
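An added example, not part of this PR or the OpenCTI code base: a small standard-library checker that parses the pip conflict lines quoted in the issue and re-evaluates each one, the kind of gate a CI job can run on install logs to fail the build when the environment drifts from declared constraints. The function names are hypothetical, and the version comparison assumes plain numeric release versions.

```python
import operator
import re

# Conflict lines copied from the pip output quoted in the issue above.
PIP_OUTPUT = """\
aiobotocore 2.23.0 requires botocore<1.38.28,>=1.38.23, but you have botocore 1.42.56 which is incompatible.
pyopenssl 25.0.0 requires cryptography<45,>=41.0.5, but you have cryptography 46.0.5 which is incompatible.
stix-shifter 8.0.2 requires antlr4-python3-runtime==4.8, but you have antlr4-python3-runtime 4.13.2 which is incompatible.
"""

CONFLICT = re.compile(
    r"^(?P<pkg>\S+) (?P<pkg_ver>\S+) requires (?P<dep>[A-Za-z0-9._-]+?)"
    r"(?P<spec>[<>=!~].*?), but you have (?P=dep) (?P<have>\S+) which is incompatible\.$"
)
CLAUSE = re.compile(r"\s*(<=|>=|==|!=|~=|<|>)\s*([0-9.]+)\s*")
OPS = {"<=": operator.le, ">=": operator.ge, "==": operator.eq,
       "!=": operator.ne, "<": operator.lt, ">": operator.gt}

def vkey(version, width=4):
    """Sort key for plain numeric release versions (assumption: no rc/post tags)."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def satisfies(version, spec):
    """True if `version` meets every comma-separated clause in `spec`."""
    for clause in spec.split(","):
        m = CLAUSE.fullmatch(clause)
        if m is None:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = m.groups()
        if op == "~=":  # ~=X.Y.Z means >=X.Y.Z and ==X.Y.*
            prefix = bound.split(".")[:-1]
            ok = vkey(version) >= vkey(bound) and version.split(".")[:len(prefix)] == prefix
        else:
            ok = OPS[op](vkey(version), vkey(bound))
        if not ok:
            return False
    return True

def parse_conflicts(text):
    """Return one dict per conflict line, with the conflict re-checked locally."""
    found = []
    for line in text.splitlines():
        m = CONFLICT.match(line.strip())
        if m:
            record = m.groupdict()
            record["confirmed"] = not satisfies(record["have"], record["spec"])
            found.append(record)
    return found
```

`satisfies` also accepts the two boto3 specifiers from this PR, so the old `~=1.38.27` pin and the new `>=1.38.27,<1.44` range can be compared against any candidate version.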

@Claude Claude AI changed the title [WIP] Fix boto3 requirements incompatibility with stix-shifter [client-python] Loosen boto3 version constraint to fix stix-shifter compatibility Mar 1, 2026
@SamuelHassine SamuelHassine changed the title [client-python] Loosen boto3 version constraint to fix stix-shifter compatibility [client-python] Loosen boto3 version constraint to fix stix-shifter compatibility (#14613) Mar 1, 2026
@SamuelHassine SamuelHassine marked this pull request as ready for review March 1, 2026 06:19

github-actions bot commented Mar 1, 2026

Thank you for your contribution, but we need you to sign your commits. Please see https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits

@SamuelHassine SamuelHassine requested a review from jabesq March 1, 2026 06:20

codecov bot commented Mar 1, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 32.36%. Comparing base (9ab8525) to head (3a2b478).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master   #14692   +/-   ##
=======================================
  Coverage   32.36%   32.36%           
=======================================
  Files        3097     3097           
  Lines      210978   210978           
  Branches    38230    38230           
=======================================
  Hits        68280    68280           
  Misses     142698   142698           
Flag Coverage Δ
opencti-client-python 45.48% <ø> (ø)
opencti-front 2.83% <ø> (ø)
opencti-graphql 67.73% <ø> (ø)


Member

@jabesq jabesq left a comment


LGTM 👍
Please sign all your commits using the following commands while on the claude/fix-boto3-requirements-issue branch, before merging it into master:
git rebase origin/master -x "git commit -S --amend --no-edit"

Claude AI and others added 2 commits March 2, 2026 06:40
…ompatibility

Co-authored-by: SamuelHassine <1334279+SamuelHassine@users.noreply.github.com>
@SamuelHassine SamuelHassine force-pushed the claude/fix-boto3-requirements-issue branch from 4dfe0c9 to 3a2b478 Compare March 2, 2026 11:40

github-actions bot commented Mar 2, 2026

Please attach at least one issue to your Pull Request


@SamuelHassine SamuelHassine merged commit 1f84b88 into master Mar 2, 2026
35 of 39 checks passed
@SamuelHassine SamuelHassine deleted the claude/fix-boto3-requirements-issue branch March 2, 2026 11:46

Successfully merging this pull request may close these issues.

[BUG] boto3 requirements is too strict and is incompatible with stix-shifter
