pywbem · andy-maier · Nov 8, 2022 · Nov 1, 2022 · Nov 6, 2022 · Nov 8, 2022
diff --git a/Makefile b/Makefile
@@ -302,7 +302,9 @@ test_log_file := test_$(python_version_fn).log
 # - 50571 dparse (user safety) 0.4.1 -> 0.5.2, 0.5.1 -> 0.5.2.  ReDos issue
 # - 50885 Pygments 2.7.4 cannot be used on Python 2.7
 # - 50886 Pygments 2.7.4 cannot be used on Python 2.7
-
+# - 51499 Wheel CVE fix in version 0.38.0 yanked after release
+# - 51358 Safety, before 2.2.0 uses dparse with issue, python 2.7 max is 1.9.0
+# - 51457 py - Latest release has this safety issue i.e. <=1.11.0
 safety_ignore_opts := \
 	-i 38100 \
 	-i 38834 \
@@ -346,6 +348,9 @@ safety_ignore_opts := \
 	-i 50571 \
 	-i 50885 \
 	-i 50886 \
+	-i 51499 \
+	-i 51358 \
+	-i 51457 \
 
 ifdef TESTCASES
   pytest_opts := $(TESTOPTS) -k $(TESTCASES)

diff --git a/dev-requirements.txt b/dev-requirements.txt
@@ -45,16 +45,20 @@ coveralls>=2.1.2,<3.0.0; python_version >= '3.5'
 # Safety CI by pyup.io
 # safety 1.9.0 removed support for Python 2.7 (and now also enforces that)
 safety>=1.8.7,<1.9.0; python_version == '2.7'
-safety>=1.9.0; python_version >= '3.5'
+safety>=1.9.0,<2.0.0; python_version == '3.5'
+safety>=2.2.0; python_version >= '3.6'
 # dparse 0.5.0 has an infinite recursion issue on Python 2.7,
 #   see https://github.com/pyupio/dparse/issues/46
 dparse>=0.4.1,<0.5.0; python_version == '2.7'
-dparse>=0.5.2; python_version >= '3.5'
-# Safety requires Click>6.0 and the upgrade strategy 'eager' causes Click to be
-# upgraded to 8.0.0, unless we repeat the Click requirements from
-# requirements.txt. Keep them in sync.
+dparse>=0.5.2; python_version == '3.5'
+# ver 0.6.2 min requirement by safety 2.2.0
+dparse>=0.6.2; python_version >= '3.6'
+# Safety requires Click>=8.0.2.
+# Repeat the Click requirements from
+# requirements.txt. to keep them in sync.
 Click>=7.1.1,<8.0; python_version <= '3.5'
-Click>=8.0.1; python_version >= '3.6'
+# Safety package requires click 8.0.2 minimum
+# Click>=8.0.2; python_version >= '3.6'
 
 # PyYAML is also pulled in by dparse and python-coveralls
 # PyYAML 5.3 fixed narrow build error on Python 2.7

diff --git a/docs/changes.rst b/docs/changes.rst
@@ -49,16 +49,16 @@ Released: not yet
 * Increased minimum version of Click to 8.0.1 on Python >= 3.6 to prepare for
   new features. Adjusted testcases accordingly.
 
-* Extended class and instance enumerate/get/associators/references to allow
-  getting the objects from multiple namespaces with a single request.  This
-  extends the command option --namespace to allow multiple namespaces for
-  these commands using either comma-separated format
-  (ex. --namespace root/cimv2,root/cimv3) or multiple definitions of the option
-  (ex. --namespace root/cimv2 --namespace root/cimv3) The display of results
-  have been extended to include the namespace name for the objects in all
-  of the output formats if multiple namespaces are used. As before, the
-  namespaces are not shown if only a single or the default namespace is
-  requested.(see issues #1058 and #1059)
+* Extended class/instance enumerate/get/associators/references and qualifier
+  enumerate to allow getting the objects from multiple namespaces with a single
+  request.  This extends the command option --namespace to allow multiple
+  namespaces for these commands using either comma-separated format (ex.
+  --namespace root/cimv2,root/cimv3) or multiple definitions of the option (ex.
+  --namespace root/cimv2 --namespace root/cimv3) The display of results have
+  been extended to include the namespace name for the objects in all of the
+  output formats if multiple namespaces are used. As before, the namespaces are
+  not shown if only a single or the default namespace is requested.(see issues
+  #1058 and #1059)
 
 * Add a new option (--object-order) to class and instance
   enumerate/get/associators/references and qualifier enumerate/get to reorder
@@ -113,6 +113,9 @@ Released: not yet
 * Clean up issues in the docs where items in bullet lists do not show the
   bullets Changes rtd-requirements to avoid suspect versions. (see issue #1218)
 
+* Update to requirements files for new Nov 2022 security issues with wheel,
+  safety, and py. (see PR # 1627)
+
 **Known issues:**
 
 * See `list of open issues`_.

diff --git a/minimum-constraints.txt b/minimum-constraints.txt
@@ -89,6 +89,7 @@ setuptools==39.0.1; python_version <= '3.6'
 setuptools==40.6.0; python_version == '3.7'
 setuptools==41.5.0; python_version >= '3.8' and python_version <= '3.9'
 setuptools==49.0.0; python_version >= '3.10'
+# Minimum should be set to 0.38.0 when that version released. Issue #1228
 wheel==0.30.0; python_version <= '3.6'
 wheel==0.32.0; python_version == '3.7'
 wheel==0.33.5; python_version >= '3.8'
@@ -107,7 +108,8 @@ nocasedict==1.0.1
 six==1.14.0; python_version <= '3.9'
 six==1.16.0; python_version >= '3.10'
 Click==7.1.1; python_version <= '3.5'
-Click==8.0.1; python_version >= '3.6'
+# Safety package requires click 8.0.2 minimum
+Click==8.0.2; python_version >= '3.6'
 click-spinner==0.1.8
 click-repl==0.1.6; python_version <= '3.5'
 click-repl==0.2; python_version >= '3.6'
@@ -171,10 +173,13 @@ coveralls==2.1.2; python_version >= '3.5'
 
 # Safety CI by pyup.io
 safety==1.8.7; python_version == '2.7'
-safety==1.9.0; python_version >= '3.5'
+# version 2. not compatible with python 3.5
+safety==1.9.0; python_version == '3.5'
+safety==2.2.0; python_version >= '3.6'
 dparse==0.4.1; python_version == '2.7'
-dparse==0.5.2; python_version >= '3.5'
-
+dparse==0.5.2; python_version == '3.5'
+#  version 0.6.2 required by safety 2.2.0
+dparse==0.6.2; python_version >= '3.6'
 # Tox
 tox==2.5.0
 # tox 3.17 requires six>=1.14.0
@@ -290,7 +295,7 @@ pbr==1.8.0
 pexpect==4.2.1
 pickleshare==0.7.4
 ptyprocess==0.5.1
-py==1.10.0
+py==1.11.0
 pytz==2016.10; python_version <= '3.9'
 pytz==2019.1; python_version >= '3.10'
 pyzmq==16.0.4

diff --git a/requirements.txt b/requirements.txt
@@ -22,12 +22,13 @@ six>=1.14.0; python_version <= '3.9'
 six>=1.16.0; python_version >= '3.10'
 # Click 7.0 has issue #1231 on Windows which we circumvent in the test code
 # Click 7.1 has a bug with output capturing
-# Click 8.0 is incompatible with pywbemcli. See issues #816 (python 2.7 not
+# Click 8.0 is incompatible with python <3.0. See issues #816 (python 2.7 not
 #     supported) and #819 (click-repl incompatible)
 # The Click requirements were copied into dev-requirements.txt in order not to
 # have the safety package upgrade it. Keep them in sync.
 Click>=7.1.1,<8.0; python_version <= '3.5'
-Click>=8.0.1; python_version >= '3.6'
+# Safety package requires click 8.0.2 minimum
+Click>=8.0.2; python_version >= '3.6'
 click-spinner>=0.1.8
 # click-repl 0.2 is needed for compatibility with Click 8.0.
 click-repl>=0.1.6; python_version <= '3.5'