Fix: add timeoutheight_sync_interval parameter to finetune sync frequency or abort it completely

[PavelInjective]

Fixes the case, when the client produced too many requests and was limited by the grpc load balancer

Summary by CodeRabbit

• New Features

  • Introduced an optional parameter for timeout height synchronization in the AsyncClient, enhancing configurability.

• Bug Fixes

  • Added deprecation warnings for outdated methods, guiding users towards alternative options.

• Chores

  • Updated project version to 1.9.0-pre and clarified comments related to dependencies in the project configuration file.

[coderabbitai]

Walkthrough

The pull request introduces a new optional parameter timeoutheight_sync_interval to the __init__ method of the AsyncClient class in pyinjective/async_client.py. This parameter enhances the configurability of the timeout height synchronization process. Additionally, the project version is updated from 1.8.0 to 1.9.0-pre in pyproject.toml, with minor clarifications made to dependency comments. Several methods are marked for deprecation, ensuring backward compatibility while guiding users to alternative methods.

Changes

File	Change Summary
pyinjective/async_client.py	- Added timeoutheight_sync_interval parameter to __init__ method. - Updated _timeout_height_sync_process to use the new parameter. - Added deprecation warnings for several methods.
pyproject.toml	- Updated project version from 1.8.0 to 1.9.0-pre. - Clarified comments for aiohttp dependency.

Possibly related PRs

• Feat/sync dev with v1.8.0  #359: The changes in this PR involve modifications to the AsyncClient class, which are directly related to the changes made in the main PR regarding the __init__ method and timeout height synchronization.

Poem

🐰 In the code where rabbits hop,
A new parameter takes the top.
With timeouts set, we sync with glee,
Version bumps as fine as can be!
Deprecated paths we gently tread,
For future hops, our code is fed! 🌟

---

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between cc6beec and 411fb10.

📒 Files selected for processing (2)

• pyinjective/async_client.py (3 hunks)
• pyproject.toml (1 hunks)

🔇 Additional comments (3)

pyinjective/async_client.py (3)

102-102: LGTM! Well-structured parameter addition.

The new optional parameter timeoutheight_sync_interval is properly added with a sensible default value, maintaining backward compatibility.

---

3455-3457: LGTM! Clean implementation of conditional task initialization.

The initialization logic:

• Allows disabling sync by setting interval to None
• Properly handles cleanup of existing tasks
• Maintains thread safety

---

102-102: Verify impact on gRPC load balancer.

The changes provide control over sync frequency, but we should verify that the default interval (20s) is sufficient to prevent load balancer limitations.

Also applies to: 3455-3462

✅ Verification successful

Let me gather more specific information about the timeoutheight sync interval configuration.

---

Default interval of 20s is appropriate for load balancing

The code review shows that:

• The default interval of 20 seconds is reasonable and conservative
• The interval is configurable, allowing adjustment if needed
• The implementation includes proper task management with cancellation handling
• The sync process runs in a controlled async loop with proper sleep intervals

The default value provides sufficient spacing between gRPC requests to prevent overloading, while still maintaining timely updates. No issues found with the current implementation.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for any gRPC rate limiting or error patterns in the codebase
# that might indicate if the default interval needs adjustment.

# Search for gRPC error handling patterns
echo "Searching for gRPC error handling patterns..."
rg -A 5 "grpc\.RpcError|load.*balance|rate.*limit" 

# Search for existing timeout configurations
echo "Searching for other timeout/interval configurations..."
rg "DEFAULT_.*INTERVAL|DEFAULT_.*TIMEOUT"

Length of output: 135505

---

Script:

#!/bin/bash
# Search for DEFAULT_TIMEOUTHEIGHT_SYNC_INTERVAL definition and any related configurations
rg "DEFAULT_TIMEOUTHEIGHT_SYNC_INTERVAL" -A 3

# Search for any code that uses this interval
rg "timeoutheight_sync_interval" -A 3

Length of output: 2030

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Caution

Inline review comments failed to post. This is likely due to GitHub's limits when posting large numbers of comments.

