build: update some dependencies, all over #10727
note: 3.12 is in security-only status, so can't bump win/mac binaries without switching to 3.13 (as we don't compile our own CPython for those). We should bump those to at least 3.13...
somewhat conservative and paranoid... generated with patch: ``` user@debian:~/wspace/electrum$ git diff diff --git a/contrib/requirements/requirements-binaries-mac.txt b/contrib/requirements/requirements-binaries-mac.txt index ab8bd5f..dfbd55c2b 100644 --- a/contrib/requirements/requirements-binaries-mac.txt +++ b/contrib/requirements/requirements-binaries-mac.txt @@ -5,3 +5,11 @@ PyQt6<6.7 PyQt6-Qt6<6.7,!=6.6.3 cryptography>=2.6 + + +pip==25.1.1 +setuptools==80.9.0 +wheel==0.45.1 + +cryptography==46.0.7 +pycparser==2.23 diff --git a/contrib/requirements/requirements-binaries.txt b/contrib/requirements/requirements-binaries.txt index b410896..5771aef24 100644 --- a/contrib/requirements/requirements-binaries.txt +++ b/contrib/requirements/requirements-binaries.txt @@ -3,3 +3,12 @@ PyQt6 # we need at least cryptography>=2.1 for electrum.crypto, # and at least cryptography>=2.6 for dnspython[DNSSEC] cryptography>=2.6 + + +pip==25.1.1 +setuptools==80.9.0 +wheel==0.45.1 + +cryptography==46.0.7 +pycparser==2.23 +PyQt6==6.9.1 diff --git a/contrib/requirements/requirements-build-android.txt b/contrib/requirements/requirements-build-android.txt index e9d2728..4bf6cc1fc 100644 --- a/contrib/requirements/requirements-build-android.txt +++ b/contrib/requirements/requirements-build-android.txt @@ -20,3 +20,10 @@ toml # needed for the Qt/QML Android GUI: # TODO double-check this typing-extensions + + +pip==25.1.1 +setuptools==80.9.0 +wheel==0.45.1 + +sh==2.2.2 diff --git a/contrib/requirements/requirements-build-appimage.txt b/contrib/requirements/requirements-build-appimage.txt index ee8b4aa..d79cd93b6 100644 --- a/contrib/requirements/requirements-build-appimage.txt +++ b/contrib/requirements/requirements-build-appimage.txt 
@@ -7,4 +7,11 @@ wheel # The pinned Cython must be installed before hidapi is built; # otherwise when installing hidapi, pip just downloads the latest Cython. # see spesmilo#5859 -Cython>=0.27 \ No newline at end of file +Cython>=0.27 + + +pip==25.1.1 +setuptools==80.9.0 +wheel==0.45.1 + +Cython<3.2 diff --git a/contrib/requirements/requirements-build-base.txt b/contrib/requirements/requirements-build-base.txt index 5bfea96..6cc7d303c 100644 --- a/contrib/requirements/requirements-build-base.txt +++ b/contrib/requirements/requirements-build-base.txt @@ -28,3 +28,12 @@ flit_core>=3.4,<4 # aio-libs/frozenlist and aio-libs/propcache needs: # https://github.com/aio-libs/frozenlist/blob/c28f32d6816ca0fa56a5876e84831c46084bb85d/pyproject.toml#L6 expandvars + + +pip==25.1.1 +setuptools==80.9.0 +wheel==0.45.1 +setuptools-scm<9 + +expandvars==1.0.0 +poetry-core==2.1.3 diff --git a/contrib/requirements/requirements-build-mac.txt b/contrib/requirements/requirements-build-mac.txt index 5504223..583c91170 100644 --- a/contrib/requirements/requirements-build-mac.txt +++ b/contrib/requirements/requirements-build-mac.txt @@ -15,3 +15,12 @@ packaging>=22.0 # otherwise when installing hidapi, pip just downloads the latest Cython. # see spesmilo#5859 Cython>=0.27 + + + +pip==25.1.1 +setuptools==80.9.0 +wheel==0.45.1 + +Cython<3.2 +pyinstaller-hooks-contrib==2025.4 diff --git a/contrib/requirements/requirements-build-wine.txt b/contrib/requirements/requirements-build-wine.txt index 80cccba..647a90acb 100644 --- a/contrib/requirements/requirements-build-wine.txt +++ b/contrib/requirements/requirements-build-wine.txt @@ -9,3 +9,10 @@ altgraph pywin32-ctypes>=0.2.1 pyinstaller-hooks-contrib>=2025.2 packaging>=22.0 + + +pip==25.1.1 +setuptools==80.9.0 +wheel==0.45.1 + +pyinstaller-hooks-contrib==2025.4 diff --git a/contrib/requirements/requirements-hw.txt b/contrib/requirements/requirements-hw.txt index 5dfb029..3c4955eb6 100644 --- a/contrib/requirements/requirements-hw.txt 
+++ b/contrib/requirements/requirements-hw.txt @@ -30,3 +30,13 @@ pyserial>=3.5.0,<4.0.0 # prefer older urllib3 to avoid needing hatchling # (pulled in via trezor -> requests -> urllib3) urllib3<2 + + +pip==25.1.1 +setuptools==80.9.0 +wheel==0.45.1 + +cryptography==46.0.7 +pycparser==2.23 +libusb1<3.4 +protobuf==3.20.3 diff --git a/contrib/requirements/requirements.txt b/contrib/requirements/requirements.txt index e9963c1..da9ab8cde 100644 --- a/contrib/requirements/requirements.txt +++ b/contrib/requirements/requirements.txt @@ -18,3 +18,15 @@ attrs>=20.1.0,<23 # - upper limit to avoid needing hatchling at build-time :/ # (however newer versions should work at runtime) dnspython>=2.2,<2.5 + + +pip==25.1.1 +setuptools==80.9.0 +wheel==0.45.1 + +aiohappyeyeballs<2.7 +jsonpatch==1.33 +jsonpointer==3.0.0 +propcache==0.3.1 +protobuf==3.20.3 +python-socks==2.8.1 ```
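Review bot: in the requirements-binaries-mac.txt hunk, `cryptography==46.0.7` is appended a few lines below the existing `cryptography>=2.6`, so the file now carries two specifiers for the same package (the requirements-binaries.txt hunk has the same pair). Folding the pin into the existing line, or marking the appended block with a comment as temporary regeneration constraints, would make it clear which line is authoritative.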
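Review bot: in the requirements-binaries.txt hunk, `PyQt6==6.9.1` is pinned while the requirements-binaries-mac.txt hunk keeps `PyQt6<6.7` and `PyQt6-Qt6<6.7,!=6.6.3`, so the two binary builds will resolve to different PyQt6 releases. If the divergence is intended, a comment beside the pin saying why mac stays below 6.7 would help whoever regenerates next; if it is not, one of the two should change.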
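Review bot: `Cython<3.2` in the requirements-build-appimage.txt hunk (and again in requirements-build-mac.txt) adds an upper bound with no stated reason, whereas the caps visible elsewhere in this patch, such as `urllib3<2` and `dnspython>=2.2,<2.5`, each carry a comment explaining the limit. A one-line comment on why the cap is needed would let a later bump lift it with confidence; the same applies to `setuptools-scm<9`, `libusb1<3.4` and `aiohappyeyeballs<2.7`.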
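Review bot: the `pip==25.1.1` / `setuptools==80.9.0` / `wheel==0.45.1` block is repeated verbatim in all nine files touched here, starting with the requirements-build-base.txt hunk, so a future bump has to be made in nine places and any missed file silently drifts. Keeping these three pins in one shared constraints file passed to pip with `-c` would leave a single place to review.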
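Review bot: `protobuf==3.20.3` is pinned separately in the requirements-hw.txt hunk and in the requirements.txt hunk, with nothing tying the two values together. A comment in each file pointing at the other, or a single shared pin, would prevent the hardware-wallet and main dependency sets from resolving to different protobuf versions after a later edit.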
Please someone else skim this and validate that I was not last-minute-blackmailed into pulling in some backdoored crap...
Looked at the commits of network oriented dependencies |
I looked over the diff and let Claude audit it, 5972fc7 lgtm. FYI, this is the (partial) output:
hmm. still, aiohttp claims to have fixed ~vulnerabilities in many of their recently released versions so it is probably better for us to just follow them |
I tried to be somewhat conservative.
(But really should do this mid-cycle, not just before a release. Then it would be possible to do major version bumps as well.)
done manual QA, like in the stone age: