From 2d3cf5b1c53dfd7c4e71f9a46cab0a6940f10a2f Mon Sep 17 00:00:00 2001 From: John Hensley Date: Fri, 9 Aug 2019 16:57:06 -0400 Subject: [PATCH 1/2] Update urllib3 to 1.25.3 Admin also needed pip-tools==4.0.0 to work with pip>=19.2, which is added to the bootstrapped virtualenv. --- admin/requirements-dev.in | 7 +++--- admin/requirements-dev.txt | 24 +++++++++++-------- admin/requirements.txt | 6 ++++- .../python2/develop-requirements.in | 2 +- .../python2/develop-requirements.txt | 8 +++---- .../requirements/python2/test-requirements.in | 1 + .../python2/test-requirements.txt | 2 +- .../python3/develop-requirements.in | 3 +-- .../python3/develop-requirements.txt | 6 ++--- .../requirements/python3/test-requirements.in | 1 + .../python3/test-requirements.txt | 2 +- 11 files changed, 35 insertions(+), 27 deletions(-) diff --git a/admin/requirements-dev.in b/admin/requirements-dev.in index bacdd28456..466806ac6a 100644 --- a/admin/requirements-dev.in +++ b/admin/requirements-dev.in @@ -4,11 +4,10 @@ flake8 flaky mock pbr -pip-tools>=3.5.0,<4 +pip-tools>=4.0.0 pylint pytest -requests +requests>=2.22.0 tox pexpect -# Needed for requests. Minimum version due to CVE-2018-20060 -urllib3>=1.23 +urllib3>=1.25.3 diff --git a/admin/requirements-dev.txt b/admin/requirements-dev.txt index 5249512984..ba2025ce75 100644 --- a/admin/requirements-dev.txt +++ b/admin/requirements-dev.txt @@ -2,7 +2,7 @@ # This file is autogenerated by pip-compile # To update, run: # -# pip-compile --generate-hashes --output-file requirements-dev.txt requirements-dev.in +# pip-compile --generate-hashes --output-file=requirements-dev.txt requirements-dev.in # astroid==1.6.0 \ --hash=sha256:71dadba2110008e2c03f9fde662ddd2053db3c0489d0e03c94e828a0399edd4f \ 
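Review bot: The rationale comment `# Needed for requests. Minimum version due to CVE-2018-20060` is deleted together with the old `urllib3>=1.23` floor in admin/requirements-dev.in, so the file no longer records why urllib3 carries an explicit minimum at all; securedrop/requirements/python3/develop-requirements.in drops it the same way, while the python2 counterpart keeps the comment unchanged as the floor moves to 1.25.3, so it now cites an advisory the old pin already satisfied. The new `urllib3>=1.25.3` entries in both test-requirements.in files are added without any comment either. Keep one comment beside each new floor and update it, e.g. `# Needed for requests. Minimum version raised for security fixes; see <ADVISORY-ID>`, so the next bump can be checked against a stated reason. The commit message names only the version, not the motivation, so the inline comment is the only place that reasoning would live.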
@@ -134,9 +134,9 @@ pbr==3.1.1 \ pexpect==4.5.0 \ --hash=sha256:9783f4644a3ef8528a6f20374eeb434431a650c797ca6d8df0d81e30fffdfa24 \ --hash=sha256:9f8eb3277716a01faafaba553d629d3d60a1a624c7cf45daa600d2148c30020c -pip-tools==3.5.0 \ - --hash=sha256:0018485119986aebef136470c51bde85da736732079c687ab1d4c5eb5237e694 \ - --hash=sha256:a395ca8bb32bcaea58c8da89a2518793d88b43b15152217ba117c4170e507af9 +pip-tools==4.0.0 \ + --hash=sha256:3b9fb8948340eff5869ac83dc85e3a7c62b837cec33609c45c48c2e5aa740ba5 \ + --hash=sha256:44469037863c3587b4c565caf258e2c752d4235c508cf8410a69164bb65ffc78 pluggy==0.6.0 \ --hash=sha256:7f8ae7f5bdf75671a718d2daf0a64b7885f74510bcd98b1a0bb420eb9a9d0cff \ --hash=sha256:d345c8fe681115900d6da8d048ba67c25df42973bda370783cd58826442dcd7c \ @@ -164,9 +164,9 @@ pylint==1.8.1 \ pytest==3.3.1 \ --hash=sha256:ae4a2d0bae1098bbe938ecd6c20a526d5d47a94dc42ad7331c9ad06d0efe4962 \ --hash=sha256:cf8436dc59d8695346fcd3ab296de46425ecab00d64096cebe79fb51ecb2eb93 -requests==2.20.0 \ - --hash=sha256:99dcfdaaeb17caf6e526f32b6a7b780461512ab3f1d992187801694cba42770c \ - --hash=sha256:a84b8c9ab6239b578f22d1c21d51b696dcfe004032bb80ea832398d6909d7279 +requests==2.22.0 \ + --hash=sha256:11e007a8a2aa0323f5a921e9e6a2d7e4e67d9877e85773fba9ba6419025cbeb4 \ + --hash=sha256:9cf5292fcd0f598c671cfc1e0d7d1a7f13bb8085e9a590f48c010551dc6c4b31 singledispatch==3.4.0.3 \ --hash=sha256:5b06af87df13818d14f08a028e42f566640aef80805c3b50c5056b086e3c2b9c \ --hash=sha256:833b46966687b3de7f438c761ac475213e53b306740f1abfaa86e1d1aae56aa8 \ 
@@ -178,9 +178,9 @@ six==1.11.0 \ tox==2.9.1 \ --hash=sha256:752f5ec561c6c08c5ecb167d3b20f4f4ffc158c0ab78855701a75f5cef05f4b8 \ --hash=sha256:8af30fd835a11f3ff8e95176ccba5a4e60779df4d96a9dfefa1a1704af263225 -urllib3==1.23 \ - --hash=sha256:a68ac5e15e76e7e5dd2b8f94007233e01effe3e50e8daddf69acfd81cb686baf \ - --hash=sha256:b5725a0bd4ba422ab0e66e89e030c806576753ea3ee08554382c14e685d117b5 +urllib3==1.25.3 \ + --hash=sha256:b246607a25ac80bedac05c6f282e3cdaf3afb65420fd024ac94435cabe6e18d1 \ + --hash=sha256:dbe59173209418ae49d485b87d1681aefa36252ee85884c31346debd19463232 virtualenv==15.1.0 \ --hash=sha256:02f8102c2436bb03b3ee6dede1919d1dac8a427541652e5ec95171ec8adbc93a \ --hash=sha256:39d88b533b422825d644087a21e78c45cf5af0ef7a99a1fc9fbb7b481e5c85b0 \ @@ -188,3 +188,7 @@ virtualenv==15.1.0 \ wrapt==1.10.11 \ --hash=sha256:d4d560d479f2c21e1b5443bbd15fe7ec4b37fe7e53d335d3b9b0a7b1226fe3c6 \ # via astroid + +# WARNING: The following packages were not pinned, but pip requires them to be +# pinned when the requirements file includes hashes. Consider using the --allow-unsafe flag. +# setuptools==41.0.1 # via d2to1, pytest diff --git a/admin/requirements.txt b/admin/requirements.txt index ab462da482..0459e6803f 100644 --- a/admin/requirements.txt +++ b/admin/requirements.txt @@ -2,7 +2,7 @@ # This file is autogenerated by pip-compile # To update, run: # -# pip-compile --generate-hashes --output-file requirements.txt requirements.in requirements-ansible.in +# pip-compile --generate-hashes --output-file=requirements.txt requirements-ansible.in requirements.in # ansible==2.6.14 \ --hash=sha256:412f130f4c5d1953ccd95f01b5a4675cbff4ba225762bafb74a2f3bb6c807827 
@@ -170,3 +170,7 @@ wcwidth==0.1.7 \ --hash=sha256:3df37372226d6e63e1b1e1eda15c594bca98a22d33a23832a90998faa96bc65e \ --hash=sha256:f4ebe71925af7b40a864553f761ed559b43544f8f71746c2d756c7fe788ade7c \ # via prompt-toolkit + +# WARNING: The following packages were not pinned, but pip requires them to be +# pinned when the requirements file includes hashes. Consider using the --allow-unsafe flag. +# setuptools==41.0.1 # via ansible diff --git a/securedrop/requirements/python2/develop-requirements.in b/securedrop/requirements/python2/develop-requirements.in index c4ce5d0463..066cc5fcd6 100644 --- a/securedrop/requirements/python2/develop-requirements.in +++ b/securedrop/requirements/python2/develop-requirements.in @@ -23,5 +23,5 @@ sphinx-autobuild sphinx_rtd_theme testinfra # Needed for requests. Minimum version due to CVE-2018-20060 -urllib3>=1.23 +urllib3>=1.25.3 yamllint diff --git a/securedrop/requirements/python2/develop-requirements.txt b/securedrop/requirements/python2/develop-requirements.txt index d66fc8d4b3..cc4efcb0c0 100644 --- a/securedrop/requirements/python2/develop-requirements.txt +++ b/securedrop/requirements/python2/develop-requirements.txt @@ -71,7 +71,7 @@ pathspec==0.5.5 # via yamllint pathtools==0.1.2 # via sphinx-autobuild, watchdog pbr==5.1.1 # via git-url-parse, molecule, python-gilt, stevedore pexpect==4.6.0 # via molecule -pip-tools==3.8.0 +pip-tools==3.9.0 port-for==0.3.1 # via sphinx-autobuild poyo==0.4.1 # via cookiecutter psutil==5.4.6 # via molecule @@ -93,7 +93,7 @@ python-gilt==1.2.1 # via molecule python-vagrant==0.5.15 pytz==2017.2 # via babel pyyaml==3.13 # via ansible, ansible-lint, bandit, dparse, molecule, python-gilt, sphinx-autobuild, watchdog, yamllint -requests==2.20.0 # via cookiecutter, docker-py, safety, sphinx +requests==2.22.0 # via cookiecutter, docker-py, safety, sphinx ruamel.ordereddict==0.4.13 # via ruamel.yaml ruamel.yaml==0.15.97 # via ansible-lint s3transfer==0.1.12 # via boto3 
@@ -114,7 +114,7 @@ testinfra==1.19.0 tornado==4.5.1 # via livereload, sphinx-autobuild tree-format==0.1.2 # via molecule typing==3.6.6 # via flake8, sphinx -urllib3==1.23 +urllib3==1.25.3 watchdog==0.8.3 # via sphinx-autobuild websocket-client==0.44.0 # via docker-py whichcraft==0.4.1 # via cookiecutter @@ -122,5 +122,5 @@ wrapt==1.10.11 # via astroid yamllint==1.11.1 # The following packages are considered to be unsafe in a requirements file: -# pip==19.1.1 # via safety +# pip==19.2.1 # via safety # setuptools==41.0.1 # via ansible, pytest, sphinx diff --git a/securedrop/requirements/python2/test-requirements.in b/securedrop/requirements/python2/test-requirements.in index 083c2b82e5..ed41cff966 100644 --- a/securedrop/requirements/python2/test-requirements.in +++ b/securedrop/requirements/python2/test-requirements.in @@ -13,3 +13,4 @@ requests[socks]>2.21.0 selenium>=3.141.0 tbselenium>=0.4.2 pyvirtualdisplay +urllib3>=1.25.3 diff --git a/securedrop/requirements/python2/test-requirements.txt b/securedrop/requirements/python2/test-requirements.txt index 52db3c44e0..7ca2c8c7b5 100644 --- a/securedrop/requirements/python2/test-requirements.txt +++ b/securedrop/requirements/python2/test-requirements.txt @@ -36,7 +36,7 @@ requests[socks]==2.22.0 selenium==3.141.0 six==1.11.0 # via mock, pip-tools, pytest tbselenium==0.4.2 -urllib3==1.24.1 # via requests, selenium +urllib3==1.25.3 werkzeug==0.14.1 # via flask # The following packages are considered to be unsafe in a requirements file: diff --git a/securedrop/requirements/python3/develop-requirements.in b/securedrop/requirements/python3/develop-requirements.in index 2cfb75651f..b7a5b5080e 100644 --- a/securedrop/requirements/python3/develop-requirements.in +++ b/securedrop/requirements/python3/develop-requirements.in @@ -22,6 +22,5 @@ sphinx sphinx-autobuild sphinx_rtd_theme testinfra -# Needed for requests. Minimum version due to CVE-2018-20060 -urllib3>=1.23 +urllib3>=1.25.3 yamllint 
diff --git a/securedrop/requirements/python3/develop-requirements.txt b/securedrop/requirements/python3/develop-requirements.txt index 9c4c70ab99..c3292beda1 100644 --- a/securedrop/requirements/python3/develop-requirements.txt +++ b/securedrop/requirements/python3/develop-requirements.txt @@ -87,7 +87,7 @@ python-gilt==1.2.1 # via molecule python-vagrant==0.5.15 pytz==2017.2 # via babel pyyaml==3.13 # via ansible, ansible-lint, bandit, dparse, molecule, python-gilt, sphinx-autobuild, watchdog, yamllint -requests==2.20.0 # via cookiecutter, docker-py, safety, sphinx +requests==2.22.0 # via cookiecutter, docker-py, safety, sphinx ruamel.yaml==0.15.97 # via ansible-lint s3transfer==0.1.12 # via boto3 safety==1.8.4 @@ -106,7 +106,7 @@ testinfra==1.19.0 tornado==4.5.1 # via livereload, sphinx-autobuild tree-format==0.1.2 # via molecule typed-ast==1.3.5 # via mypy -urllib3==1.23 +urllib3==1.25.3 watchdog==0.8.3 # via sphinx-autobuild websocket-client==0.44.0 # via docker-py whichcraft==0.4.1 # via cookiecutter @@ -114,5 +114,5 @@ wrapt==1.10.11 # via astroid yamllint==1.11.1 # The following packages are considered to be unsafe in a requirements file: -# pip==19.1.1 # via safety +# pip==19.2.1 # via safety # setuptools==41.0.1 # via ansible, pytest, sphinx diff --git a/securedrop/requirements/python3/test-requirements.in b/securedrop/requirements/python3/test-requirements.in index 083c2b82e5..ed41cff966 100644 --- a/securedrop/requirements/python3/test-requirements.in +++ b/securedrop/requirements/python3/test-requirements.in @@ -13,3 +13,4 @@ requests[socks]>2.21.0 selenium>=3.141.0 tbselenium>=0.4.2 pyvirtualdisplay +urllib3>=1.25.3 diff --git a/securedrop/requirements/python3/test-requirements.txt b/securedrop/requirements/python3/test-requirements.txt index e4943f8415..abf3cb7a75 100644 --- a/securedrop/requirements/python3/test-requirements.txt +++ b/securedrop/requirements/python3/test-requirements.txt 
@@ -38,7 +38,7 @@ requests[socks]==2.22.0 selenium==3.141.0 six==1.11.0 # via mock, pathlib2, pip-tools, pytest tbselenium==0.4.2 -urllib3==1.24.1 # via requests, selenium +urllib3==1.25.3 werkzeug==0.14.1 # via flask zipp==0.5.1 # via importlib-metadata From 53d0e7b68f932d445dd49f7dfaa9167b93fc5f18 Mon Sep 17 00:00:00 2001 From: John Hensley Date: Wed, 21 Aug 2019 10:34:57 -0400 Subject: [PATCH 2/2] Update to pip-tools 4.0.0 everywhere --- admin/requirements-dev.txt | 2 +- admin/requirements.txt | 2 +- securedrop/requirements/python2/develop-requirements.in | 2 +- securedrop/requirements/python2/develop-requirements.txt | 6 +++--- securedrop/requirements/python2/test-requirements.in | 2 +- securedrop/requirements/python2/test-requirements.txt | 4 ++-- securedrop/requirements/python3/develop-requirements.in | 2 +- securedrop/requirements/python3/develop-requirements.txt | 6 +++--- securedrop/requirements/python3/test-requirements.in | 2 +- securedrop/requirements/python3/test-requirements.txt | 4 ++-- 10 files changed, 16 insertions(+), 16 deletions(-) diff --git a/admin/requirements-dev.txt b/admin/requirements-dev.txt index ba2025ce75..8e4761a5dd 100644 --- a/admin/requirements-dev.txt +++ b/admin/requirements-dev.txt @@ -191,4 +191,4 @@ wrapt==1.10.11 \ # WARNING: The following packages were not pinned, but pip requires them to be # pinned when the requirements file includes hashes. Consider using the --allow-unsafe flag. -# setuptools==41.0.1 # via d2to1, pytest +# setuptools==41.2.0 # via d2to1, pytest diff --git a/admin/requirements.txt b/admin/requirements.txt index 0459e6803f..c6f4324bfc 100644 --- a/admin/requirements.txt +++ b/admin/requirements.txt @@ -173,4 +173,4 @@ wcwidth==0.1.7 \ # WARNING: The following packages were not pinned, but pip requires them to be # pinned when the requirements file includes hashes. Consider using the --allow-unsafe flag. -# setuptools==41.0.1 # via ansible +# setuptools==41.2.0 # via ansible 
diff --git a/securedrop/requirements/python2/develop-requirements.in b/securedrop/requirements/python2/develop-requirements.in index 066cc5fcd6..6ce9fe8a54 100644 --- a/securedrop/requirements/python2/develop-requirements.in +++ b/securedrop/requirements/python2/develop-requirements.in @@ -12,7 +12,7 @@ molecule>=2.20.1 # Needed for ansible network filter # http://docs.ansible.com/ansible/latest/playbooks_filters_ipaddr.html netaddr -pip-tools>=3.8.0,<4 +pip-tools>=4.0.0 pyenchant pylint pytest-xdist diff --git a/securedrop/requirements/python2/develop-requirements.txt b/securedrop/requirements/python2/develop-requirements.txt index cc4efcb0c0..6a8fc9e1ed 100644 --- a/securedrop/requirements/python2/develop-requirements.txt +++ b/securedrop/requirements/python2/develop-requirements.txt @@ -71,7 +71,7 @@ pathspec==0.5.5 # via yamllint pathtools==0.1.2 # via sphinx-autobuild, watchdog pbr==5.1.1 # via git-url-parse, molecule, python-gilt, stevedore pexpect==4.6.0 # via molecule -pip-tools==3.9.0 +pip-tools==4.0.0 port-for==0.3.1 # via sphinx-autobuild poyo==0.4.1 # via cookiecutter psutil==5.4.6 # via molecule @@ -122,5 +122,5 @@ wrapt==1.10.11 # via astroid yamllint==1.11.1 # The following packages are considered to be unsafe in a requirements file: -# pip==19.2.1 # via safety -# setuptools==41.0.1 # via ansible, pytest, sphinx +# pip==19.2.2 # via safety +# setuptools==41.2.0 # via ansible, pytest, sphinx diff --git a/securedrop/requirements/python2/test-requirements.in b/securedrop/requirements/python2/test-requirements.in index ed41cff966..fffb61160c 100644 --- a/securedrop/requirements/python2/test-requirements.in +++ b/securedrop/requirements/python2/test-requirements.in @@ -3,7 +3,7 @@ blinker Flask-Testing flaky mock -pip-tools>=3.8.0,<4 +pip-tools>=4.0.0 py pytest pytest-cov diff --git a/securedrop/requirements/python2/test-requirements.txt b/securedrop/requirements/python2/test-requirements.txt index 7ca2c8c7b5..fd11a717fb 100644 
--- a/securedrop/requirements/python2/test-requirements.txt +++ b/securedrop/requirements/python2/test-requirements.txt @@ -24,7 +24,7 @@ jinja2==2.10.1 # via flask markupsafe==1.0 # via jinja2 mock==2.0.0 pbr==3.1.1 # via mock -pip-tools==3.8.0 +pip-tools==4.0.0 pluggy==0.6.0 # via pytest py==1.5.2 pysocks==1.6.8 # via requests @@ -40,4 +40,4 @@ urllib3==1.25.3 werkzeug==0.14.1 # via flask # The following packages are considered to be unsafe in a requirements file: -# setuptools==41.0.1 # via pytest +# setuptools==41.2.0 # via pytest diff --git a/securedrop/requirements/python3/develop-requirements.in b/securedrop/requirements/python3/develop-requirements.in index b7a5b5080e..aef00e1d1d 100644 --- a/securedrop/requirements/python3/develop-requirements.in +++ b/securedrop/requirements/python3/develop-requirements.in @@ -12,7 +12,7 @@ mypy # Needed for ansible network filter # http://docs.ansible.com/ansible/latest/playbooks_filters_ipaddr.html netaddr -pip-tools>=3.8.0,<4 +pip-tools>=4.0.0 pyenchant pylint pytest-xdist diff --git a/securedrop/requirements/python3/develop-requirements.txt b/securedrop/requirements/python3/develop-requirements.txt index c3292beda1..9471850c66 100644 --- a/securedrop/requirements/python3/develop-requirements.txt +++ b/securedrop/requirements/python3/develop-requirements.txt @@ -65,7 +65,7 @@ pathspec==0.5.5 # via yamllint pathtools==0.1.2 # via sphinx-autobuild, watchdog pbr==5.1.1 # via git-url-parse, molecule, python-gilt, stevedore pexpect==4.6.0 # via molecule -pip-tools==3.8.0 +pip-tools==4.0.0 port_for==0.3.1 # via sphinx-autobuild poyo==0.4.1 # via cookiecutter psutil==5.4.6 # via molecule @@ -114,5 +114,5 @@ wrapt==1.10.11 # via astroid yamllint==1.11.1 # The following packages are considered to be unsafe in a requirements file: -# pip==19.2.1 # via safety -# setuptools==41.0.1 # via ansible, pytest, sphinx +# pip==19.2.2 # via safety +# setuptools==41.2.0 # via ansible, pytest, sphinx 
diff --git a/securedrop/requirements/python3/test-requirements.in b/securedrop/requirements/python3/test-requirements.in index ed41cff966..fffb61160c 100644 --- a/securedrop/requirements/python3/test-requirements.in +++ b/securedrop/requirements/python3/test-requirements.in @@ -3,7 +3,7 @@ blinker Flask-Testing flaky mock -pip-tools>=3.8.0,<4 +pip-tools>=4.0.0 py pytest pytest-cov diff --git a/securedrop/requirements/python3/test-requirements.txt b/securedrop/requirements/python3/test-requirements.txt index abf3cb7a75..9290aeb050 100644 --- a/securedrop/requirements/python3/test-requirements.txt +++ b/securedrop/requirements/python3/test-requirements.txt @@ -26,7 +26,7 @@ mock==2.0.0 more-itertools==7.1.0 # via pytest pathlib2==2.3.4 # via pytest pbr==3.1.1 # via mock -pip-tools==3.8.0 +pip-tools==4.0.0 pluggy==0.12.0 # via pytest py==1.5.2 pysocks==1.6.8 # via requests @@ -43,4 +43,4 @@ werkzeug==0.14.1 # via flask zipp==0.5.1 # via importlib-metadata # The following packages are considered to be unsafe in a requirements file: -# setuptools==41.0.1 # via pytest +# setuptools==41.2.0 # via pytest