Bumped the urllib3 and requests modules from dependabot alerts #695
Conversation
🚲 PR staged at http://104.155.186.123 |
I don't see any changes to the requirements.in files; were the changes to the requirements.txt files made manually? We shouldn't touch those directly and instead use the .in as input to pip-compile. The reason we want to do this is for transitive-dependency purposes, e.g. bumping requests or urllib3 might in turn bump some transitive dependency requirements. Rather than chase them manually, you just let pip-compile do it for you!
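As an added example (not code from this PR or the project), a stdlib-only Python check of the workflow the reviewer describes: it verifies that a compiled requirements.txt carries the pip-compile banner (a hand-edited file will not) and pins at least the versions named in this PR (urllib3 1.26.5, requests 2.27.1). The two sample lockfiles are constructed for the demonstration.

```python
import re

REQUIRED_MINIMUMS = {"urllib3": "1.26.5", "requests": "2.27.1"}  # from the PR description
PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==(\d+(?:\.\d+)*)")  # name==numeric.version

def parse_version(v):
    """'1.26.5' -> (1, 26, 5) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def parse_pins(text):
    """Collect name==version pins; comments and '-r'/'--hash' lines are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-")):
            continue
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins

def is_pip_compile_output(text):
    """pip-compile writes this banner; its absence suggests a hand-edited file."""
    return "autogenerated by pip-compile" in text

def check_lockfile(text, minimums=REQUIRED_MINIMUMS):
    """Return {package: problem} for pins that are missing or below the minimum."""
    pins = parse_pins(text)
    problems = {}
    for name, minimum in minimums.items():
        pinned = pins.get(name)
        if pinned is None:
            problems[name] = "not pinned"
        elif parse_version(pinned) < parse_version(minimum):
            problems[name] = f"{pinned} < {minimum}"
    return problems

# Constructed sample in the shape of pip-compile output (not a real service file).
SAMPLE_COMPILED = """\
# This file is autogenerated by pip-compile with Python 3.9
#    pip-compile requirements.in
requests==2.27.1
    # via -r requirements.in
urllib3==1.26.5
    # via requests
"""
# Constructed sample of a hand-edited file that bumped requests but not urllib3.
SAMPLE_HAND_EDITED = "requests==2.27.1\nurllib3==1.25.11\n"

if __name__ == "__main__":
    for label, text in (("compiled", SAMPLE_COMPILED), ("hand-edited", SAMPLE_HAND_EDITED)):
        print(label, is_pip_compile_output(text), check_lockfile(text))
```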
Oh yes! I will update accordingly!!
Thanks for addressing these 2 Dependabot alerts — even loadgenerator!
Changes look good to me — seems like the requirements.txt files are now untouched.
I did a quick smoke test of the staging URL. Looks good.
LGTM!
…eCloudPlatform#695) * Bumped the urllib3 and requests modules from dependabot alerts * Bumped emailservice and loadgenerator * Ran pip compile
Background
Dependabot alerts for urllib3 indicating high severity in our email and recommendation service
Fixes
Relevant CVE description here
Change Summary
I bumped the urllib3 module to 1.26.5 and had to bump the requests module (to v2.27.1) as well to accommodate the bump in the emailservice, recommendationservice, and loadgenerator (the loadgenerator alert was closed earlier)
Additional Notes
n/a
Testing Procedure
Tested it locally, images built, and worked as expected!
Related PRs or Issues
n/a