Merge pull request #4665 from rmol/4379-update-urllib3

Update urllib3 to 1.25.3
freedomofpress · Aug 21, 2019 · a9087a2 · a9087a2
2 parents 97481eb + 53d0e7b
commit a9087a2
Show file tree

Hide file tree

Showing 11 changed files with 46 additions and 38 deletions.
diff --git a/admin/requirements-dev.in b/admin/requirements-dev.in
@@ -4,11 +4,10 @@ flake8
 flaky
 mock
 pbr
-pip-tools>=3.5.0,<4
+pip-tools>=4.0.0
 pylint
 pytest
-requests
+requests>=2.22.0
 tox
 pexpect
-# Needed for requests. Minimum version due to CVE-2018-20060
-urllib3>=1.23
+urllib3>=1.25.3
diff --git a/admin/requirements-dev.txt b/admin/requirements-dev.txt
@@ -2,7 +2,7 @@
 # This file is autogenerated by pip-compile
 # To update, run:
 #
-#    pip-compile --generate-hashes --output-file requirements-dev.txt requirements-dev.in
+#    pip-compile --generate-hashes --output-file=requirements-dev.txt requirements-dev.in
 #
 astroid==1.6.0 \
     --hash=sha256:71dadba2110008e2c03f9fde662ddd2053db3c0489d0e03c94e828a0399edd4f \
@@ -134,9 +134,9 @@ pbr==3.1.1 \
 pexpect==4.5.0 \
     --hash=sha256:9783f4644a3ef8528a6f20374eeb434431a650c797ca6d8df0d81e30fffdfa24 \
     --hash=sha256:9f8eb3277716a01faafaba553d629d3d60a1a624c7cf45daa600d2148c30020c
-pip-tools==3.5.0 \
-    --hash=sha256:0018485119986aebef136470c51bde85da736732079c687ab1d4c5eb5237e694 \
-    --hash=sha256:a395ca8bb32bcaea58c8da89a2518793d88b43b15152217ba117c4170e507af9
+pip-tools==4.0.0 \
+    --hash=sha256:3b9fb8948340eff5869ac83dc85e3a7c62b837cec33609c45c48c2e5aa740ba5 \
+    --hash=sha256:44469037863c3587b4c565caf258e2c752d4235c508cf8410a69164bb65ffc78
 pluggy==0.6.0 \
     --hash=sha256:7f8ae7f5bdf75671a718d2daf0a64b7885f74510bcd98b1a0bb420eb9a9d0cff \
     --hash=sha256:d345c8fe681115900d6da8d048ba67c25df42973bda370783cd58826442dcd7c \
@@ -164,9 +164,9 @@ pylint==1.8.1 \
 pytest==3.3.1 \
     --hash=sha256:ae4a2d0bae1098bbe938ecd6c20a526d5d47a94dc42ad7331c9ad06d0efe4962 \
     --hash=sha256:cf8436dc59d8695346fcd3ab296de46425ecab00d64096cebe79fb51ecb2eb93
-requests==2.20.0 \
-    --hash=sha256:99dcfdaaeb17caf6e526f32b6a7b780461512ab3f1d992187801694cba42770c \
-    --hash=sha256:a84b8c9ab6239b578f22d1c21d51b696dcfe004032bb80ea832398d6909d7279
+requests==2.22.0 \
+    --hash=sha256:11e007a8a2aa0323f5a921e9e6a2d7e4e67d9877e85773fba9ba6419025cbeb4 \
+    --hash=sha256:9cf5292fcd0f598c671cfc1e0d7d1a7f13bb8085e9a590f48c010551dc6c4b31
 singledispatch==3.4.0.3 \
     --hash=sha256:5b06af87df13818d14f08a028e42f566640aef80805c3b50c5056b086e3c2b9c \
     --hash=sha256:833b46966687b3de7f438c761ac475213e53b306740f1abfaa86e1d1aae56aa8 \
@@ -178,13 +178,17 @@ six==1.11.0 \
 tox==2.9.1 \
     --hash=sha256:752f5ec561c6c08c5ecb167d3b20f4f4ffc158c0ab78855701a75f5cef05f4b8 \
     --hash=sha256:8af30fd835a11f3ff8e95176ccba5a4e60779df4d96a9dfefa1a1704af263225
-urllib3==1.23 \
-    --hash=sha256:a68ac5e15e76e7e5dd2b8f94007233e01effe3e50e8daddf69acfd81cb686baf \
-    --hash=sha256:b5725a0bd4ba422ab0e66e89e030c806576753ea3ee08554382c14e685d117b5
+urllib3==1.25.3 \
+    --hash=sha256:b246607a25ac80bedac05c6f282e3cdaf3afb65420fd024ac94435cabe6e18d1 \
+    --hash=sha256:dbe59173209418ae49d485b87d1681aefa36252ee85884c31346debd19463232
 virtualenv==15.1.0 \
     --hash=sha256:02f8102c2436bb03b3ee6dede1919d1dac8a427541652e5ec95171ec8adbc93a \
     --hash=sha256:39d88b533b422825d644087a21e78c45cf5af0ef7a99a1fc9fbb7b481e5c85b0 \
     # via tox
 wrapt==1.10.11 \
     --hash=sha256:d4d560d479f2c21e1b5443bbd15fe7ec4b37fe7e53d335d3b9b0a7b1226fe3c6 \
     # via astroid
+
+# WARNING: The following packages were not pinned, but pip requires them to be
+# pinned when the requirements file includes hashes. Consider using the --allow-unsafe flag.
+# setuptools==41.2.0        # via d2to1, pytest
diff --git a/admin/requirements.txt b/admin/requirements.txt
@@ -2,7 +2,7 @@
 # This file is autogenerated by pip-compile
 # To update, run:
 #
-#    pip-compile --generate-hashes --output-file requirements.txt requirements.in requirements-ansible.in
+#    pip-compile --generate-hashes --output-file=requirements.txt requirements-ansible.in requirements.in
 #
 ansible==2.6.14 \
     --hash=sha256:412f130f4c5d1953ccd95f01b5a4675cbff4ba225762bafb74a2f3bb6c807827
@@ -170,3 +170,7 @@ wcwidth==0.1.7 \
     --hash=sha256:3df37372226d6e63e1b1e1eda15c594bca98a22d33a23832a90998faa96bc65e \
     --hash=sha256:f4ebe71925af7b40a864553f761ed559b43544f8f71746c2d756c7fe788ade7c \
     # via prompt-toolkit
+
+# WARNING: The following packages were not pinned, but pip requires them to be
+# pinned when the requirements file includes hashes. Consider using the --allow-unsafe flag.
+# setuptools==41.2.0        # via ansible
diff --git a/securedrop/requirements/python2/develop-requirements.in b/securedrop/requirements/python2/develop-requirements.in
@@ -12,7 +12,7 @@ molecule>=2.20.1
 # Needed for ansible network filter
 # http://docs.ansible.com/ansible/latest/playbooks_filters_ipaddr.html
 netaddr
-pip-tools>=3.8.0,<4
+pip-tools>=4.0.0
 pyenchant
 pylint
 pytest-xdist
@@ -23,5 +23,5 @@ sphinx-autobuild
 sphinx_rtd_theme
 testinfra
 # Needed for requests. Minimum version due to CVE-2018-20060
-urllib3>=1.23
+urllib3>=1.25.3
 yamllint
diff --git a/securedrop/requirements/python2/develop-requirements.txt b/securedrop/requirements/python2/develop-requirements.txt
@@ -71,7 +71,7 @@ pathspec==0.5.5           # via yamllint
 pathtools==0.1.2          # via sphinx-autobuild, watchdog
 pbr==5.1.1                # via git-url-parse, molecule, python-gilt, stevedore
 pexpect==4.6.0            # via molecule
-pip-tools==3.8.0
+pip-tools==4.0.0
 port-for==0.3.1           # via sphinx-autobuild
 poyo==0.4.1               # via cookiecutter
 psutil==5.4.6             # via molecule
@@ -93,7 +93,7 @@ python-gilt==1.2.1        # via molecule
 python-vagrant==0.5.15
 pytz==2017.2              # via babel
 pyyaml==3.13              # via ansible, ansible-lint, bandit, dparse, molecule, python-gilt, sphinx-autobuild, watchdog, yamllint
-requests==2.20.0          # via cookiecutter, docker-py, safety, sphinx
+requests==2.22.0          # via cookiecutter, docker-py, safety, sphinx
 ruamel.ordereddict==0.4.13  # via ruamel.yaml
 ruamel.yaml==0.15.97      # via ansible-lint
 s3transfer==0.1.12        # via boto3
@@ -114,13 +114,13 @@ testinfra==1.19.0
 tornado==4.5.1            # via livereload, sphinx-autobuild
 tree-format==0.1.2        # via molecule
 typing==3.6.6             # via flake8, sphinx
-urllib3==1.23
+urllib3==1.25.3
 watchdog==0.8.3           # via sphinx-autobuild
 websocket-client==0.44.0  # via docker-py
 whichcraft==0.4.1         # via cookiecutter
 wrapt==1.10.11            # via astroid
 yamllint==1.11.1
 
 # The following packages are considered to be unsafe in a requirements file:
-# pip==19.1.1               # via safety
-# setuptools==41.0.1        # via ansible, pytest, sphinx
+# pip==19.2.2               # via safety
+# setuptools==41.2.0        # via ansible, pytest, sphinx
diff --git a/securedrop/requirements/python2/test-requirements.in b/securedrop/requirements/python2/test-requirements.in
@@ -3,7 +3,7 @@ blinker
 Flask-Testing
 flaky
 mock
-pip-tools>=3.8.0,<4
+pip-tools>=4.0.0
 py
 pytest
 pytest-cov
@@ -13,3 +13,4 @@ requests[socks]>2.21.0
 selenium>=3.141.0
 tbselenium>=0.4.2
 pyvirtualdisplay
+urllib3>=1.25.3
diff --git a/securedrop/requirements/python2/test-requirements.txt b/securedrop/requirements/python2/test-requirements.txt
@@ -24,7 +24,7 @@ jinja2==2.10.1            # via flask
 markupsafe==1.0           # via jinja2
 mock==2.0.0
 pbr==3.1.1                # via mock
-pip-tools==3.8.0
+pip-tools==4.0.0
 pluggy==0.6.0             # via pytest
 py==1.5.2
 pysocks==1.6.8            # via requests
@@ -36,8 +36,8 @@ requests[socks]==2.22.0
 selenium==3.141.0
 six==1.11.0               # via mock, pip-tools, pytest
 tbselenium==0.4.2
-urllib3==1.24.1           # via requests, selenium
+urllib3==1.25.3
 werkzeug==0.14.1          # via flask
 
