Upgrade workstation-bootstrap packages

Motivated by CVE-2024-6345 in `setuptools`. But just upgrading `setuptools` forces upgrades of `pip`, which in turn requires a newer `packaging`, which then needs a newer `flit-core`. But that is then incompatible with `pep517`, so upgrade `build` to drop that dependency. Upgraded packages: * setuptools 54.0.0 -> 70.3.0 * setuptools-scm 5.0.2 -> 8.1.0 * pip 21.3.1 -> 24.1.2 * packaging 20.9 -> 24.1 * flit-core 2.3.0 -> 3.9.0 * build 0.3.0 -> 1.2.1 * colorama is skipped, it isn't hard dependency and only needed for Windows anyways * pep517 0.9.1 -> pyproject_hooks 1.1.0 (package was kind of renamed) Dropped dependencies: * pyparsing * pytoml * toml Fixes #500.
freedomofpress · Jul 22, 2024 · ef70cb4 · ef70cb4
1 parent 581e5b1
commit ef70cb4
Show file tree

Hide file tree

Showing 21 changed files with 145 additions and 116 deletions.
diff --git a/scripts/update-requirements b/scripts/update-requirements
@@ -10,7 +10,7 @@ from pathlib import Path
 
 import utils
 
-SKIP_PACKAGES = ["pyqt5", "sip"]
+SKIP_PACKAGES = ["pyqt5", "sip", "colorama"]
 
 
 def parse_args():

diff --git a/scripts/utils.py b/scripts/utils.py
@@ -121,6 +121,10 @@ def get_poetry_hashes(
 
     for package in parsed_toml.get("package", []):
         package_name = normalize(package["name"])
+        if path_to_poetry_lock.parent.name == "workstation-bootstrap" and package_name == "colorama":
+            # HACK: see <https://github.com/pypa/build/blob/1.2.1/pyproject.toml#L38>, this dependency
+            # isn't actually needed and complicates bootstrapping by needing hatchling too
+            continue
         if package_name in relevant_dependencies:
             package_name_and_version = f"{package_name}=={package['version']}"
             dependencies[package_name_and_version] = [

diff --git a/workstation-bootstrap/build-requirements.txt b/workstation-bootstrap/build-requirements.txt
@@ -1,13 +1,10 @@
-build==0.3.0 --hash=sha256:3fe8fac398ae76f534dee92c0db01c2960e271094f8cd52aa9d24a633c244e59
+build==1.2.1 --hash=sha256:246810623c6c053ba7c52f2c1913a6f4fa26f04c0a751e3b1a49c8740354634a
 cython==0.29.33 --hash=sha256:927f6456a45d2b3e7d57ef0a4a2a6abfe7973d6adad79c0d5a69da5fc0c8ea74 --hash=sha256:067ef67c2876aadc7654b33916d076ef15b162cc6eacee621d8ddc1bd5717cb7
-flit-core==2.3.0 --hash=sha256:a14d6cca50a51eff2c418fc3f8e887cd31a3233a6b465451fd57074e232d7c4c
-packaging==20.9 --hash=sha256:44698376bc57a48290dc82bfdc20d339684856b24d6b8c3760b284de4eebc498
-pep517==0.9.1 --hash=sha256:bfe04a1859fd3cbd3bc2a1ffd2a6dbf30e912bf7fc36ed55d4c838d642c55934
-pip==21.3.1 --hash=sha256:6934731b2bc2162636cf88173c73bf2318d78fe5793be14f5d4634a526fdb5c2
-pyparsing==2.4.7 --hash=sha256:4d00a1a6d2bf41a459fa6f47d41a1c5d157715283c2dc4a4b291972037bc9620
+flit-core==3.9.0 --hash=sha256:5b9ab0f0009e02f80bb59c27d57a3cf160cca6375d074cafd0ea84f0d342be31
+packaging==24.1 --hash=sha256:a5d5fa1aaade614246beb5d96d7bf502a03bbd2373ed4a4fc70eed3e7ce790a0
+pip==24.1.2 --hash=sha256:45941b49b443d67e8f2c820b4fa9d4aa916326f897abfa1068914f1b0ebc6eb2
+pyproject-hooks==1.1.0 --hash=sha256:1058f6b6ac3f83e7220aef532e4357ce45416160b270c787788975d32ed11eb1
 pytest-runner==5.3.0 --hash=sha256:3084ada00452395171c8f10199d2b5d3b74c6948518c2b6bd75e948c77ca2280
-pytoml==0.1.21 --hash=sha256:97e4f6bd5d1d2a32f82d5c6ec9bb90a1b60db3af81b6427ee9a5949021d56d7b
-setuptools==54.0.0 --hash=sha256:d55810b08ce4cef4d4e354e4fc1013c435abf3a9712daa4f48dcfc8694f4722f
-setuptools-scm==5.0.2 --hash=sha256:96d120093688708a75155802077cc3fefd4352b2b5e30386821e86bbc4c8c402
-toml==0.10.2 --hash=sha256:931471fdf4a532e4095922de7eb81ef13da584d91af4f93e2e7284b29f56a65b
+setuptools==70.3.0 --hash=sha256:663e40f0f62eed3ee04ec66d5a8bb2c36a365b98639bf52f050a2a857a704e38
+setuptools-scm==8.1.0 --hash=sha256:ed687948d45961dba39e0931955234cce9e42fcfc3da1c8a635c2abbebd1d15e
 wheel==0.36.2 --hash=sha256:870fcd67bd55da8e73be17468e970d365ad926ac9c5fee0e00ad778019c579d9
diff --git a/workstation-bootstrap/poetry.lock b/workstation-bootstrap/poetry.lock
diff --git a/workstation-bootstrap/pyproject.toml b/workstation-bootstrap/pyproject.toml
@@ -7,11 +7,12 @@ license = "GPLv3+"
 readme = "README.md"
 
