Description
Describe the bug
Our security scans have identified a vulnerability in a transitive dependency used by dropbox-sdk-python. The issue originates from the stone package, which depends on the ply library. The version of ply referenced has a reported security vulnerability. Although this dependency is not directly used at runtime in our implementation, it is still flagged in compliance and SCA checks.
To Reproduce
- Install dropbox-sdk-python in a Python environment
- Run a Software Composition Analysis (SCA) or dependency vulnerability scan
- Observe that stone is included as a dependency
- Observe that stone pulls in ply
- The scanner reports a known vulnerability in ply
Expected Behavior
The SDK should not depend on packages with known vulnerabilities, especially when those dependencies are not required at runtime. Either the vulnerable dependency should be removed, replaced, or upgraded to a non-vulnerable version.
Actual Behavior
The current dependency chain includes stone → ply, and the ply version being pulled in is flagged as vulnerable. This results in security findings in automated scans, preventing us from continuing to use the SDK under our security policies.
Versions
- Dropbox SDK version: (v12.0.2)
- Python version: (e.g., Python 3.11)
- Platform: Linux
Additional context
Our understanding is that ply is only used by the Stone CLI/code generation flow and not required for runtime usage of the Dropbox SDK. However, since it is included as an install-time dependency, it is still flagged by security tools.
As a precaution, we have temporarily disabled Dropbox integration in our platform. We would appreciate guidance on whether a fix, dependency update, or removal is planned in a future SDK release.
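The reproduction steps above rely on a scanner to surface the dropbox → stone → ply chain. The following added example (written for this edit, not code from dropbox-sdk-python or from the issue reporter) walks the Requires-Dist metadata of installed distributions with importlib.metadata to confirm every dependency path from one package to another, so the chain can be checked without the scanner. It also runs the same search over constructed metadata that mirrors the reported chain, so it works offline; the version specifiers in CONSTRUCTED_METADATA are illustrative assumptions, not the project's actual pins. It reports whether and how ply is pulled in and which version is installed, not whether that version is vulnerable.

```python
"""Confirm a transitive dependency chain by walking Requires-Dist metadata.

Added example; not code from dropbox-sdk-python or the issue reporter.
"""
import re
from importlib import metadata
from typing import Callable, Dict, List, Optional

# Requires-Dist entries look like "stone>=2", "ply (>=3.4)" or "pytest ; extra == 'test'".
# This regex isolates the leading distribution name (letters, digits, '-', '_', '.').
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 name normalisation so 'Dropbox' and 'dropbox' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requires(requires: Optional[List[str]], include_extras: bool = False) -> List[str]:
    """Return the normalised distribution names a Requires-Dist list points at.

    Requirements guarded by an 'extra == ...' marker are optional and are skipped
    unless include_extras is True, since they are not installed by a plain install.
    """
    names: List[str] = []
    for req in requires or []:
        spec, _, marker = req.partition(";")
        if "extra ==" in marker and not include_extras:
            continue
        m = _NAME_RE.match(spec)
        if m:
            names.append(normalize(m.group(1)))
    return names


def find_paths(root: str, target: str,
               requires_of: Callable[[str], Optional[List[str]]]) -> List[List[str]]:
    """Depth-first search for every dependency path from root to target.

    requires_of(name) returns that distribution's Requires-Dist entries, or None
    if the distribution is not installed. Nodes already on the current path are
    not revisited, which guards against dependency cycles.
    """
    root, target = normalize(root), normalize(target)
    paths: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node == target:
            paths.append(path)
            return
        for dep in parse_requires(requires_of(node)):
            if dep not in path:
                walk(dep, path + [dep])

    walk(root, [root])
    return paths


def installed_requires(name: str) -> Optional[List[str]]:
    """Adapter over importlib.metadata for the live environment."""
    try:
        return metadata.distribution(name).requires
    except metadata.PackageNotFoundError:
        return None


def installed_version(name: str) -> Optional[str]:
    """Installed version string, or None if the distribution is absent."""
    try:
        return metadata.version(name)
    except metadata.PackageNotFoundError:
        return None


# Constructed metadata mirroring the chain described in the issue (dropbox -> stone -> ply).
# The version specifiers are illustrative assumptions, not the project's real pins.
CONSTRUCTED_METADATA: Dict[str, List[str]] = {
    "dropbox": ["requests>=2.16.2", "six>=1.12.0", "stone>=2"],
    "stone": ["ply>=3.4", "six>=1.12.0"],
    "ply": [],
    "requests": ["urllib3", "certifi"],
    "six": [],
    "urllib3": [],
    "certifi": [],
}


def constructed_requires(name: str) -> Optional[List[str]]:
    return CONSTRUCTED_METADATA.get(normalize(name))


if __name__ == "__main__":
    # Live environment: empty if dropbox is not installed or does not reach ply.
    print("live paths:", find_paths("dropbox", "ply", installed_requires))
    print("installed ply:", installed_version("ply"))
    # Constructed metadata mirroring the issue's chain.
    print("constructed paths:", find_paths("dropbox", "ply", constructed_requires))
```

Against a real environment, pass `installed_requires` as the lookup; an empty result with dropbox installed means ply is not reachable through the installed metadata (for example after a future release drops the stone → ply edge), while a non-empty result lists each chain the scanner is flagging.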