 # The following packages are considered to be unsafe in a requirements file:
-# setuptools==41.0.1        # via pytest
+# setuptools==41.2.0        # via pytest
diff --git a/securedrop/requirements/python3/develop-requirements.in b/securedrop/requirements/python3/develop-requirements.in
@@ -12,7 +12,7 @@ mypy
 # Needed for ansible network filter
 # http://docs.ansible.com/ansible/latest/playbooks_filters_ipaddr.html
 netaddr
-pip-tools>=3.8.0,<4
+pip-tools>=4.0.0
 pyenchant
 pylint
 pytest-xdist
@@ -22,6 +22,5 @@ sphinx
 sphinx-autobuild
 sphinx_rtd_theme
 testinfra
-# Needed for requests. Minimum version due to CVE-2018-20060
-urllib3>=1.23
+urllib3>=1.25.3
 yamllint
diff --git a/securedrop/requirements/python3/develop-requirements.txt b/securedrop/requirements/python3/develop-requirements.txt
@@ -65,7 +65,7 @@ pathspec==0.5.5           # via yamllint
 pathtools==0.1.2          # via sphinx-autobuild, watchdog
 pbr==5.1.1                # via git-url-parse, molecule, python-gilt, stevedore
 pexpect==4.6.0            # via molecule
-pip-tools==3.8.0
+pip-tools==4.0.0
 port_for==0.3.1           # via sphinx-autobuild
 poyo==0.4.1               # via cookiecutter
 psutil==5.4.6             # via molecule
@@ -87,7 +87,7 @@ python-gilt==1.2.1        # via molecule
 python-vagrant==0.5.15
 pytz==2017.2              # via babel
 pyyaml==3.13              # via ansible, ansible-lint, bandit, dparse, molecule, python-gilt, sphinx-autobuild, watchdog, yamllint
-requests==2.20.0          # via cookiecutter, docker-py, safety, sphinx
+requests==2.22.0          # via cookiecutter, docker-py, safety, sphinx
 ruamel.yaml==0.15.97      # via ansible-lint
 s3transfer==0.1.12        # via boto3
 safety==1.8.4
@@ -106,13 +106,13 @@ testinfra==1.19.0
 tornado==4.5.1            # via livereload, sphinx-autobuild
 tree-format==0.1.2        # via molecule
 typed-ast==1.3.5          # via mypy
-urllib3==1.23
+urllib3==1.25.3
 watchdog==0.8.3           # via sphinx-autobuild
 websocket-client==0.44.0  # via docker-py
 whichcraft==0.4.1         # via cookiecutter
 wrapt==1.10.11            # via astroid
 yamllint==1.11.1
 
 # The following packages are considered to be unsafe in a requirements file:
-# pip==19.1.1               # via safety
-# setuptools==41.0.1        # via ansible, pytest, sphinx
+# pip==19.2.2               # via safety
+# setuptools==41.2.0        # via ansible, pytest, sphinx
diff --git a/securedrop/requirements/python3/test-requirements.in b/securedrop/requirements/python3/test-requirements.in
@@ -3,7 +3,7 @@ blinker
 Flask-Testing
 flaky
 mock
-pip-tools>=3.8.0,<4
+pip-tools>=4.0.0
 py
 pytest
 pytest-cov
@@ -13,3 +13,4 @@ requests[socks]>2.21.0
 selenium>=3.141.0
 tbselenium>=0.4.2
 pyvirtualdisplay
+urllib3>=1.25.3
diff --git a/securedrop/requirements/python3/test-requirements.txt b/securedrop/requirements/python3/test-requirements.txt
@@ -26,7 +26,7 @@ mock==2.0.0
 more-itertools==7.1.0     # via pytest
 pathlib2==2.3.4           # via pytest
 pbr==3.1.1                # via mock
-pip-tools==3.8.0
+pip-tools==4.0.0
 pluggy==0.12.0            # via pytest
 py==1.5.2
 pysocks==1.6.8            # via requests
@@ -38,9 +38,9 @@ requests[socks]==2.22.0
 selenium==3.141.0
 six==1.11.0               # via mock, pathlib2, pip-tools, pytest
 tbselenium==0.4.2
-urllib3==1.24.1           # via requests, selenium
+urllib3==1.25.3
 werkzeug==0.14.1          # via flask
 zipp==0.5.1               # via importlib-metadata
 
 # The following packages are considered to be unsafe in a requirements file:
-# setuptools==41.0.1        # via pytest
+# setuptools==41.2.0        # via pytest