Bumped the urllib3 and requests modules from dependabot alerts #695
Conversation
|
🚲 PR staged at http://104.155.186.123 |
There was a problem hiding this comment.
I don't see any changes to the requirements.in files; were the changes to the requirements.txt files made manually? We shouldn't touch those directly and instead use the .in as input to pip-compile. The reason we want to do this is for transitive-dependency purposes. e.g. bumping requests or urllib3 might in turn bump some transitive dependency requirements. Rather than chase them manually, you just let pip-compile do it for you!
|
Oh yes! I will update accordingly!! |
|
🚲 PR staged at http://104.155.186.123 |
|
🚲 PR staged at http://104.155.186.123 |
There was a problem hiding this comment.
Thanks for address these 2 Dependabot alerts — even loadgenerator!
Changes look good to me — seems like the requirements.txt files are now untouched.
I did a quick smoke test of the staging URL. Looks good.
…eCloudPlatform#695) * Bumped the urllib3 and requests modules from dependabot alerts * Bumped emailservice and loadgenerator * Ran pip compile
…eCloudPlatform#695) * Bumped the urllib3 and requests modules from dependabot alerts * Bumped emailservice and loadgenerator * Ran pip compile
Background
Dependabot alerts for urllib3 indicating
high severityin our email and recommendation serviceFixes
Relevant CVE description here
Change Summary
I bumped the urllib3 module to 1.26.5 and had to bump the requests module (to v2.27.1) as well to accommodate the bump in the emailservice, recommendationservice, and loadgenerator (the loadgenerator alert was closed earlier)
Additional Notes
n/a
Testing Procedure
Tested it locally, images built, and worked as expected!
Related PRs or Issues
n/a