 [tool.poetry.dependencies]
-python = "^3.9"
-build = "0.3.0"
+python = "^3.11"
+build = "1.2.1"
 wheel = "0.36.2"
-pip = "21.3.1"
-setuptools-scm = "5.0.2"
+pip = "24.1.2"
+setuptools = "70.3.0"
+setuptools-scm = "8.1.0"
 pytest-runner = "5.3.0"
 cython = "0.29.33"
-flit-core = "2.3.0"
+flit-core = "3.9.0"
diff --git a/workstation-bootstrap/sha256sums.txt b/workstation-bootstrap/sha256sums.txt
@@ -3,26 +3,40 @@
 5040764c4a4d2ce964a395da24f0d1ae58144995dab92c6b96f44c3f4d72286a  Cython-0.29.33.tar.gz
 3fe8fac398ae76f534dee92c0db01c2960e271094f8cd52aa9d24a633c244e59  build-0.3.0-py2.py3-none-any.whl
 0eb95b2c8d770d7c4c9b92c68c227c350bbf65f3ec83551ace9097c18cc15fdd  build-0.3.0.tar.gz
+246810623c6c053ba7c52f2c1913a6f4fa26f04c0a751e3b1a49c8740354634a  build-1.2.1-py3-none-any.whl
+526263f4870c26f26c433545579475377b2b7588b6f1eac76a001e873ae3e19d  build-1.2.1.tar.gz
 a14d6cca50a51eff2c418fc3f8e887cd31a3233a6b465451fd57074e232d7c4c  flit_core-2.3.0-py2.py3-none-any.whl
 a50bcd8bf5785e3a7d95434244f30ba693e794c5204ac1ee908fc07c4acdbf80  flit_core-2.3.0.tar.gz
+5b9ab0f0009e02f80bb59c27d57a3cf160cca6375d074cafd0ea84f0d342be31  flit_core-3.9.0-py3-none-any.whl
+72ad266176c4a3fcfab5f2930d76896059851240570ce9a98733b658cb786eba  flit_core-3.9.0.tar.gz
 44698376bc57a48290dc82bfdc20d339684856b24d6b8c3760b284de4eebc498  packaging-20.9-py2.py3-none-any.whl
 5b327ac1320dc863dca72f4514ecc086f31186744b84a230374cc1fd776feae5  packaging-20.9.tar.gz
+a5d5fa1aaade614246beb5d96d7bf502a03bbd2373ed4a4fc70eed3e7ce790a0  packaging-24.1-py3-none-any.whl
+026ed72c8ed3fcce5bf8950572258698927fd1dbda10a5e981cdf0ac37f4f002  packaging-24.1.tar.gz
 bfe04a1859fd3cbd3bc2a1ffd2a6dbf30e912bf7fc36ed55d4c838d642c55934  pep517-0.9.1-py2.py3-none-any.whl
 aeb78601f2d1aa461960b43add204cc7955667687fbcf9cdb5170f00556f117f  pep517-0.9.1.tar.gz
 f266816461e421e2bbdb61e6e122d01fe638b5710698879ab283cc456aabd1d1  pip-21.0.1-py3-none-any.whl
 99bbde183ec5ec037318e774b0d8ae0a64352fe53b2c7fd630be1d07e94f41e5  pip-21.0.1.tar.gz
 6934731b2bc2162636cf88173c73bf2318d78fe5793be14f5d4634a526fdb5c2  pip-21.3.1-py3-none-any.whl
