Update urllib3 to 1.25.3

[rmol]

Status

Work in progress

Description of Changes

Fixes #4379.

Admin also needed pip-tools==4.0.0 to work with pip>=19.2, which is added to the bootstrapped virtualenv.

Testing

Automated tests should suffice to get the new requirements installed and used.

Deployment

I think this is dev-only; it's updating requirements in the admin virtualenv (requests), but as far as I can tell they're only used in tests.

Checklist

If you made changes to the server application code:

• Linting (make lint) and tests (make -C securedrop test) pass in the development container

If you made changes to securedrop-admin:

• Linting and tests (make -C admin test) pass in the admin development container

[codecov-io]

Codecov Report

Merging #4665 into develop will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff            @@
##           develop    #4665   +/-   ##
========================================
  Coverage    82.67%   82.67%           
========================================
  Files           45       45           
  Lines         3122     3122           
  Branches       338      338           
========================================
  Hits          2581     2581           
  Misses         454      454           
  Partials        87       87

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update de8cbcf...1cc7f86. Read the comment docs.

[emkll]

Thanks @rmol . Hashes look good to me , and performed diff review based on the following version bumps, looks good to me.

• requests (2.20.0->2.22.0) : https://github.com/psf/requests/compare/v2.20.0..v2.22.0
• urllib (1.24.1->1.25.3): https://github.com/urllib3/urllib3/compare/1.24.1..1.25.3
• pip-tools 3.5.0 -> 4.0.0: https://github.com/jazzband/pip-tools/compare/3.5.0..4.0.0

I will test this PR functionally and will comment/approve.

[emkll]

✔️

[emkll]

✔️

[emkll]

Any idea why this warning is here? Is it due to the new version of pip-tools?

[rmol]

Yes. Since pip-compile refuses to hash setuptools unless given --allow-unsafe, if whatever version of setuptools was installed when the virtualenv was created needed to be upgraded to satisfy another package's dependencies, pip would fail.

There's some discussion on that issue suggesting that it would be safer to use --allow-unsafe to let pip-compile pin and hash setuptools. That makes sense to me, but that should probably be a separate PR, and maybe @kushaldas would like to weigh in here.

[emkll]

✔️

[emkll]

See comment inline regarding the discrepancy between python2/develop-requirements.txt changes and python3/develop-requirements.txt

I've uploaded the diffs of the source tarballs reviewed as part of this pr review (the GH links were for convenience) (thanks @kushaldas for the out-of-band reminder)

I've tested the staging scenario and everything functions correctly/all tests pass, CI as also passing (converge and verify).

I will approve this (but not merge), in case anyone has objections to using different versions of pip-tools in the python2 or python3 dev environments, they can feel free to comment on this ticket. Given the python2 environment should be rapidly deprecated after the release of 1.0.0, I think this is fine since these are dev/test requirements.

[emkll]

why was pip-tools updated here but not in python3 develop requirements?

[rmol]

That's a good question. Should we just standardize on pip-tools==4.0.0 everywhere?

[redshiftzero]

good to merge when CI passes

[redshiftzero]

restamping after rebase