From 668a4542956dce8c81ebb619e776cfdbbbb56a25 Mon Sep 17 00:00:00 2001
From: Adrian Moennich
Date: Wed, 9 Nov 2022 16:31:25 +0100
Subject: [PATCH] Update (most) Python deps

---
 CHANGES.rst | 13 +++++++++++
 requirements.dev.txt | 38 ++++++++++++++++----------------
 requirements.in | 6 ++---
 requirements.txt | 52 ++++++++++++++++++++++----------------------
 4 files changed, 61 insertions(+), 48 deletions(-)

diff --git a/CHANGES.rst b/CHANGES.rst
index f359d46bbe7..1fb986717eb 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -7,6 +7,19 @@ Version 3.2.1
 *Unreleased*
+Security fixes
+^^^^^^^^^^^^^^
+
+- Update `cryptography `_ library due to
+ vulnerabilities in OpenSSL (CVE-2022-3602, CVE-2022-3786)
+
+.. note::
+
+ We do not think that Indico is affected by those vulnerabilities as it does
+ not use the *cryptography* library itself, and the dependency that uses it
+ is only used during SSO (OAuth) logins and most likely in a way that is not
+ vulnerable. It is nonetheless recommended to update as soon as possible.
+
 Internationalization
 ^^^^^^^^^^^^^^^^^^^^
diff --git a/requirements.dev.txt b/requirements.dev.txt
index e0b1eafa50c..1091c1a6758 100644
--- a/requirements.dev.txt
+++ b/requirements.dev.txt
@@ -23,7 +23,7 @@ babel==2.10.3
 # via
 # -c requirements.txt
 # sphinx
-build==0.8.0
+build==0.9.0
 # via pip-tools
 certifi==2022.9.24
 # via
@@ -40,9 +40,9 @@ click==8.1.3
 # flask-url-map-serializer
 # pip-tools
 # pyquotes
-colorama==0.4.5
+colorama==0.4.6
 # via sphinx-autobuild
-coverage[toml]==6.4.4
+coverage[toml]==6.5.0
 # via pytest-cov
 deprecated==1.2.13
 # via
@@ -53,6 +53,8 @@ docutils==0.17.1
 # plantweb
 # sphinx
 # sphinx-rtd-theme
+exceptiongroup==1.0.1
+ # via pytest
 flake8==5.0.4
 # via
 # -r requirements.dev.in
@@ -67,7 +69,7 @@ flask-url-map-serializer==0.0.1
 # via -r requirements.dev.in
 freezegun==1.2.2
 # via -r requirements.dev.in
-greenlet==1.1.3
+greenlet==2.0.1
 # via
 # -c requirements.txt
 # sqlalchemy
@@ -81,7 +83,7 @@ idna==3.4
 # requests
 imagesize==1.4.1
 # via sphinx
-importlib-metadata==4.12.0
+importlib-metadata==5.0.0
 # via
 # -c requirements.txt
 # flask
@@ -126,7 +128,7 @@ parso==0.8.3
 # pyquotes
 pep517==0.13.0
 # via build
-pip-tools==6.8.0
+pip-tools==6.9.0
 # via -r requirements.dev.in
 plantweb==1.2.1
 # via -r requirements.dev.in
@@ -134,10 +136,8 @@ pluggy==1.0.0
 # via pytest
 port-for==0.6.2
 # via pytest-redis
-psutil==5.9.2
+psutil==5.9.4
 # via mirakuru
-py==1.11.0
- # via pytest
 pycodestyle==2.9.1
 # via flake8
 pyflakes==2.5.0
@@ -153,7 +153,7 @@ pyparsing==3.0.9
 # packaging
 pyquotes==1.0.0
 # via -r requirements.dev.in
-pytest==7.1.3
+pytest==7.2.0
 # via
 # -r requirements.dev.in
 # pytest-cov
@@ -164,7 +164,7 @@ pytest-cov==4.0.0
 # via -r requirements.dev.in
 pytest-localserver[smtp]==0.7.0
 # via -r requirements.dev.in
-pytest-mock==3.9.0
+pytest-mock==3.10.0
 # via -r requirements.dev.in
 pytest-redis==2.4.0
 # via -r requirements.dev.in
@@ -174,11 +174,11 @@ python-dateutil==2.8.2