 fd11ba3d0fdb4c07fbc5ecbba0b1b719809420f25038f8ee3cd913d3faa3033a  pip-21.3.1.tar.gz
+45941b49b443d67e8f2c820b4fa9d4aa916326f897abfa1068914f1b0ebc6eb2  pip-24.1.2-py3-none-any.whl
+e5458a0b89f2755e0ee8c0c77613fe5273e05f337907874d64f13171a898a7ff  pip-24.1.2.tar.gz
 4d00a1a6d2bf41a459fa6f47d41a1c5d157715283c2dc4a4b291972037bc9620  pyparsing-2.4.7-py2.py3-none-any.whl
 c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1  pyparsing-2.4.7.tar.gz
+1058f6b6ac3f83e7220aef532e4357ce45416160b270c787788975d32ed11eb1  pyproject_hooks-1.1.0-py3-none-any.whl
+4b37730834edbd6bd37f26ece6b44802fb1c1ee2ece0e54ddff8bfc06db86965  pyproject_hooks-1.1.0.tar.gz
 ca3f58ff4957e8be6c54c55d575b235725cbbcf4dc0d5091c29c6444cfc8a5fe  pytest-runner-5.3.0.tar.gz
 3084ada00452395171c8f10199d2b5d3b74c6948518c2b6bd75e948c77ca2280  pytest_runner-5.3.0-py3-none-any.whl
 97e4f6bd5d1d2a32f82d5c6ec9bb90a1b60db3af81b6427ee9a5949021d56d7b  pytoml-0.1.21-py2.py3-none-any.whl
 8eecf7c8d0adcff3b375b09fe403407aa9b645c499e5ab8cac670ac4a35f61e7  pytoml-0.1.21.tar.gz
 d55810b08ce4cef4d4e354e4fc1013c435abf3a9712daa4f48dcfc8694f4722f  setuptools-54.0.0-py3-none-any.whl
 34efee89c4c879204f5739ec6d9d3635195b0b7d2b51e25c9261a327367ec5ff  setuptools-54.0.0.tar.gz
+663e40f0f62eed3ee04ec66d5a8bb2c36a365b98639bf52f050a2a857a704e38  setuptools-70.3.0-py3-none-any.whl
+f171bab1dfbc86b132997f26a119f6056a57950d058587841a0082e8830f9dc5  setuptools-70.3.0.tar.gz
 96d120093688708a75155802077cc3fefd4352b2b5e30386821e86bbc4c8c402  setuptools_scm-5.0.2-py2.py3-none-any.whl
 83a0cedd3449e3946307811a4c7b9d89c4b5fd464a2fb5eeccd0a5bb158ae5c8  setuptools_scm-5.0.2.tar.gz
+ed687948d45961dba39e0931955234cce9e42fcfc3da1c8a635c2abbebd1d15e  setuptools_scm-8.1.0-py3-none-any.whl
+42dea1b65771cba93b7a515d65a65d8246e560768a66b9106a592c8e7f26c8a7  setuptools_scm-8.1.0.tar.gz
 931471fdf4a532e4095922de7eb81ef13da584d91af4f93e2e7284b29f56a65b  toml-0.10.2-py2.py3-none-any.whl
 b3bda1d108d5dd99f4a20d24d9c348e91c4db7ab1b749200bded2f839ccbe68f  toml-0.10.2.tar.gz
 870fcd67bd55da8e73be17468e970d365ad926ac9c5fee0e00ad778019c579d9  wheel-0.36.2-py2.py3-none-any.whl

