fix(sdk): make okta SDK an optional extra to avoid downstream resolution conflicts

2026-05-13 15:50:55 +00:00 · 2026-05-13 16:54:50 +02:00
20 changed files with 66 additions and 68 deletions
@@ -26,6 +26,10 @@ inputs:
    description: 'Whether to enable Poetry dependency caching via actions/setup-python'
    required: false
    default: 'true'
+  extras:
+    description: 'Comma-separated list of project extras to install (e.g. "okta"). Pass "all" to install every extra.'
+    required: false
+    default: ''

 runs:
  using: 'composite'
@@ -87,8 +91,20 @@ runs:
      if: inputs.install-dependencies == 'true'
      shell: bash
      working-directory: ${{ inputs.working-directory }}
+      env:
+        INPUTS_EXTRAS: ${{ inputs.extras }}
      run: |
-        poetry install --no-root
+        if [ "$INPUTS_EXTRAS" = "all" ]; then
+          poetry install --no-root --all-extras
+        elif [ -n "$INPUTS_EXTRAS" ]; then
+          EXTRAS_ARGS=""
+          for extra in ${INPUTS_EXTRAS//,/ }; do
+            EXTRAS_ARGS="$EXTRAS_ARGS -E $extra"
+          done
+          poetry install --no-root $EXTRAS_ARGS
+        else
+          poetry install --no-root
+        fi
        poetry run pip list

    - name: Update Prowler Cloud API Client
@@ -36,7 +36,6 @@ Please add a detailed description of how to review this PR.

 #### UI
 - [ ] All issue/task requirements work as expected on the UI
- [ ] If this PR adds or updates npm dependencies, include package-health evidence (maintenance, popularity, known vulnerabilities, license, release age) and explain why existing/native alternatives are insufficient.
 - [ ] Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px)
 - [ ] Screenshots/Video of the functionality flow (if applicable) - Table (640px > X < 1024px)
 - [ ] Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px)
@@ -76,6 +76,7 @@ jobs:
        uses: ./.github/actions/setup-python-poetry
        with:
          python-version: ${{ matrix.python-version }}
+          extras: all

      - name: Check Poetry lock file
        if: steps.check-changes.outputs.any_changed == 'true'
@@ -92,6 +92,7 @@ jobs:
        uses: ./.github/actions/setup-python-poetry
        with:
          python-version: '3.12'
+          extras: all

      - name: Security scan with Bandit
        if: steps.check-changes.outputs.any_changed == 'true'
@@ -97,6 +97,7 @@ jobs:
        uses: ./.github/actions/setup-python-poetry
        with:
          python-version: ${{ matrix.python-version }}
+          extras: all

      # AWS Provider
      - name: Check if AWS files changed
@@ -132,10 +132,6 @@ jobs:
        if: steps.check-changes.outputs.any_changed == 'true'
        run: pnpm run healthcheck

-      - name: Run pnpm audit
-        if: steps.check-changes.outputs.any_changed == 'true'
-        run: pnpm run audit
-
      - name: Run unit tests (all - critical paths changed)
        if: steps.check-changes.outputs.any_changed == 'true' && steps.critical-changes.outputs.any_changed == 'true'
        run: |
@@ -89,7 +89,7 @@ ENV PATH="${HOME}/.local/bin:${PATH}"
 RUN pip install --no-cache-dir --upgrade pip && \
    pip install --no-cache-dir poetry==2.3.4

-RUN poetry install --compile && \
+RUN poetry install --compile --all-extras && \
    rm -rf ~/.cache/pip

 # Install PowerShell modules
@@ -10,10 +10,10 @@ This repository contains the Prowler Open Source documentation powered by [Mintl

 ## Local Development

-Install a reviewed version of the [Mintlify CLI](https://www.npmjs.com/package/mint) to preview documentation changes locally:
+Install the [Mintlify CLI](https://www.npmjs.com/package/mint) to preview documentation changes locally:

 ```bash
-npm install --global mint@4.2.560
+npm i -g mint
 ```

 Run the following command at the root of your documentation (where `mint.json` is located):
@@ -28,7 +28,7 @@ This includes the [AGENTS.md](https://github.com/prowler-cloud/prowler/blob/mast
 <Steps>
  <Step title="Install Mintlify CLI">
    ```bash
-    npm install --global mint@4.2.560
+    npm i -g mint
    ```
    For detailed instructions, check the [Mintlify documentation](https://www.mintlify.com/docs/installation).
  </Step>
@@ -44,21 +44,13 @@ Choose the configuration based on your deployment:

