Security concerns due to lazy-imports package in the python generator #21831

@Thommy257

Description

I don't want to be a buzzkill or step on someone's toes. Still, with that change, you are potentially pushing a dependency with nine GitHub stars and two maintainers into millions of micro-services. I'd reconsider...

Originally posted by @Thommy257 in #21486 (comment)

Hi all,

In your latest release, v7.15.0, you included a package called lazy-imports required to run the generated API client code (see #21486). Due to a lack of maintenance and public verification, this package poses a significant security risk. I suggest undoing this change or internalising it into openapi-generator.

Also, this PR probably broke many CI/CD pipelines. And for those that didn't break, many microservices got silently injected with a package not verified by a large open source community.
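One way a team could have caught the silent addition described in this issue before the regenerated client shipped: an allowlist check over the generated client's requirements, run in CI after each regeneration. This is an added example, not code from the issue or from openapi-generator; the requirement lines and the allowlist are constructed samples, and the `lazy-imports` line carries no version because the issue does not state one.

```python
"""Fail CI when a regenerated client pulls in a dependency nobody reviewed.

Added example (not part of openapi-generator): compares the requirements of a
generated Python client against an allowlist agreed at review time.
"""
import re
from typing import Iterable

# A PEP 508 line begins with the distribution name; extras, specifiers,
# markers and URLs that follow the name are irrelevant to this check.
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")


def normalize(name: str) -> str:
    """PEP 503 normalisation: 'Lazy_Imports' and 'lazy-imports' are one project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_names(lines: Iterable[str]) -> set[str]:
    """Extract normalised project names from requirements.txt-style lines."""
    names = set()
    for line in lines:
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith("-"):   # skip pip options such as -r / -e
            continue
        m = _NAME_RE.match(line)
        if m:
            names.add(normalize(m.group(1)))
    return names


def unexpected_dependencies(requirements: Iterable[str],
                            allowlist: Iterable[str]) -> set[str]:
    """Dependencies of the generated client that are not on the reviewed allowlist."""
    allowed = {normalize(n) for n in allowlist}
    return requirement_names(requirements) - allowed


# Constructed sample: a regenerated client's requirements after a generator
# upgrade, plus the allowlist the team signed off on for the previous version.
GENERATED_REQUIREMENTS = """
urllib3 >= 1.25.3
python-dateutil >= 2.8.2
pydantic >= 2
typing-extensions >= 4.7.1
lazy-imports   # newly written by the generator, never reviewed
""".splitlines()

REVIEWED_ALLOWLIST = ["urllib3", "python_dateutil", "pydantic", "typing-extensions"]

if __name__ == "__main__":
    extra = unexpected_dependencies(GENERATED_REQUIREMENTS, REVIEWED_ALLOWLIST)
    if extra:
        raise SystemExit(f"unreviewed dependencies in generated client: {sorted(extra)}")
```

Pinning the generator version in the pipeline and running this check on every regeneration turns a dependency change like this one into a failed build that a human has to approve, rather than a package that reaches production unnoticed.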
