deps: bump msgpack requirement to 1.0.4

In this patch we bump msgpack requirement since version 1.0.4 has
various vulnerability fixes (for example, [1]). Since the code is still
compatible with msgpack-python and older msgpack, tests are not removed
in this patch.

1. msgpack/msgpack-python#153

Author: DifferentialOrange

.github/workflows/testing.yml

@@ -53,7 +53,7 @@ jobs:
             msgpack-deps: 'msgpack==0.6.2'
           - tarantool: '2.8'
             python: '3.10'
-            msgpack-deps: 'msgpack==1.0.0'
+            msgpack-deps: 'msgpack==1.0.4'
 
     steps:
       - name: Clone the connector
@@ -91,6 +91,17 @@ jobs:
           pip install ${{ matrix.msgpack-deps }}
           sed -i -e "s/^msgpack.*$/${{ matrix.msgpack-deps }}/" requirements.txt
 
+      - name: Install specific version of msgpack package
+        # We want to enforce using modern msgpack since it has
+        # various vulnerability fixes. But the code is compatible
+        # with older msgpack versions. To this test compatibility
+        # we must ignore requirements.txt install of the newer msgpack
+        # package by overwriting it with sed.
+        if: startsWith(matrix.msgpack-deps, 'msgpack==') == true
+        run: |
+          pip install ${{ matrix.msgpack-deps }}
+          sed -i -e "s/^msgpack.*$/${{ matrix.msgpack-deps }}/" requirements.txt
+
       - name: Install package requirements
         run: pip install -r requirements.txt
 

requirements.txt

@@ -1 +1 @@
-msgpack>=0.4.0
+msgpack>=1.0.4

setup.py

@@ -83,7 +83,7 @@ def find_version(*file_paths):
     cmdclass=cmdclass,
     command_options=command_options,
     install_requires=[
-        'msgpack>=0.4.0',
+        'msgpack>=1.0.4',
     ],
     python_requires='>=3',
 )