  <Tab title="Generic without Native HTTP Support">
    **Configuration:**
-    <Warning>
-    Avoid configuring MCP clients to run `npx mcp-remote` directly. `npx` can download and execute a new package version on each run. Install a reviewed version of `mcp-remote` in a dedicated local workspace, then point the MCP client to the installed binary.
-    </Warning>
-    ```bash
-    mkdir -p ~/.local/share/prowler-mcp-bridge
-    cd ~/.local/share/prowler-mcp-bridge
-    npm init -y
-    npm install --save-exact mcp-remote@0.1.38
-    ```
    ```json
    {
      "mcpServers": {
        "prowler": {
-          "command": "/absolute/path/to/.local/share/prowler-mcp-bridge/node_modules/.bin/mcp-remote",
+          "command": "npx",
          "args": [
+            "mcp-remote",
            "https://mcp.prowler.com/mcp", // or your self-hosted Prowler MCP Server URL
            "--header",
            "Authorization: Bearer ${PROWLER_APP_API_KEY}"
@@ -80,20 +72,14 @@ Choose the configuration based on your deployment:
    2. Go to "Developer" tab
    3. Click in "Edit Config" button
    4. Edit the `claude_desktop_config.json` file with your favorite editor
-    5. Install a reviewed version of `mcp-remote` in a dedicated local workspace:
-    ```bash
-    mkdir -p ~/.local/share/prowler-mcp-bridge
-    cd ~/.local/share/prowler-mcp-bridge
-    npm init -y
-    npm install --save-exact mcp-remote@0.1.38
-    ```
-    6. Add the following configuration:
+    5. Add the following configuration:
    ```json
    {
      "mcpServers": {
        "prowler": {
-          "command": "/absolute/path/to/.local/share/prowler-mcp-bridge/node_modules/.bin/mcp-remote",
+          "command": "npx",
          "args": [
+            "mcp-remote",
            "https://mcp.prowler.com/mcp",
            "--header",
            "Authorization: Bearer ${PROWLER_APP_API_KEY}"
@@ -38,7 +38,7 @@ Refer to the [Prowler App Tutorial](/user-guide/tutorials/prowler-app) for detai

    - `git` installed.
    - `poetry` installed: [poetry installation](https://python-poetry.org/docs/#installation).
-    - `pnpm` installed through [Corepack](https://pnpm.io/installation#using-corepack) or the standalone [pnpm installation](https://pnpm.io/installation).
+    - `npm` installed: [npm installation](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm).
    - `Docker Compose` installed: https://docs.docker.com/compose/install/.

    <Warning>
@@ -97,11 +97,9 @@ Refer to the [Prowler App Tutorial](/user-guide/tutorials/prowler-app) for detai
    ```bash
    git clone https://github.com/prowler-cloud/prowler \
    cd prowler/ui \
-    corepack enable \
-    corepack install \
-    pnpm install --frozen-lockfile \
-    pnpm run build \
-    pnpm start
+    npm install \
+    npm run build \
+    npm start
    ```

    > Enjoy Prowler App at http://localhost:3000 by signing up with your email and password.
@@ -22,7 +22,7 @@ Install promptfoo using one of the following methods:

 **Using npm:**
 ```bash
-npm install --global promptfoo@0.121.11
+npm install -g promptfoo
 ```

 **Using Homebrew (macOS):**
@@ -56,21 +56,13 @@ Prowler MCP Server can be used in three ways:
 - Managed and maintained by Prowler team
 - Always up-to-date

-Install a reviewed version of `mcp-remote` in a dedicated local workspace first. Avoid running `npx mcp-remote` directly because it can download and execute a new package version on each run.
-
-```bash
-mkdir -p ~/.local/share/prowler-mcp-bridge
-cd ~/.local/share/prowler-mcp-bridge
-npm init -y
-npm install --save-exact mcp-remote@0.1.38
-```
-
 ```json
 {
  "mcpServers": {
    "prowler": {
-      "command": "/absolute/path/to/.local/share/prowler-mcp-bridge/node_modules/.bin/mcp-remote",
+      "command": "npx",
      "args": [
+        "mcp-remote",
        "https://mcp.prowler.com/mcp",
        "--header",
        "Authorization: Bearer pk_YOUR_API_KEY_HERE"
@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 2.3.4 and should not be changed by hand.
+# This file is automatically @generated by Poetry 2.3.2 and should not be changed by hand.

 [[package]]
 name = "about-time"
@@ -16,9 +16,10 @@ files = [
 name = "aenum"
 version = "3.1.17"
 description = "Advanced Enumerations (compatible with Python's stdlib Enum), NamedTuples, and NamedConstants"
-optional = false
+optional = true
 python-versions = "*"
 groups = ["main"]
+markers = "extra == \"okta\""
 files = [
    {file = "aenum-3.1.17-py2-none-any.whl", hash = "sha256:0dad0421b2fbe30e3fb623b2a0a23eff823407df53829d6a72595e7f76f3d872"},
    {file = "aenum-3.1.17-py3-none-any.whl", hash = "sha256:8b883a37a04e74cc838ac442bdd28c266eae5bbf13e1342c7ef123ed25230139"},
@@ -3161,9 +3162,10 @@ referencing = ">=0.31.0"
 name = "jwcrypto"
 version = "1.5.7"
 description = "Implementation of JOSE Web standards"
-optional = false
+optional = true
 python-versions = ">=3.8"
 groups = ["main"]
+markers = "extra == \"okta\""
 files = [
    {file = "jwcrypto-1.5.7-py3-none-any.whl", hash = "sha256:729463fefe28b6de5cf1ebfda3e94f1a1b41d2799148ef98a01cb9678ebe2bb0"},
    {file = "jwcrypto-1.5.7.tar.gz", hash = "sha256:70204d7cca406eda8c82352e3c41ba2d946610dafd19e54403f0a1f4f18633c6"},
@@ -4145,9 +4147,10 @@ adk = ["docstring-parser (>=0.16) ; python_version >= \"3.10\" and python_versio
 name = "okta"
 version = "3.4.2"
 description = "Python SDK for the Okta Management API"
-optional = false
+optional = true
 python-versions = ">=3.10"
 groups = ["main"]
+markers = "extra == \"okta\""
 files = [
    {file = "okta-3.4.2-py3-none-any.whl", hash = "sha256:b67bcff31de65223c5848894a202153236d0c99e3a8541a54bf7065f81676637"},
    {file = "okta-3.4.2.tar.gz", hash = "sha256:b05201056f3f028c5d2d16394f9b47024a689080f5a993c11d4d80f0e1b5ba1e"},
@@ -4814,9 +4817,10 @@ files = [
 name = "pycryptodomex"
 version = "3.23.0"
 description = "Cryptographic library for Python"
-optional = false
+optional = true
 python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,!=3.6.*,>=2.7"
 groups = ["main"]
+markers = "extra == \"okta\""
 files = [
    {file = "pycryptodomex-3.23.0-cp27-cp27m-macosx_10_9_x86_64.whl", hash = "sha256:add243d204e125f189819db65eed55e6b4713f70a7e9576c043178656529cec7"},
    {file = "pycryptodomex-3.23.0-cp27-cp27m-manylinux2010_i686.whl", hash = "sha256:1c6d919fc8429e5cb228ba8c0d4d03d202a560b421c14867a65f6042990adc8e"},
@@ -5021,9 +5025,10 @@ typing-extensions = ">=4.14.1"
 name = "pydash"
 version = "8.0.6"
 description = "The kitchen sink of Python utility libraries for doing \"stuff\" in a functional way. Based on the Lo-Dash Javascript library."
-optional = false
+optional = true
 python-versions = ">=3.9"
 groups = ["main"]
+markers = "extra == \"okta\""
 files = [
    {file = "pydash-8.0.6-py3-none-any.whl", hash = "sha256:ee70a81a5b292c007f28f03a4ee8e75c1f5d7576df5457b836ec7ab2839cc5d0"},
    {file = "pydash-8.0.6.tar.gz", hash = "sha256:b2821547e9723f69cf3a986be4db64de41730be149b2641947ecd12e1e11025a"},
@@ -6603,6 +6608,7 @@ files = [
    {file = "xmltodict-1.0.4-py3-none-any.whl", hash = "sha256:a4a00d300b0e1c59fc2bfccb53d7b2e88c32f200df138a0dd2229f842497026a"},
    {file = "xmltodict-1.0.4.tar.gz", hash = "sha256:6d94c9f834dd9e44514162799d344d815a3a4faec913717a9ecbfa5be1bb8e61"},
 ]
+markers = {main = "extra == \"okta\""}

 [package.extras]
 test = ["pytest", "pytest-cov"]
@@ -6882,7 +6888,10 @@ files = [
    {file = "zstd-1.5.7.2.tar.gz", hash = "sha256:6d8684c69009be49e1b18ec251a5eb0d7e24f93624990a8a124a1da66a92fc8a"},
 ]

+[extras]
+okta = ["okta"]
+
 [metadata]
 lock-version = "2.1"
 python-versions = ">=3.10,<3.13"
-content-hash = "96359a9bfe4031fb0747c22eb4b00f2a008e3fb6d07189fa0fe6ee3875b1f913"
+content-hash = "95bcc1e65c79519df1fa78351a85986d1891d08f615fc7afaed754f268a0c944"
@@ -14,6 +14,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 ### 🔄 Changed

 - `entra_emergency_access_exclusion` check for M365 provider now scopes the exclusion requirement to enabled Conditional Access policies with a `Block` grant control instead of every enabled policy, focusing on the lockout-relevant policy set [(#10849)](https://github.com/prowler-cloud/prowler/pull/10849)
+- `okta` SDK dependency moved to a new `okta` optional extra; install with `pip install prowler[okta]` (or `poetry install --all-extras`) to use the Okta provider. Prevents resolution conflicts with downstream consumers pinning the legacy `okta<1.0.0` package

 ---

@@ -59,7 +59,6 @@ dependencies = [
  "microsoft-kiota-abstractions==1.9.2",
  "msgraph-sdk==1.55.0",
  "numpy==2.0.2",
-  "okta==3.4.2",
  "openstacksdk==4.2.0",
  "pandas==2.2.3",
  "py-ocsf-models==0.8.1",
@@ -98,6 +97,9 @@ readme = "README.md"
 requires-python = ">=3.10,<3.13"
 version = "5.27.0"

+[project.optional-dependencies]
+okta = ["okta==3.4.2"]
+
 [project.scripts]
 prowler = "prowler.__main__:prowler"

@@ -226,6 +226,5 @@ pnpm run test:e2e:ui
 - [ ] Relevant E2E tests pass
 - [ ] All UI states handled (loading, error, empty)
 - [ ] No secrets in code (use `.env.local`)
- [ ] New npm dependencies include package-health evidence (maintenance, popularity, known vulnerabilities, license, release age) and a rationale for not using existing/native alternatives.
 - [ ] Error messages sanitized
 - [ ] Server-side validation present
@@ -109,10 +109,10 @@ export function MyComponent() {

 ## Adding New shadcn Components

-When adding new shadcn components using the CLI, pin the reviewed CLI version instead of using `@latest`:
+When adding new shadcn components using the CLI:

 ```bash
-pnpm dlx shadcn@4.7.0 add [component-name]
+npx shadcn@latest add [component-name]
 ```

 The component will be automatically added to this directory due to the configuration in `components.json`:
@@ -28,8 +28,6 @@
    "test:e2e:headed": "playwright test --project=auth --project=sign-up --project=providers --project=invitations --project=scans --headed",
    "test:e2e:report": "playwright show-report",
    "test:e2e:install": "playwright install",
-    "audit": "pnpm audit --audit-level critical",
-    "audit:high": "pnpm audit --audit-level high",
    "audit:fix": "pnpm audit fix"
  },
  "dependencies": {
@@ -14,21 +14,20 @@ minimumReleaseAge: 1440

 # --- Level 2: Explicit Build Script Allow-list ---
 # Only these packages may run install/postinstall lifecycle scripts.
-# Any unlisted package with lifecycle scripts fails the install.
-strictDepBuilds: true
-allowBuilds:
+# Any unlisted package with lifecycle scripts will have them silently skipped.
+onlyBuiltDependencies:
  # sharp: Native image processing (libvips). Installs platform-specific pre-built binary or compiles from source.
-  sharp: true
+  - sharp
  # @sentry/cli: Downloads the sentry-cli native binary for the current platform. Validates integrity via SHA256.
-  "@sentry/cli": true
+  - "@sentry/cli"
  # esbuild: Go binary. Downloads the pre-compiled binary matching the current platform/architecture.
-  esbuild: true
+  - esbuild
  # @heroui/shared-utils: Demi pattern — detects React/Next.js version at install time and copies the compatible bundle (React 18 vs 19).
-  "@heroui/shared-utils": true
+  - "@heroui/shared-utils"
  # unrs-resolver: Rust module resolver (NAPI-RS). Verifies the correct native binding is available for the platform.
-  unrs-resolver: true
+  - unrs-resolver
  # msw: Copies mockServiceWorker.js into the directories listed in package.json's `msw.workerDirectory` (here: `public/`) so the runtime worker stays in sync with the installed msw version. Pure file copy — no native binary, no network access. Required for vitest browser tests to intercept fetches via the service worker.
-  msw: true
+  - msw

 # --- Level 3: Trust Policy + Exotic Subdeps ---
 # Fail when a package's trust evidence is downgraded (e.g., new publisher).