Remove the dependency on PyNaCl due to CVE-2025-69277

sbp · sbp · commit 85bc17791b1f · 2026-01-16T17:39:06.000Z
diff --git a/atr/log.py b/atr/log.py
@@ -133,26 +133,26 @@ def python_repr(object_name: str) -> str:
     return f"<{object_name}>"
 
 
-def secret(msg: str, data: bytes) -> None:
-    import base64
-
-    import nacl.encoding as encoding
-    import nacl.public as public
-
-    import atr.config as config
-
-    conf = config.get()
-    public_key_b64 = conf.LOG_PUBLIC_KEY
-    if public_key_b64 is None:
-        raise ValueError("LOG_PUBLIC_KEY is not set")
-
-    recipient_pk = public.PublicKey(
-        public_key_b64.encode("ascii"),
-        encoder=encoding.Base64Encoder,
-    )
-    ciphertext = public.SealedBox(recipient_pk).encrypt(data)
-    encoded_ciphertext = base64.b64encode(ciphertext).decode("ascii")
-    _event(logging.INFO, f"{msg} {encoded_ciphertext}")
+# def secret(msg: str, data: bytes) -> None:
+#     import base64
+
+#     import nacl.encoding as encoding
+#     import nacl.public as public
+
+#     import atr.config as config
+
+#     conf = config.get()
+#     public_key_b64 = conf.LOG_PUBLIC_KEY
+#     if public_key_b64 is None:
+#         raise ValueError("LOG_PUBLIC_KEY is not set")
+
+#     recipient_pk = public.PublicKey(
+#         public_key_b64.encode("ascii"),
+#         encoder=encoding.Base64Encoder,
+#     )
+#     ciphertext = public.SealedBox(recipient_pk).encrypt(data)
+#     encoded_ciphertext = base64.b64encode(ciphertext).decode("ascii")
+#     _event(logging.INFO, f"{msg} {encoded_ciphertext}")
 
 
 def warning(msg: str) -> None:
diff --git a/pyproject.toml b/pyproject.toml
@@ -39,7 +39,7 @@ dependencies = [
   "puremagic>=1.30",
   "pydantic-xml (>=2.17.2,<3.0.0)",
   "pyjwt (>=2.10.1,<3.0.0)",
-  "pynacl>=1.5.0",
+  # "pynacl>=1.5.0",
   "python-decouple~=3.8",
   "python-gnupg~=0.5",
   "quart-schema[pydantic]~=0.21",
diff --git a/uv.lock b/uv.lock
