From a36977c43c1c5eb3e5d1f77119a91c908b1bca8e Mon Sep 17 00:00:00 2001
From: Aaron Bach
Date: Sat, 28 Oct 2023 18:39:10 -0600
Subject: [PATCH] Pin `urllib` version to address CVEs
---
 poetry.lock | 21 +++++++++++----------
 pyproject.toml | 1 +
 2 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/poetry.lock b/poetry.lock
index 05e6e96f..201c443a 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 1.6.1 and should not be changed by hand.
+# This file is automatically @generated by Poetry 1.5.1 and should not be changed by hand.
 
 [[package]]
 name = "aiohttp"
@@ -1141,8 +1141,8 @@ astroid = ">=3.0.1,<=3.1.0-dev0"
 colorama = {version = ">=0.4.5", markers = "sys_platform == \"win32\""}
 dill = [
 {version = ">=0.2", markers = "python_version < \"3.11\""},
+{version = ">=0.3.6", markers = "python_version >= \"3.11\""},
 {version = ">=0.3.7", markers = "python_version >= \"3.12\""},
-{version = ">=0.3.6", markers = "python_version >= \"3.11\" and python_version < \"3.12\""},
 ]
 isort = ">=4.2.5,<6"
 mccabe = ">=0.6,<0.8"
@@ -1708,19 +1708,20 @@ files = [
 
 [[package]]
 name = "urllib3"
-version = "1.26.14"
+version = "2.0.7"
 description = "HTTP library with thread-safe connection pooling, file post, and more."
 optional = false
-python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*"
+python-versions = ">=3.7"
 files = [
-{file = "urllib3-1.26.14-py2.py3-none-any.whl", hash = "sha256:75edcdc2f7d85b137124a6c3c9fc3933cdeaa12ecb9a6a959f22797a0feca7e1"},
-{file = "urllib3-1.26.14.tar.gz", hash = "sha256:076907bf8fd355cde77728471316625a4d2f7e713c125f51953bb5b3eecf4f72"},
+{file = "urllib3-2.0.7-py3-none-any.whl", hash = "sha256:fdb6d215c776278489906c2f8916e6e7d4f5a9b602ccbcfdf7f016fc8da0596e"},
+{file = "urllib3-2.0.7.tar.gz", hash = "sha256:c97dfde1f7bd43a71c8d2a58e369e9b2bf692d1334ea9f9cae55add7d0dd0f84"},
 ]
 
 [package.extras]
-brotli = ["brotli (>=1.0.9)", "brotlicffi (>=0.8.0)", "brotlipy (>=0.6.0)"]
-secure = ["certifi", "cryptography (>=1.3.4)", "idna (>=2.0.0)", "ipaddress", "pyOpenSSL (>=0.14)", "urllib3-secure-extra"]
-socks = ["PySocks (>=1.5.6,!=1.5.7,<2.0)"]
+brotli = ["brotli (>=1.0.9)", "brotlicffi (>=0.8.0)"]
+secure = ["certifi", "cryptography (>=1.9)", "idna (>=2.0.0)", "pyopenssl (>=17.1.0)", "urllib3-secure-extra"]
+socks = ["pysocks (>=1.5.6,!=1.5.7,<2.0)"]
+zstd = ["zstandard (>=0.18.0)"]
 
 [[package]]
 name = "uvicorn"
@@ -1938,4 +1939,4 @@ multidict = ">=4.0"
 [metadata]
 lock-version = "2.0"
 python-versions = "^3.9.0"
-content-hash = "5884fffa144eb095c4b6e2ec9bf2640b1d1da7d967631b250309cb126e420f77"
+content-hash = "43dc477341f3daf4a3ee9d57ff76bf0fc6e4e52e3f54daf9c0c839411f596f99"
diff --git a/pyproject.toml b/pyproject.toml
index 73ce8b56..dcc5ddcd 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -73,6 +73,7 @@ rapidfuzz = ">=2.13,<4.0"
 uvicorn = ">=0.19.0"
 uvloop = ">=0.17,<0.20"
 voluptuous = "^0.13.1"
+urllib3 = ">=1.26.18"
 
 [tool.poetry.group.dev.dependencies]
 GitPython = ">=3.1.35"
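Review bot: `urllib3 = ">=1.26.18"` in the pyproject.toml hunk is a floor, not a pin — the subject says "Pin", yet the constraint admits any future major release, and the accompanying lock already resolves it to 2.0.7, a jump from 1.26.14 across a major-version boundary that the commit does not mention; whether anything in this project or its dependants relies on 1.x-only urllib3 APIs cannot be told from this hunk. If only the patched 1.26 line is needed, `urllib3 = ">=1.26.18,<2.0"` keeps this a security patch; if 2.x is intended, bound it the way the neighbouring entries are (`uvloop = ">=0.17,<0.20"`), e.g. `urllib3 = ">=1.26.18,<3.0"`, and place the key before `uvicorn` so the list stays alphabetical. Because this is a direct constraint added only to force a transitive package forward, it needs a why-comment, and a security commit should name its advisories — the subject says "CVEs" without an ID and calls the package `urllib` (the stdlib module) rather than `urllib3`; something like `# Direct constraint only to pull in the urllib3 security fixes named in the commit; drop once dependants require >=1.26.18` above the key, with the actual CVE IDs filled in, would let a future maintainer know it is safe to remove. The enclosing `[tool.poetry.dependencies]` table begins outside the hunk.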