diff --git a/workstation-bootstrap/sha256sums.txt.asc b/workstation-bootstrap/sha256sums.txt.asc
@@ -1,16 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 
-iQIzBAABCgAdFiEEg9DHSm9f9xHUeVQP4MkLmHLhbXMFAmV3qcYACgkQ4MkLmHLh
-bXNN3w/8DFUAUII261AhYbO/7VryxUrHy0HnzfejNw8/jDyGzSLd9IHKvJGdl8YD
-2nFiKlY5a38xZYaymHqdp2/cncFwO3IIuNAXWeLI+ucoD4Wj0yr+kOfwSbHMoEiS
-ff88v+QUad+Z6AfJh36ADQZ7r1oDOeBnNg481hRT0OqEutMLpK9EsVUqtGHhAKyj
-XPFbSk5XbGQuuEJ5ROX8QBHZ8Rkfzlc+Ir1QreV0W0RDIP811l6xoru0xevPa5RL
-HlK7lRfb574upHny5OaElxFEVJpe8Yv/STpwjHS6dvdslmnJvGOiMdMSmccDpch3
-wX56+/nAMyH9JD2CrpJrrS6qMAOhHljSLyN9wZA1SGlXxX30Hf7YkqrqOfHXf9yL
-cieTmEVWKZakxVRNi3MTuyu3fpXTBl8HLn5FDSuXQTv8SH0L6KbFndKicoNDtXx8
-aACYZEV3zIkAtd2pdoFUYoicHi3v7AwDSYRXPbrDaGWMYJYlaMAbvSSuNLFsJLZH
-1365vvCXZ9l1oA55U0xbeMmYPvjLHmI7Nhk/auA24B5ajG0Cq70bLhJuoobTZjtC
-crdL/UY42XuMsjCvLa7+7uNCcQFJL1va/Gw5hAr+qhj1ud+9KWiN0Kzbghk54Vao
-7wXFJXDFW5MOGVJQ9z2tlV3oNSTeeRZz6yjtGQ/ylEmUnVz0J68=
-=zu+Q
+iQIzBAABCAAdFiEE2MtZ8F27ngU4xIGd8QX4EBsFJpsFAmaeeMcACgkQ8QX4EBsF
+JpuLvw//ae7xNktqI9L/AqlueVgtR0dgdG9tM673LA9QB2jw+7keokum3b6CcPhK
+P1dZzk784TvVwvGGne8uJEHwsnKNGcI0e57/70S8WIs4hj2dqjO8zfWXknLdnYTn
+/K9BVBWsadgyL0vODb43cDQJs6R9HhBUChUMEZF3dozIuGTBmC2jKSMYVfoXt2+E
+wgJWWPSdJ/1dTzrK8tF8OSpN67r3MqrKKcfvHpxADadyFuu7y+JvUmwfA0XHd61I
+svFBaG4r3/vNgg+OYYI6fR9SUfVVwWfUWJtmwzfWii8pqE1f2JbdMHqqPQ69WxXB
+rrJcofrgtB460v0JYADz+MqNM2Wun/WzxONNnO78ZT7Cdq+tQrWprTYVcjNZGXc0
+hVowICVoUKUrblm4zMlNRQ9dQxJU3UCbIUcx67FXdYFqpt6MW/u9/0gkUNJlT1QP
+U1qjz6v23yTx1iZRPfLV6Oks72L95WvpTfXXePJ2ihsz7J3bPyjLPLYKUGukU7Lo
+36Zkz7mHTJ6iu1OYSGByNVHAy/bszLllpuXAfNlGakuDb9a5wvrUGgPXRB4IC3eq
+JcL1rp+T/cQBd2tosCqTdoYZPQoaln0/cij/iYpX6JpYTsurNc3mPOZltjSaMrV8
+DtK2YZ6y+4QcHeHWa1m0H4/c98EGqKxinWPtreeGu6hlf0fgZxs=
+=OGDn
 -----END PGP SIGNATURE-----
diff --git a/workstation-bootstrap/wheels/build-1.2.1-py3-none-any.whl b/workstation-bootstrap/wheels/build-1.2.1-py3-none-any.whl
diff --git a/workstation-bootstrap/wheels/build-1.2.1.tar.gz b/workstation-bootstrap/wheels/build-1.2.1.tar.gz
diff --git a/workstation-bootstrap/wheels/flit_core-3.9.0-py3-none-any.whl b/workstation-bootstrap/wheels/flit_core-3.9.0-py3-none-any.whl