 # via
 # -c requirements.txt
 # freezegun
-pytz==2022.2.1
+pytz==2022.6
 # via
 # -c requirements.txt
 # babel
-pyupgrade==2.38.2
+pyupgrade==3.2.0
 # via -r requirements.dev.in
 pywatchman==1.4.1 ; python_version < "3.10"
 # via -r requirements.dev.in
@@ -203,7 +203,7 @@ six==1.16.0
 # sqlbag
 snowballstemmer==2.2.0
 # via sphinx
-sphinx==5.2.2
+sphinx==5.3.0
 # via
 # -r requirements.dev.in
 # sphinx-autobuild
@@ -213,7 +213,7 @@ sphinx-autobuild==2021.3.14
 # via -r requirements.dev.in
 sphinx-issues==3.0.1
 # via -r requirements.dev.in
-sphinx-rtd-theme==1.0.0
+sphinx-rtd-theme==1.1.1
 # via -r requirements.dev.in
 sphinxcontrib-applehelp==1.0.2
 # via sphinx
@@ -227,7 +227,7 @@ sphinxcontrib-qthelp==1.0.3
 # via sphinx
 sphinxcontrib-serializinghtml==1.1.5
 # via sphinx
-sqlalchemy==1.4.41
+sqlalchemy==1.4.43
 # via
 # -c requirements.txt
 # schemainspect
@@ -236,7 +236,7 @@ sqlbag==0.1.1617247075
 # via migra
 sqlparse==0.4.3
 # via -r requirements.dev.in
-tokenize-rt==4.2.1
+tokenize-rt==5.0.0
 # via pyupgrade
 tomli==2.0.1
 # via
@@ -255,13 +255,13 @@ werkzeug==2.2.2
 # -c requirements.txt
 # flask
 # pytest-localserver
-wheel==0.37.1
+wheel==0.38.3
 # via pip-tools
 wrapt==1.14.1
 # via
 # -c requirements.txt
 # deprecated
-zipp==3.8.1
+zipp==3.10.0
 # via
 # -c requirements.txt
 # importlib-metadata
diff --git a/requirements.in b/requirements.in
index 9db64c1b137..4d69b031abc 100644
--- a/requirements.in
+++ b/requirements.in
@@ -1,6 +1,6 @@
 alembic
 authlib
-babel
+babel<2.11 # big update, not right before a release
 bcrypt
 bleach[css]
 blinker
@@ -19,12 +19,12 @@ flask-marshmallow
 flask-migrate
 flask-multipass
 flask-pluginengine
-flask-sqlalchemy
+flask-sqlalchemy<3 # separate PR: https://github.com/indico/indico/pull/5522
 flask-webpackext
 flask-wtf
 flask
 html2text
-icalendar
+icalendar<5 # major update, not right before a release
 indico-fonts
 ipython
 itsdangerous
diff --git a/requirements.txt b/requirements.txt
index f231b453fc6..853246d2fc1 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -10,7 +10,7 @@ alembic==1.8.1
 # flask-migrate
 amqp==5.1.1
 # via kombu
-asttokens==2.0.8
+asttokens==2.1.0
 # via
 # sentry-sdk
 # stack-data
@@ -26,7 +26,7 @@ babel==2.10.3
 # flask-babel
 backcall==0.2.0
 # via ipython
-bcrypt==4.0.0
+bcrypt==4.0.1
 # via -r requirements.in
 billiard==3.6.4.0
 # via celery
@@ -73,7 +73,7 @@ colorclass==2.2.2
 # via -r requirements.in
 commonmark==0.9.1
 # via rich
-cryptography==38.0.1
+cryptography==38.0.3
 # via authlib
 decorator==5.1.1
 # via ipython
@@ -81,7 +81,7 @@ deprecated==1.2.13
 # via
 # limits
 # redis
-distro==1.7.0
+distro==1.8.0
 # via -r requirements.in
 dnspython==2.2.1
 # via email-validator
@@ -89,7 +89,7 @@ email-validator==1.2.1
 # via
 # -r requirements.in
 # wtforms
-executing==1.1.0
+executing==1.2.0
 # via
 # sentry-sdk
 # stack-data
@@ -113,7 +113,7 @@ flask-babel==2.0.0
 # via -r requirements.in
 flask-caching==2.0.1
 # via -r requirements.in
-flask-limiter==2.6.3
+flask-limiter==2.7.0
 # via -r requirements.in
 flask-marshmallow==0.14.0
