Migrating from ply library

[Jungorend]

Currently rule-engine uses ply as a dependency. According to its README, as of December of 2025, it will no longer be updated in any capacity.

A vulnerability was also recently discovered in sly that allows for remote code execution:
CVE-2025-56005

While rule-engine doesn't seem to use the offending parameter (pickle in the yacc function) and so is not currently vulnerable, it may be worth moving to a parser/lexer which is actively maintained in case of other vulnerabilities being discovered.

[zeroSteiner]

The last time I vaguely looked into migrating away from Ply led me to believe it would be a large effort. The parser of the project is just about the most complicated component. I just can't justify the investment of time to make this change because something might happen in a project that I'm not really relying on as much these days. The attack surface of Ply isn't that large, so I'm willing to take that chance. It'll become a problem when I need to shift the supported versions of Python, but I haven't even released a major version bump to drop 3.6, 3.7 and 3.8.

If someone else would like to look into this, I'd be happy to help with testing and merge the changes but to set realistic expectations, I'm not sinking my personal time into a massive rewrite at this time.

[yoms]

Hello,
First of all thanks for rules-engine, it is such an amazing tool.

I’m also interested in addressing this CVE. From your perspective, what would be the best replacement for PLY (if you have any suggestions)? I’d like to understand what it would take to replace it.

[zeroSteiner]

It would take rewriting the parser unless I could find a replacement with API compatibility, without the offending pickle related parameters of course. I'm also concerned that, depending on how the parser works, the AST construction logic may need to be updated as well.

There's nothing wrong with PLY from my point of view. The fact that it's unmaintained isn't great, but I've had no issues with it, and it's how I learned about parsers. The CVE in question is over hyped in my opinion, of course a pickle parameter could lead to code execution just like any parameter named cmd or command could. The fact that it's classified in the CVSS score as remotely exploitable on top of that is absurd.

You both clearly have interest in rule-engine though. If I forked PLY or vendored it and removed the code related to the CVE then continued to maintain it, would that meet your needs? I could look into the licensing for what that would mean if it'd satisfy the requirement.

[Jungorend]

I apologize for the late reply. That's fine! I would hate to make you do all that additional work if you're not using this actively. I'm more than happy to close this issue if you'd prefer.

[zeroSteiner]

Upstream PLY will be removed in v5.0 and replaced with a vendored copy. There's a feat/v5.0 branch right now I'm working on.

[yoms]

Wow, thanks a lot.

Sorry for the late reply.

[zeroSteiner]

Shipped in the 5.0.0a3 release. It's available on GitHub and PyPi.