Skip to content

Commit

Permalink
Upgrade requirements (#744)
Browse files Browse the repository at this point in the history
* Upgrade requirements

* Allow redis-py 5.x

* Upgrade requirements

* Upgrade requirements

* Upgrade requirements

* Pin docutils to support Python 3.8

* Upgrade requirements

* Upgrade requirements

* Upgrade requirements

* Upgrade requirements

* Upgrade requirements

* Migrate from Safety CLI 2.x to 3.x

* Ignore Jinja2 vulnerability 70612

We don't render Jinja templates.

Plus, "The maintainer and multiple third parties believe that this
vulnerability isn't valid because users shouldn't use untrusted
templates without sandboxing."

For more info:
https://data.safetycli.com/vulnerabilities/CVE-2019-8341/70612/
  • Loading branch information
brainix authored Jul 6, 2024
1 parent 21abb43 commit b611291
Show file tree
Hide file tree
Showing 6 changed files with 92 additions and 41 deletions.
7 changes: 5 additions & 2 deletions .github/workflows/python-package.yml
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,10 @@ jobs:
run: |
flake8 *\.py pottery/*\.py tests/*\.py --count --max-complexity=10 --statistics
isort *\.py pottery/*\.py tests/*\.py --check-only --diff
- name: Check for security vulnerabilities with Bandit and Safety
- name: Check for security vulnerabilities with Bandit
run: |
bandit --recursive pottery
safety check --file requirements.txt
- name: Check for security vulnerabilities with Safety
uses: pyupio/safety-action@v1
with:
api-key: ${{ secrets.SAFETY_API_KEY }}
42 changes: 42 additions & 0 deletions .safety-policy.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
version: '3.0'

scanning-settings:
max-depth: 6
exclude: []
include-files: []
system:
targets: []


report:
dependency-vulnerabilities:
enabled: true
auto-ignore-in-report:
python:
environment-results: true
unpinned-requirements: true
cvss-severity: []
vulnerabilities:
70612:
reason: "We don't render Jinja templates"
expires: '2024-12-31'


fail-scan-with-exit-code:
dependency-vulnerabilities:
enabled: true
fail-on-any-of:
cvss-severity:
- high
- critical
- medium
exploitability:
- high
- critical
- medium

security-updates:
dependency-vulnerabilities:
auto-security-updates-limit:
- patch

2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -81,7 +81,7 @@ test:
echo Running isort on $($@_SOURCE_FILES) && \
isort $($@_SOURCE_FILES) --check-only --diff && \
bandit --recursive pottery && \
safety check
safety scan


.PHONY: release
Expand Down
4 changes: 4 additions & 0 deletions requirements-to-freeze.txt
Original file line number Diff line number Diff line change
Expand Up @@ -54,3 +54,7 @@ requests>=2.20.0
# https://nvd.nist.gov/vuln/detail/CVE-2018-20060
# https://nvd.nist.gov/vuln/detail/CVE-2019-11324
urllib3>=1.24.2

# We don't need docutils at the top-level. However, it's pulled in from
# something else, and recent docutils doesn't support Python 3.8.
docutils==0.20.1
72 changes: 37 additions & 35 deletions requirements.txt
Original file line number Diff line number Diff line change
@@ -1,69 +1,71 @@
annotated-types==0.6.0
async-timeout==4.0.3
Authlib==1.3.0
bandit==1.7.8
certifi==2024.2.2
annotated-types==0.7.0
Authlib==1.3.1
bandit==1.7.9
certifi==2024.7.4
cffi==1.16.0
charset-normalizer==3.3.2
click==8.1.7
coverage==7.4.4
cryptography==42.0.5
coverage==7.5.4
cryptography==42.0.8
docutils==0.20.1
dparse==0.6.4b0
flake8==7.0.0
filelock==3.12.4
flake8==7.1.0
hiredis==2.3.2
idna==3.6
importlib_metadata==7.1.0
idna==3.7
importlib_metadata==8.0.0
iniconfig==2.0.0
isort==5.13.2
jaraco.classes==3.4.0
jaraco.context==5.3.0
jaraco.functools==4.0.0
Jinja2==3.1.3
keyring==25.1.0
jaraco.functools==4.0.1
Jinja2==3.1.4
keyring==25.2.1
markdown-it-py==3.0.0
MarkupSafe==2.1.5
marshmallow==3.21.1
marshmallow==3.21.3
mccabe==0.7.0
mdurl==0.1.2
mmh3==4.1.0
more-itertools==10.2.0
mypy==1.9.0
more-itertools==10.3.0
mypy==1.10.1
mypy-extensions==1.0.0
nh3==0.2.17
packaging==24.0
packaging==24.1
pbr==6.0.0
pkginfo==1.10.0
pluggy==1.4.0
pycodestyle==2.11.1
pluggy==1.5.0
pycodestyle==2.12.0
pycparser==2.22
pydantic==2.6.4
pydantic_core==2.16.3
pydantic==2.8.2
pydantic_core==2.20.1
pyflakes==3.2.0
Pygments==2.17.2
pytest==8.1.1
pytest-asyncio==0.23.6
Pygments==2.18.0
pytest==8.2.2
pytest-asyncio==0.23.7
pytest-cov==5.0.0
PyYAML==6.0.1
readme_renderer==43.0
redis==5.1.0b4
requests==2.31.0
redis==5.1.0b7
requests==2.32.3
requests-toolbelt==1.0.0
rfc3986==2.0.0
rich==13.7.1
ruamel.yaml==0.18.6
ruamel.yaml.clib==0.2.8
safety==3.1.0
safety==3.2.4
safety-schemas==0.0.2
setuptools==69.2.0
setuptools==70.2.0
shellingham==1.5.4
stevedore==5.2.0
twine==5.0.0
typer==0.12.1
types-pyOpenSSL==24.0.0.20240311
types-redis==4.6.0.20240311
typing_extensions==4.11.0
urllib3==2.2.1
twine==5.1.1
typer==0.12.3
types-cffi==1.16.0.20240331
types-pyOpenSSL==24.1.0.20240425
types-redis==4.6.0.20240425
types-setuptools==70.2.0.20240704
typing_extensions==4.12.2
urllib3==2.2.2
uvloop==0.19.0
wheel==0.43.0
zipp==3.18.1
zipp==3.19.2
6 changes: 3 additions & 3 deletions setup.py
Original file line number Diff line number Diff line change
Expand Up @@ -57,10 +57,10 @@
],
keywords=pottery.__keywords__,
python_requires='>=3.8, <4',
install_requires=('redis>=4.2.0rc1, <5', 'mmh3', 'typing_extensions'),
install_requires=('redis>=4.2.0rc1', 'mmh3', 'typing_extensions'),
extras_require={},
packages=find_packages(exclude=('contrib', 'docs', 'tests*')),
package_data={'pottery': ('py.typed',)},
data_files=tuple(),
package_data={'pottery': ['py.typed']},
data_files=[],
entry_points={},
)

0 comments on commit b611291

Please sign in to comment.