 # via -r requirements.in
@@ -131,7 +131,7 @@ flask-webpackext==1.0.2
 # via -r requirements.in
 flask-wtf==1.0.1
 # via -r requirements.in
-greenlet==1.1.3
+greenlet==2.0.1
 # via sqlalchemy
 hiredis==2.0.0
 # via redis
@@ -145,13 +145,13 @@ idna==3.4
 # via
 # email-validator
 # requests
-importlib-metadata==4.12.0
+importlib-metadata==5.0.0
 # via
 # flask
 # markdown
 indico-fonts==1.1
 # via -r requirements.in
-ipython==8.5.0
+ipython==8.6.0
 # via -r requirements.in
 itsdangerous==2.1.2
 # via
@@ -166,11 +166,11 @@ jinja2==3.1.2
 # flask
 # flask-babel
 # flask-pluginengine
-jsonschema==4.16.0
+jsonschema==4.17.0
 # via -r requirements.in
 kombu==5.2.4
 # via celery
-limits==2.7.0
+limits==2.7.1
 # via flask-limiter
 lxml[html5]==4.9.1
 # via
@@ -196,7 +196,7 @@ marshmallow==3.18.0
 # marshmallow-oneofschema
 # marshmallow-sqlalchemy
 # webargs
-marshmallow-dataclass[enum]==8.5.8
+marshmallow-dataclass[enum]==8.5.9
 # via -r requirements.in
 marshmallow-enum==1.5.1
 # via
@@ -226,17 +226,17 @@ pexpect==4.8.0
 # via ipython
 pickleshare==0.7.5
 # via ipython
-pillow==9.2.0
+pillow==9.3.0
 # via
 # -r requirements.in
 # captcha
 # reportlab
-prompt-toolkit==3.0.31
+prompt-toolkit==3.0.32
 # via
 # -r requirements.in
 # click-repl
 # ipython
-psycopg2==2.9.3
+psycopg2==2.9.5
 # via -r requirements.in
 ptyprocess==0.7.0
 # via pexpect
@@ -259,9 +259,9 @@ pynpm==0.1.2
 # pywebpack
 pyparsing==3.0.9
 # via packaging
-pypdf2==2.11.0
+pypdf2==2.11.1
 # via -r requirements.in
-pyrsistent==0.18.1
+pyrsistent==0.19.2
 # via jsonschema
 python-dateutil==2.8.2
 # via
@@ -269,7 +269,7 @@ python-dateutil==2.8.2
 # feedgen
 # icalendar
 # wtforms-dateutil
-pytz==2022.2.1
+pytz==2022.6
 # via
 # -r requirements.in
 # babel
@@ -288,13 +288,13 @@ redis[hiredis]==4.3.4
 # via
 # -r requirements.in
 # celery
-reportlab==3.6.11
+reportlab==3.6.12
 # via -r requirements.in
 requests==2.28.1
 # via -r requirements.in
-rich==12.5.1
+rich==12.6.0
 # via flask-limiter
-sentry-sdk[celery,flask,pure_eval,sqlalchemy]==1.9.9
+sentry-sdk[celery,flask,pure_eval,sqlalchemy]==1.10.1
 # via -r requirements.in
 simplejson==3.17.6
 # via -r requirements.in
@@ -308,7 +308,7 @@ six==1.16.0
 # python-dateutil
 speaklater==1.3
 # via -r requirements.in
-sqlalchemy==1.4.41
+sqlalchemy==1.4.43
 # via
 # -r requirements.in
 # alembic
@@ -316,19 +316,19 @@ sqlalchemy==1.4.41
 # marshmallow-sqlalchemy
 # sentry-sdk
 # wtforms-sqlalchemy
-stack-data==0.5.1
+stack-data==0.6.0
 # via ipython
 terminaltables==3.1.10
 # via -r requirements.in
 tinycss2==1.1.1
 # via bleach
-traitlets==5.4.0
+traitlets==5.5.0
 # via
 # ipython
 # matplotlib-inline
 translitcodec==0.7.0
 # via -r requirements.in
-typing-extensions==4.3.0
+typing-extensions==4.4.0
 # via
 # flask-limiter
 # limits
@@ -374,7 +374,7 @@ wtforms-sqlalchemy==0.3
 # via -r requirements.in
 xlsxwriter==3.0.3
 # via -r requirements.in
-zipp==3.8.1
+zipp==3.10.0
 # via importlib-metadata
 # The following packages are considered to be unsafe in a requirements file: