Merge pull request #153 from oslokommune/upgrade-cryptography

Upgrade `cryptography`
oslokommune · Nov 8, 2023 · ec9cc44 · ec9cc44
2 parents 9726f88 + ee89674
commit ec9cc44
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 6 deletions.
diff --git a/requirements.txt b/requirements.txt
@@ -27,9 +27,10 @@ cffi==1.16.0
     #   okdata-maskinporten-api (setup.py)
 charset-normalizer==2.0.4
     # via requests
-cryptography==3.4.8
+cryptography==41.0.4
     # via
     #   authlib
+    #   okdata-maskinporten-api (setup.py)
     #   pyopenssl
 ecdsa==0.14.1
     # via python-jose
@@ -68,9 +69,9 @@ pyjwt==2.8.0
     # via
     #   okdata-maskinporten-api (setup.py)
     #   okdata-sdk
-pyopenssl==20.0.1
+pyopenssl==23.2.0
     # via okdata-maskinporten-api (setup.py)
-pyrsistent==0.17.3
+pyrsistent==0.19.3
     # via jsonschema
 python-dateutil==2.8.1
     # via botocore
@@ -99,7 +100,6 @@ six==1.15.0
     # via
     #   ecdsa
     #   jsonschema
-    #   pyopenssl
     #   python-dateutil
 sniffio==1.3.0
     # via anyio
@@ -118,7 +118,7 @@ urllib3==1.26.18
     #   botocore
     #   python-keycloak
     #   requests
-wrapt==1.12.1
+wrapt==1.15.0
     # via aws-xray-sdk
 
 # The following packages are considered to be unsafe in a requirements file:

diff --git a/serverless.yaml b/serverless.yaml
@@ -111,6 +111,7 @@ custom:
     dockerizePip: non-linux
     dockerImage: public.ecr.aws/sam/build-python3.10:latest
     slim: true
+    pipCmdExtraArgs: ['--platform', 'manylinux2014_x86_64', '--only-binary=:all:']
     usePoetry: false
   prune:
     automatic: true

diff --git a/setup.py b/setup.py
@@ -24,13 +24,17 @@
         # Not needed directly (it's required by `pyopenssl`), but require
         # version 1.15.0 or higher explicitly in order to support Python 3.10+.
         "cffi>=1.15.0,<2",
+        # Not needed directly (it's required by `pyopenssl`), but require
+        # version 41.0.4 or higher explicitly in order to mitigate a bunch of
+        # security issues.
+        "cryptography>=41.0.4,<42",
         "fastapi>=0.95.2",
         "mangum>=0.12.4,<1",
         "okdata-aws>=1.0.1,<2.0.0",
         "okdata-resource-auth>=0.1.4",
         "pydantic>=1.10,<2",
         "pyjwt>=2.7,<3",
-        "pyopenssl",
+        "pyopenssl>=23.2.0,<24",
         # Not needed directly (it's required by `python-keycloak`), but require
         # version 3.3.0 or higher explicitly to silence some deprecation
         # warnings.