Bump the pip group across 1 directory with 7 updates #1
dependabot[bot] wants to merge 1 commit into master from
Conversation
Bumps the pip group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [django](https://github.com/django/django) | `1.9.12` | `4.2.24` |
| [djangorestframework](https://github.com/encode/django-rest-framework) | `3.5.3` | `3.15.2` |
| [pymongo](https://github.com/mongodb/mongo-python-driver) | `3.4.0` | `4.6.3` |
| [requests](https://github.com/psf/requests) | `2.12.4` | `2.32.4` |
| [gunicorn](https://github.com/benoitc/gunicorn) | `19.6.0` | `23.0.0` |
| [gevent](https://github.com/gevent/gevent) | `1.2.0` | `23.9.0` |
| [wheel](https://github.com/pypa/wheel) | `0.29.0` | `0.38.1` |

Updates `django` from 1.9.12 to 4.2.24
- [Commits](django/django@1.9.12...4.2.24)

Updates `djangorestframework` from 3.5.3 to 3.15.2
- [Release notes](https://github.com/encode/django-rest-framework/releases)
- [Commits](encode/django-rest-framework@3.5.3...3.15.2)

Updates `pymongo` from 3.4.0 to 4.6.3
- [Release notes](https://github.com/mongodb/mongo-python-driver/releases)
- [Changelog](https://github.com/mongodb/mongo-python-driver/blob/master/doc/changelog.rst)
- [Commits](mongodb/mongo-python-driver@3.4.0...4.6.3)

Updates `requests` from 2.12.4 to 2.32.4
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.12.4...v2.32.4)

Updates `gunicorn` from 19.6.0 to 23.0.0
- [Release notes](https://github.com/benoitc/gunicorn/releases)
- [Commits](benoitc/gunicorn@19.6.0...23.0.0)

Updates `gevent` from 1.2.0 to 23.9.0
- [Release notes](https://github.com/gevent/gevent/releases)
- [Changelog](https://github.com/gevent/gevent/blob/master/docs/changelog_1_2.rst)
- [Commits](gevent/gevent@1.2.0...23.9.0)

Updates `wheel` from 0.29.0 to 0.38.1
- [Release notes](https://github.com/pypa/wheel/releases)
- [Changelog](https://github.com/pypa/wheel/blob/main/docs/news.rst)
- [Commits](pypa/wheel@0.29.0...0.38.1)

---
updated-dependencies:
- dependency-name: django
  dependency-version: 4.2.24
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: djangorestframework
  dependency-version: 3.15.2
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: pymongo
  dependency-version: 4.6.3
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: requests
  dependency-version: 2.32.4
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: gunicorn
  dependency-version: 23.0.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: gevent
  dependency-version: 23.9.0
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: wheel
  dependency-version: 0.38.1
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
Walkthrough
Updated versions in requirements.txt for Django, DRF, pymongo, requests, and deployment tools (gunicorn, gevent, wheel). No files other than requirements.txt were changed. No new dependencies were added.
Estimated code review effort: 1 (Trivial), ~2 minutes. Pre-merge checks: 2 passed, 1 inconclusive.
Actionable comments posted: 4
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
requirements.txt (2)
29-34: Migrate tests off nose/django-nose to pytest
- Remove nose, django-nose and related plugins from requirements.txt (lines 29–34) and add pytest>=8 and pytest-django>=4.8:

```diff
- yanc==0.3.3
- nose==1.3.7
- nose-exclude==0.5.0
- nose-timer==0.6.0
- django-nose==1.4.4
+ pytest>=8
+ pytest-django>=4.8
```

- Remove TEST_RUNNER = 'django_nose.NoseTestSuiteRunner' and NOSE_ARGS from settings.py and refactor all nose.tools imports in tests to use pytest's assertions or Python's unittest.
23-25: Update code and settings before migrating to boto3-backed storage
• boto v2 is still in use – imports in
  – amon/apps/cloudservers/api.py:7–8 (import boto.ec2)
  – amon/apps/cloudservers/apicalls.py:1–2 (import boto.ec2, from boto.exception import EC2ResponseError)
• apache-libcloud is used in apicalls (amon/apps/cloudservers/apicalls.py:7–8)
• No django-storages backends or DEFAULT_FILE_STORAGE configured in amon/settings.py; either remove unused django-storages or add and configure storages.backends.s3boto3.S3Boto3Storage before bumping to django-storages[boto3]
Cannot safely remove boto==2.x or apache-libcloud from requirements or upgrade django-storages without refactoring these code paths.
🧹 Nitpick comments (3)
requirements.txt (3)
11-11: pytz pin from 2016 is outdated; Django 4 encourages zoneinfo. Either upgrade pytz to a current release or migrate to Python's zoneinfo (preferred) and drop the pin.
Possible diff (if retaining pytz):

```diff
-pytz==2016.10
+pytz>=2024.2
```

27-27: pip>=9.0 is very old for resolving this set of pins. Use a modern pip to avoid resolver edge cases and to get better metadata handling.

```diff
-pip>=9.0
+pip>=23
```
2-19: Plan and gate the upgrade: split into staged PRs with CI gates.
- Stage 1: Replace insecure/obsolete deps (pycrypto → pycryptodome, boto→boto3, modern django-storages), update test stack.
- Stage 2: Upgrade to Django 3.2 LTS + DRF mid-version, fix deprecations.
- Stage 3: Upgrade to Django 4.2 LTS + DRF 3.15, address remaining breaks.
I can generate a migration checklist and a tox/pytest matrix to run Django 3.2 and 4.2 side-by-side. Want me to open a follow-up issue?
🔇 Additional comments (4)
requirements.txt (4)
12-12: Requests bump looks safe. No known app-level breaking changes between 2.12 → 2.32 for typical usage.
19-19: Wheel bump: low risk. Fine to update build tooling.
18-18: Confirm gevent worker applies monkey-patching
No explicit gevent.monkey.patch_* calls detected; since you've switched to the gevent Gunicorn worker (gunicorn.conf: worker_class='gevent'), verify it applies the necessary DNS/SSL patches and that greenlet is installed. Re-test graceful shutdowns under load and consider adding an explicit gevent.monkey.patch_all() in your app bootstrap if needed.
17-17: Gunicorn 23 upgrade: config flags unchanged. gunicorn.conf only defines bind, workers, and worker_class='gevent' — all supported in v23. Validate gevent worker operation after upgrading.
| @@ -1,22 +1,22 @@ | |||
| beautifulsoup4==4.5.1 | |||
| Django==1.9.12 | |||
| Django==4.2.24 | |||
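Review bot: the `Django==1.9.12` → `Django==4.2.24` line in this hunk crosses three major versions in a single pin change while `beautifulsoup4==4.5.1` directly above it is left untouched, so the file is only as current as the packages Dependabot happened to flag. Accept the pin only together with the URL conf, middleware and translation changes it forces, and note from the commit log further down this page that 4.2.24 is a security release (CVE-2025-57833, FilteredRelation SQL injection); if the code migration will take several PRs, do that work first rather than leaving this PR open as the only route to the fix.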
💡 Verification agent
🧩 Analysis chain
Django 1.9 → 4.2 jump is breaking; expect install/boot failures without coordinated app/code upgrades.
- Very likely resolver conflicts with old Django add-ons here (e.g., django-timezone-field==2.0, django-storages==1.5.1, django-nose, etc.), and runtime breakages (urls, middleware, settings, translations, timezone handling). Do not auto-merge.
Quick grep to surface high-risk Django 1.x patterns to fix:
🏁 Script executed:

```bash
#!/bin/bash
rg -nP -C2 '\burl\s*\(|MIDDLEWARE_CLASSES|django\.core\.urlresolvers|ugettext(_lazy)?\(|patterns\(|TEMPLATES.*' .
```

Length of output: 265818
Block merge: refactor legacy Django 1.x code before upgrading to Django 4.2.24
- Replace all patterns()/url() usages and django.core.urlresolvers imports (e.g. in amon/urls.py, templatetags/baseurl.py, apps/*/urls.py) with path()/re_path() and django.urls
- Change MIDDLEWARE_CLASSES to MIDDLEWARE in settings.py
- Swap all ugettext/ugettext_lazy calls to gettext/gettext_lazy
- Audit third-party packages (django-timezone-field, django-storages, django-nose, etc.) and ensure they support Django 4.x
Do not merge until all breaking changes are addressed.
🤖 Prompt for AI Agents
In requirements.txt around lines 2 to 2, the PR upgrades Django to 4.2.24 but
legacy Django 1.x patterns remain; before merging, refactor all code to be
Django 4.x compatible: replace any uses of patterns()/url() and imports from
django.core.urlresolvers with path()/re_path() and django.urls (check
amon/urls.py, apps/*/urls.py, templatetags/baseurl.py), rename
MIDDLEWARE_CLASSES to MIDDLEWARE in settings.py and migrate middleware ordering
accordingly, replace ugettext/ugettext_lazy with gettext/gettext_lazy throughout
the codebase, and audit/upgrade or replace third‑party packages (e.g.,
django-timezone-field, django-storages, django-nose) to versions that explicitly
support Django 4.x or remove incompatible ones; run the test suite and fix any
deprecations/compatibility errors before merging.
| django-kronos==1.0 | ||
| django-timezone-field==2.0 | ||
| djangorestframework==3.5.3 | ||
| djangorestframework==3.15.2 |
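Review bot: `djangorestframework==3.15.2` lands beside `django-kronos==1.0` and `django-timezone-field==2.0`, which the hunk leaves as-is; those are the Django 1.x-era add-ons the comment below names as likely resolver conflicts, so `pip install -r requirements.txt` may not get as far as the DRF API breaks. The commit log on this page shows 3.15.2 includes the `break_long_headers` XSS fix (#9435), so this is a security update worth landing, but only once those two neighbours have Django 4.2-compatible pins.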
💡 Verification agent
🧩 Analysis chain
DRF 3.15 requires modern Django and has multiple breaking changes vs 3.5.
- Expect breaks around pagination classes, exceptions, schema generation (coreapi removal), request.data vs deprecated request.DATA, renderer settings.
Search for removed/changed DRF API:
🏁 Script executed:

```bash
#!/bin/bash
rg -nP -C2 'request\.DATA|request\.QUERY_PARAMS|coreapi|SchemaGenerator|PageNumberPagination\(|DEFAULT_PAGINATION_CLASS|BrowsableAPIRenderer|is_authenticated\(\)' --type=py
```

Length of output: 1361
Update is_authenticated() calls to the boolean property
- Replace all instances of request.user.is_authenticated() with request.user.is_authenticated in:
  • amon/apps/users/decorators.py:9
  • amon/apps/api/permissions.py:22
  • amon/apps/charts/context_processors.py:11
  • amon/apps/account/middleware.py:22
- After refactoring, audit for other DRF 3.15 breaking changes (pagination defaults, exception APIs, CoreAPI/schema removal, request.DATA → request.data, renderer settings).
🤖 Prompt for AI Agents
In requirements.txt around line 6 and in the codebase files
amon/apps/users/decorators.py:9, amon/apps/api/permissions.py:22,
amon/apps/charts/context_processors.py:11, and
amon/apps/account/middleware.py:22, replace calls to
request.user.is_authenticated() with the boolean property
request.user.is_authenticated; run a repo-wide search for any remaining
.is_authenticated() and update them similarly, then run tests. After that, audit
for DRF 3.15 breaking changes and fix usages: replace request.DATA with
request.data, adjust pagination default settings to the new API if relying on
defaults, update any exception handler signatures to the new DRF APIs,
remove/replace CoreAPI/schema usages with the supported schema generators, and
verify renderer settings in REST_FRAMEWORK config; run the test suite and linter
to confirm no regressions.
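The `is_authenticated()` → property change called out in the comment above is the one item in this review that fails in a security-relevant direction, so here is an added example (not code from the amon project or from Django) of a shim a staged upgrade can use while both API shapes are live. `LegacyUser`, `ModernUser`, `Request`, `dashboard` and `PermissionDenied` are constructed stand-ins; the two `naive_*` functions reproduce the bugs the shim avoids.

```python
"""Normalise `user.is_authenticated` across Django API generations during a staged upgrade.

Added example; not code from the amon project or from Django. Django 1.9 exposed
is_authenticated() as a method, 1.10/1.11 returned a CallableBool that works
both ways, and 2.0+ made it a plain bool property. A check written for one shape
fails on the other, and one of the two failure modes is fail-open.
"""
from functools import wraps


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied (constructed for the example)."""


def user_is_authenticated(user) -> bool:
    """Return True only for a genuinely authenticated user, whatever the API shape.

    - Django 2.0+: the attribute is a bool, returned as-is.
    - Django 1.9: the attribute is a bound method and must be called; testing the
      method object itself is always truthy, which lets anonymous users through.
    - Django 1.10/1.11: CallableBool is truthy/falsey and callable, so calling it
      also yields the right answer.
    """
    value = getattr(user, "is_authenticated", False)
    if callable(value):
        value = value()
    if not isinstance(value, bool):
        raise TypeError(f"is_authenticated resolved to {type(value).__name__}, expected bool")
    return value


def login_required(view):
    """Decorator for a function-based view; the request is assumed to carry `.user`."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        if not user_is_authenticated(request.user):
            raise PermissionDenied(view.__name__)
        return view(request, *args, **kwargs)
    return wrapper


# Constructed stand-ins for the user objects of each Django generation.
class LegacyUser:
    """Django 1.9 shape: is_authenticated is a method."""
    def __init__(self, authenticated: bool):
        self._authenticated = authenticated

    def is_authenticated(self) -> bool:
        return self._authenticated


class ModernUser:
    """Django 2.0+ shape: is_authenticated is a bool property."""
    def __init__(self, authenticated: bool):
        self._authenticated = authenticated

    @property
    def is_authenticated(self) -> bool:
        return self._authenticated


class Request:
    def __init__(self, user):
        self.user = user


@login_required
def dashboard(request) -> str:
    return "dashboard"


def naive_legacy_check(user) -> bool:
    """The fail-open bug: `if user.is_authenticated:` written against Django 1.9.
    The bound method is an object, and objects are truthy, so anonymous users pass."""
    return bool(user.is_authenticated)


def naive_modern_call(user) -> str:
    """The fail-closed bug: `user.is_authenticated()` kept after the property change."""
    try:
        return "ok" if user.is_authenticated() else "denied"
    except TypeError:  # 'bool' object is not callable
        return "TypeError"
```

The fail-open case is the one to grep for before the Django pin moves: an unparenthesised `if user.is_authenticated:` written against 1.9 never denies anyone, and it produces no error to notice.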
| pyaml==16.12.2 | ||
| pymongo==3.4.0 | ||
| pymongo==4.6.3 |
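Review bot: `pymongo==3.4.0` → `pymongo==4.6.3` skips every 3.x release that turned the legacy calls listed below (`ensure_index`, `remove`, `find_and_modify`, `Cursor.count`) into `DeprecationWarning`s, and the `pyaml==16.12.2` line above it stays untouched. A cheaper path than reading the 140 KB of grep output is to pin the last 3.x first and run the test suite with `-W error::DeprecationWarning`, which turns each remaining legacy call into a failing test; then move to 4.6.3, which per the commit log on this page also carries the BSON size check fix (PYTHON-4305).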
💡 Verification agent
🧩 Analysis chain
PyMongo 4.x removes legacy APIs; high risk of data-layer breakage.
- Removed/changed: collection.count(), ensure_index(), remove(), find_and_modify(), Cursor.count().
Find usages to migrate:
🏁 Script executed:

```bash
#!/bin/bash
rg -nP -C2 '\.count\(|ensure_index\(|remove\(|find_and_modify\(|authenticate\(|map_reduce\(' --type=py
```

Length of output: 140952
Migrate deprecated PyMongo legacy APIs before upgrading to 4.x
Multiple occurrences of removed/changed PyMongo methods were found—must replace them with their modern equivalents to avoid data‐layer breakage.
- ensure_index() → create_index()
- collection.remove(filter) → delete_one(filter) / delete_many(filter)
- find().count() / Cursor.count() → count_documents(filter)
- find_and_modify() → find_one_and_update() / find_one_and_delete()
- collection.count() → count_documents({}) / estimated_document_count()
Run a global replace or audit in each model and test, updating calls to the above.
🤖 Prompt for AI Agents
In requirements.txt around lines 9 to 9, the project pins pymongo==4.6.3 which
requires migrating deprecated legacy PyMongo APIs; audit and update all
code/tests to replace ensure_index() with create_index(),
collection.remove(filter) with delete_one()/delete_many(), any find().count() or
Cursor.count() with count_documents(filter), find_and_modify() with
find_one_and_update()/find_one_and_delete(), and collection.count() with
count_documents({}) or estimated_document_count(); perform a global
search/replace across models and tests, run the test suite, and fix any
remaining call signatures or returned-value differences accordingly.
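Both the Django 1.x comment earlier on this page (patterns()/url(), django.core.urlresolvers, MIDDLEWARE_CLASSES, ugettext) and the PyMongo comment above end in a grep whose `.count(`/`.remove(` terms produce 140 KB of hits. As an added example, not tooling from the amon project or from any of the libraries, the scanner below walks the AST and reports only the call shapes the two comments list, with the replacement each one names. `SAMPLE`, the file name and the replacement hints are constructed for the demonstration.

```python
"""Find legacy Django, DRF and PyMongo call sites with an AST walk rather than a regex.

Added example; not tooling from the amon project or from any of the libraries.
Matching call shapes instead of substrings is what keeps str.count() and
list.remove() out of the migration list. Patterns come from the review above.
"""
import ast
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    kind: str          # "django", "drf" or "pymongo"
    found: str
    replace_with: str


PYMONGO_CALLS = {
    "ensure_index": "create_index()",
    "find_and_modify": "find_one_and_update() / find_one_and_delete()",
}
DJANGO_CALLS = {
    "url": "path() / re_path()",
    "patterns": "a plain list of path()/re_path()",
    "ugettext": "gettext",
    "ugettext_lazy": "gettext_lazy",
}
DJANGO_MODULES = {"django.core.urlresolvers": "django.urls"}


class LegacyApiVisitor(ast.NodeVisitor):
    def __init__(self, filename: str):
        self.filename = filename
        self.findings: List[Finding] = []

    def _add(self, node: ast.AST, kind: str, found: str, replace_with: str) -> None:
        self.findings.append(Finding(self.filename, node.lineno, kind, found, replace_with))

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        module = node.module or ""
        if module in DJANGO_MODULES:
            self._add(node, "django", f"from {module} import ...", DJANGO_MODULES[module])
        for alias in node.names:  # e.g. from django.conf.urls import url
            if module.startswith("django.") and alias.name in DJANGO_CALLS:
                self._add(node, "django", f"import {alias.name}", DJANGO_CALLS[alias.name])
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        if any(isinstance(t, ast.Name) and t.id == "MIDDLEWARE_CLASSES" for t in node.targets):
            self._add(node, "django", "MIDDLEWARE_CLASSES = [...]", "MIDDLEWARE = [...]")
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        func, nargs = node.func, len(node.args)
        first = node.args[0] if node.args else None
        if isinstance(func, ast.Name) and func.id in DJANGO_CALLS:
            self._add(node, "django", f"{func.id}(...)", DJANGO_CALLS[func.id])
        elif isinstance(func, ast.Attribute):
            name = func.attr
            if name in PYMONGO_CALLS:
                self._add(node, "pymongo", f".{name}(...)", PYMONGO_CALLS[name])
            elif name == "is_authenticated" and nargs == 0:
                self._add(node, "drf", ".is_authenticated()", ".is_authenticated (property)")
            # str.count / list.count always take a non-dict positional argument, so a
            # zero-arg or dict-arg .count() is Collection.count() or Cursor.count().
            elif name == "count" and (nargs == 0 or isinstance(first, ast.Dict)):
                self._add(node, "pymongo", ".count(...)",
                          "count_documents(filter) / estimated_document_count()")
            # list.remove(x), set.remove(x), os.remove(path) all take a non-dict argument.
            elif name == "remove" and (nargs == 0 or isinstance(first, ast.Dict)):
                self._add(node, "pymongo", ".remove(...)", "delete_one(filter) / delete_many(filter)")
        self.generic_visit(node)


def scan_source(source: str, filename: str = "<string>") -> List[Finding]:
    """Parse one module and return its findings ordered by line (raises SyntaxError for Python 2 files)."""
    visitor = LegacyApiVisitor(filename)
    visitor.visit(ast.parse(source, filename=filename))
    return sorted(visitor.findings, key=lambda f: (f.file, f.line))


# Constructed snippet exercising every pattern, plus two look-alikes that must not match.
SAMPLE = '''\
from django.conf.urls import url
from django.core.urlresolvers import reverse
from django.utils.translation import ugettext_lazy as _

MIDDLEWARE_CLASSES = ["django.middleware.security.SecurityMiddleware"]

urlpatterns = [url(r"^$", home)]

def has_permission(self, request, view):
    return request.user.is_authenticated()

def legacy_queries(collection, names):
    collection.ensure_index("server_id")
    total = collection.find({"active": True}).count()
    collection.remove({"expired": True})
    names.remove("dropped")           # list.remove: not flagged
    return "abc".count("a") + total   # str.count: not flagged
'''
```

Run it over `amon/**/*.py` by feeding each file's text to `scan_source`; a file that raises `SyntaxError` is itself a finding, since Python 2 syntax in a module will block the upgrade before any of the calls above matter.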
| pytz==2016.10 | ||
| requests==2.12.4 | ||
| requests==2.32.4 | ||
| pycrypto==2.6.1 |
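Review bot: `pycrypto==2.6.1` is carried through this hunk as unchanged context while `requests` two lines above it is bumped, and the two fixes proposed for it on this page disagree on the floor (`pycryptodome>=3.10` in the committable suggestion, `pycryptodome>=3.17.0` in the agent prompt); settle on one. It is not a pure pin swap: PyCryptodome reuses the `Crypto` namespace but requires an explicit mode in `AES.new(key, mode)`, where pycrypto silently defaulted to ECB, so every cipher construction site needs a look once the import resolves to the new package. `pytz==2016.10` at the top of the hunk is also untouched.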
pycrypto is abandoned with critical CVEs — replace immediately.
Switch to PyCryptodome (drop-in for most cases).
Apply this diff:

```diff
-pycrypto==2.6.1
+pycryptodome>=3.10
```

📝 Committable suggestion
🤖 Prompt for AI Agents
In requirements.txt at line 13 replace the abandoned vulnerable pycrypto==2.6.1
with a maintained drop-in replacement (e.g. pycryptodome>=3.17.0); remove the
pycrypto entry, add pycryptodome, run pip install/update and CI/tests to ensure
imports still work (PyCryptodome provides the same Crypto namespace in most
cases) and ensure no conflicting pycrypto remains in the environment.
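Following the comment above on replacing pycrypto: because both packages install the same top-level `Crypto` package, swapping the requirements line is not enough on a machine that already has pycrypto installed. The check below is an added example, not code from the amon project, pycrypto or PyCryptodome; `SAMPLE_REQUIREMENTS` is constructed, and `inspect_environment()` reads whatever distributions the running interpreter has.

```python
"""Verify which installed distribution owns the `Crypto` import namespace.

Added example; not code from the amon project, pycrypto or PyCryptodome. Both
packages ship a top-level `Crypto` package and `pip install pycryptodome` does
not remove pycrypto, so the old, vulnerable copy can still be the one that
`import Crypto` picks up. `classify()` and `requirements_status()` work on plain
data so they run offline; `inspect_environment()` feeds `classify()` live metadata.
"""
import importlib.metadata as md
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

LEGACY = "pycrypto"
MAINTAINED = "pycryptodome"
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


@dataclass(frozen=True)
class Verdict:
    status: str            # "ok" | "missing" | "legacy-only" | "conflict"
    providers: List[str]   # normalised names of distributions shipping `Crypto`


def classify(providers: Iterable[str]) -> Verdict:
    """Decide whether the `Crypto` namespace is safe given which distributions provide it."""
    names = sorted({p.lower().replace("_", "-") for p in providers})
    if LEGACY in names and MAINTAINED in names:
        return Verdict("conflict", names)      # install order decides the import; uninstall pycrypto
    if names == [LEGACY]:
        return Verdict("legacy-only", names)   # the abandoned package is all there is
    if MAINTAINED in names:
        return Verdict("ok", names)
    return Verdict("missing", names)


def requirements_status(lines: Iterable[str]) -> Dict[str, bool]:
    """Report whether a requirements file still names pycrypto and whether it names pycryptodome."""
    pinned = set()
    for raw in lines:
        line = raw.split("#", 1)[0]
        if not line.strip() or line.lstrip().startswith("-"):
            continue                            # blank, comment, or an option such as -r / -e
        match = _REQ_NAME.match(line)
        if match:
            pinned.add(match.group(1).lower().replace("_", "-"))
    return {LEGACY: LEGACY in pinned, MAINTAINED: MAINTAINED in pinned}


def crypto_providers() -> Dict[str, str]:
    """Installed distributions that ship a top-level `Crypto` package, as name -> version."""
    found: Dict[str, str] = {}
    for dist in md.distributions():
        tops = set((dist.read_text("top_level.txt") or "").split())
        if not tops and dist.files:             # fall back to RECORD when top_level.txt is absent
            tops = {f.parts[0] for f in dist.files if len(f.parts) > 1}
        if "Crypto" in tops:
            found[dist.metadata["Name"]] = dist.version
    return found


def inspect_environment() -> Verdict:
    return classify(crypto_providers())


# Constructed requirements lines mirroring the ones in this PR.
SAMPLE_REQUIREMENTS = [
    "requests==2.32.4",
    "pycrypto==2.6.1",
    "-r base.txt",
    "pycryptodome>=3.17.0  # staged replacement",
]

if __name__ == "__main__":
    print(requirements_status(SAMPLE_REQUIREMENTS))
    print(inspect_environment())
```

A `conflict` verdict means `pip uninstall pycrypto` is still needed in the deployment image; `requirements_status` catches the case where the old pin was left in alongside the new one, which is exactly what a merged version of this hunk plus the suggested diff would produce if both lines survived.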
Updates `django` from 1.9.12 to 4.2.24

Commits
- 5e23d89 [4.2.x] Bumped version for 4.2.24 release.
- 31334e6 [4.2.x] Fixed CVE-2025-57833 -- Protected FilteredRelation against SQL inject...
- d5860d5 [4.2.x] Added stub release notes and release date for 4.2.24.
- c3f9871 [4.2.x] Fixed #36499 -- Adjusted utils_tests.test_html.TestUtilsHtml.test_str...
- 2a79837 [4.2.x] Fixed test_utils.tests.HTMLEqualTests.test_parsing_errors following P...
- 7335a1a [4.2.x] Refs #36535 -- Doc'd that docutils < 0.22 is required.
- 591b23a [4.2.x] Fixed GitHub Action that checks commit prefixes to fetch PR head corr...
- 0c9ab35 [4.2.x] Added GitHub Action to enforce stable branch commit message prefix.
- 8293b0f [4.2.x] Added follow-up to CVE-2025-48432 to security archive.
- bc4d96c [4.2.x] Post-release version bump.

Updates `djangorestframework` from 3.5.3 to 3.15.2

Release notes
Sourced from djangorestframework's releases.
... (truncated)

Commits
- c7a7eae Version 3.15.2 (#9439)
- 3b41f01 Fix potential XSS vulnerability in break_long_headers template filter (#9435)
- fe92f0d Add __hash__ method for permissions.OperandHolder class (#9417)
- fbdab09 docs: Correct some evaluation results and a httpie option in Tutorial1 (#9421)
- 36d5c0e tests: Check urlpatterns after cleanups (#9400)
- 9d4ed05 Don't use Windows line endings
- b34bde4 Fix typo in setup.cfg setting
- ab681f2 Update requirements in docs
- 2237724 bump pygments (security hygiene)
- d58b8da Update deprecation hints

Updates `pymongo` from 3.4.0 to 4.6.3

Release notes
Sourced from pymongo's releases.
... (truncated)

Changelog
Sourced from pymongo's changelog.
... (truncated)

Commits
- 8da192f BUMP 4.6.3
- 56b6b6d PYTHON-4305 Fix bson size check (#1564)
- 449d0f3 BUMP to 4.6.3.dev0
- e04576d DEVPROD-3871 Use teardown_task when there is one function/command (#1533)
- cf1c6a1 PYTHON-4219 Prep for 4.6.2 Release (#1530)
- d29b2b7 PYTHON-4147 [v4.6]: Silence noisy thread.start() RuntimeError at shutdown (#1...
- 0477b9b PYTHON-4077 [v4.6]: Ensure there is a MacOS wheel for Python 3.7 (#1527)
- ecad17d BUMP 4.6.2.dev0
- 485e0a5 BUMP 4.6.1
- 995365c PYTHON-4038 [v4.6]: Ensure retryable read OperationFailures re-raise except...

Updates `requests` from 2.12.4 to 2.32.4

Release notes
Sourced from requests's releases.
... (truncated)

Changelog
Sourced from requests's changelog.
... (truncated)

Commits
- 021dc72 Polish up release tooling for last manual release
- 821770e Bump version and add release notes for v2.32.4
- 59f8aa2 Add netrc file search information to authentication documentation (#6876)
- 5b4b64c Add more tests to prevent regression of CVE 2024 47081
- 7bc4587 Add new test to check netrc auth leak (#6962)
- 96ba401 Only use hostname to do netrc lookup instead of netloc
- 7341690 Merge pull request #6951 from tswast/patch-1
- 6716d7c remove links
- a7e1c74 Update docs/conf.py
- c799b81 docs: fix dead links to kenreitz.org

Updates `gunicorn` from 19.6.0 to 23.0.0

Release notes
Sourced from gunicorn's releases.
... (truncated)

Commits
- 411986d fix doc
- 334392e Merge pull request #2559 from laggardkernel/bugfix/reexec-env
- e75c353 Merge pull request #3189 from pajod/patch-py36
- 9357b28 keep document user in access_log_format setting
- 79fdef0 bump to 23.0.0
- 3acd9fb Merge pull request #2620 from talkerbox/improve-access-log-format-docs
- 3f56d76 Merge pull request #3192 from pajod/patch-allowed-script-name
- 256d474 docs: revert duped directive
- ffa48b5 test: default change was intentional
- 52538ca docs: recommend SCRIPT_NAME=/subfolder

Updates `gevent` from 1.2.0 to 23.9.0

Changelog
Sourced from gevent's changelog.
... (truncated)

Commits
- 693181e Preparing release 23.9.0
- 6fc7898 Set the cython version; go back to default wheel tags.
- 666e374 Had the constraint wrong.
- 74ef876 Tweaking the build, and it seems like the greenlet stack issue should be fixed.
- b652e2a Error handling adjustments from running under a debug build.
- 70e7318 Tweaking tests and comments; temporary workarounds for 3.12 to enable builds.
- 495e37a Workaround the 3.12 traceback issue again.
- 2f53c85 gevent.pywsgi: Much improved handling of chunk trailers.
- bb06d2d Test builds with greenlet assertions enabled.
- 6b22af0 pyproject.toml: Bump to latest cython.

Updates `wheel` from 0.29.0 to 0.38.1

Changelog
Sourced from wheel's changelog.
... (truncated)

Commits
- 6f1608d Created a new release
- cf8f5ef Moved news item from PR #484 to its proper place
- 9ec2016 Removed install dependency on setuptools (#483)
- 747e1f6 Fixed PyPy SOABI parsing (#484)
- 7627548 [pre-commit.ci] pre-commit autoupdate (#480)
- 7b9e8e1 Test on Python 3.11 final
- a04dfef Updated the pypi-publish action
- 94bb62c Fixed docs not building due to code style changes
- d635664 Updated the codecov action to the latest version
- fcb94cd Updated version to match the release

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.