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (2)

pyproject.toml (1)

Critical security vulnerabilities found - dependency constraints needed

Several critical security issues require immediate attention:

1. ecdsa with "*" versioning is dangerous:

   • CRITICAL severity vulnerability in versions < 0.13.3
   • HIGH severity Minerva timing attack in versions <= 0.18.0 (recent: Jan 2024)

2. requests with "*" versioning has multiple vulnerabilities:

   • MODERATE severity issues in versions < 2.32.0
   • Header leaks in versions < 2.31.0

3. grpcio with "*" versioning has HIGH severity issues:

   • Multiple "Excessive Iteration" vulnerabilities in various versions

Required actions:

• Add minimum version constraints for security:

  ecdsa = ">=0.18.1"
  requests = ">=2.32.0"
  grpcio = ">=1.56.2"
  

• Document the reason for protobuf=5.26.1 pinning
• Consider pinning other dependencies with "*" versioning for better reproducibility

🔗 Analysis chain

Line range hint 24-38: Verify security implications of dependency versions.

1. The aiohttp >= 3.9.4 constraint addresses a security issue (referenced in comment).
2. The strict pinning of protobuf to 5.26.1 should be reviewed.
3. Consider pinning more dependencies for better reproducibility.

Let's check for known vulnerabilities in key dependencies:

---

Security review needed for protobuf and other dependencies

The current protobuf version (5.26.1) is behind the latest version (5.28.3), though it's not affected by any known vulnerabilities. However:

1. The strict pinning to protobuf 5.26.1 should be documented with a comment explaining the reason, similar to aiohttp.
2. Several dependencies using "*" versioning (bech32, bip32, ecdsa, etc.) pose reproducibility and security risks.

Let's verify if these dependencies have known vulnerabilities:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check for security advisories in critical dependencies
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: PIP, package: "protobuf") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}
'

# Check latest versions of critical dependencies
echo "Latest protobuf version:"
curl -s https://pypi.org/pypi/protobuf/json | jq '.info.version'

Length of output: 1658

---

Script:

#!/bin/bash
# Check for security advisories in other critical dependencies
for pkg in "ecdsa" "web3" "requests" "grpcio"; do
  echo "Checking $pkg:"
  gh api graphql -f query="
  {
    securityVulnerabilities(first: 3, ecosystem: PIP, package: \"$pkg\") {
      nodes {
        advisory {
          summary
          severity
          publishedAt
        }
        vulnerableVersionRange
      }
    }
  }
  "
done

Length of output: 3218

pyinjective/async_client.py (1)

3461-3462: Consider adding validation for the interval value.

While the configurable interval achieves the goal of controlling sync frequency, very small values could still lead to high load. Consider adding validation to ensure the interval is not set too low.

def __init__(
    self,
    network: Network,
    insecure: Optional[bool] = None,
    credentials=None,
    timeoutheight_sync_interval: Optional[int] = DEFAULT_TIMEOUTHEIGHT_SYNC_INTERVAL,
):
+   if timeoutheight_sync_interval is not None and timeoutheight_sync_interval < 5:
+       raise ValueError("timeoutheight_sync_interval must be at least 5 seconds to prevent excessive load")
    self._timeoutheight_sync_interval = timeoutheight_sync_interval

🛑 Comments failed to post (1)

pyproject.toml (1)

3-3: 💡 Codebase verification

Version bump to 1.9.0-pre needs revision to align with release pattern

The version history shows that the project uses rc (release candidate) suffix for pre-releases (v1.9.0-rc1 through rc4) instead of -pre. The version should be updated to follow this established pattern.

• Consider changing version = "1.9.0-pre" to version = "1.9.0-rc1"

🔗 Analysis chain

Version bump to 1.9.0-pre looks appropriate.

The version increment from 1.8.0 to 1.9.0-pre aligns well with the introduction of the new timeoutheight_sync_interval parameter, which could potentially affect existing client behavior.

Let's verify if this follows the project's versioning pattern:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check version history pattern
gh api repos/InjectiveLabs/sdk-python/tags --jq '.[].name' | head -n 5

Length of output: 123