diff --git a/.safety-policy.yml b/.safety-policy.yml
index cbd5c30bd..601489150 100644
--- a/.safety-policy.yml
+++ b/.safety-policy.yml
@@ -112,6 +112,8 @@ security:
 reason: Fixed gitpython version 3.1.33 requires Python>=3.7 and is used there
 60841:
 reason: Fixed gitpython version 3.1.34 requires Python>=3.7 and is used there
+ 61601:
+ reason: Fixed urllib3 version 1.26.17 requires Python>=3.6 and is used there
 # Continue with exit code 0 when vulnerabilities are found.
 continue-on-vulnerability-error: False
diff --git a/dev-requirements.txt b/dev-requirements.txt
index 2cd1ff79c..2844e060d 100644
--- a/dev-requirements.txt
+++ b/dev-requirements.txt
@@ -70,7 +70,6 @@ coveralls>=3.3.0; python_version >= '3.5'
 # Safety CI by pyup.io
 # Safety is run only on Python >=3.6
-# Safety 2.2.0 and dparse 0.6.2 fix safety issue 51358
 # Safety 2.3.5 (running only on Python >=3.6) requires packaging<22.0,>=21.0, but safety 2.3.4 does not
 # and safety 2.4.0 will also no longer pin it (see https://github.com/pyupio/safety/issues/455).
 safety>=2.2.0,!=2.3.5; python_version >= '3.6'
@@ -85,7 +84,6 @@ tox>=2.5.0
 # Sphinx 2.0.0 removed support for Python 2.7 and 3.4
 # Sphinx 4.0.0 breaks autodocsumm and needs to be excluded
 # Sphinx <4.3.0 requires docutils <0.18 due to an incompatibility
-# Sphinx 3.0.4 fixes safety issues 45775,38330
 Sphinx>=1.7.6,<2.0.0; python_version == '2.7'
 Sphinx>=3.5.4,!=4.0.0,<4.3.0; python_version >= '3.5' and python_version <= '3.9'
 Sphinx>=4.2.0; python_version >= '3.10'
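Review bot: The reason on the new 61601 ignore says the fixed urllib3 1.26.17 "requires Python>=3.6", but the requirements.txt hunk in this same commit pins 1.26.17 on Python 2.7 as well and holds only Python 3.5 at 1.26.9, so the one environment that stays below the fixed version is Python 3.5, and that is what the suppression should record. Because dev-requirements.txt states that Safety runs only on Python >=3.6, the 3.5 environment is never scanned, which makes this policy entry the only written trace of that residual exposure. I would reword it to `reason: Fixed urllib3 version 1.26.17 is used on Python 2.7 and >=3.6; Python 3.5 stays on 1.26.9 (last release supporting py35) and is not scanned by safety` and, if this safety version honours it, add an `expires:` date so the ignore is revisited instead of living forever. Note also that the ignore is unconditional: safety cannot see which Python a run uses, so a future regression to an older urllib3 in a scanned environment would be hidden by it.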
@@ -95,12 +93,10 @@ docutils>=0.14,<0.17; python_version == '3.10'
 docutils>=0.16,<0.17; python_version >= '3.11'
 sphinx-git>=10.1.1
 # GitPython 3.0.0 removed support for Python 2.7
-# GitPython 3.1.30 fixes safety issues 52322,52518
 GitPython>=2.1.1,<3.0.0; python_version == '2.7'
 GitPython>=2.1.1; python_version >= '3.5' and python_version <= '3.6'
 GitPython>=3.1.37; python_version >= '3.7'
 sphinxcontrib-websupport>=1.1.2
-# Pygments 2.7.4 fixes safety issues 50885,50886
 Pygments>=2.4.1; python_version == '2.7'
 Pygments>=2.7.4; python_version >= '3.5' and python_version <= '3.6'
 Pygments>=2.15.0; python_version >= '3.7'
@@ -109,7 +105,6 @@ autodocsumm>=0.1.13,<0.2.0; python_version == '2.7'
 autodocsumm>=0.1.13; python_version >= '3.5' and python_version <= '3.9'
 autodocsumm>=0.2.5; python_version >= '3.10'
 # Babel 2.7.0 fixes an ImportError for MutableMapping which starts failing on Python 3.10
-# Babel 2.9.1 fixes safety issue 42203
 Babel>=2.9.1
 # PyLint (no imports, invoked via pylint script)
@@ -121,8 +116,6 @@ Babel>=2.9.1
 # Issue #2673: Pinning Pylint to <2.7.0 is a circumvention for Pylint issue
 # https://github.com/PyCQA/pylint/issues/4120 that appears in Pylint 2.7.0.
 # Pylint 2.10 has fixed the issue.
-# Pylint 2.7.0 fixes safety issue 39621
-# Pylint 2.13.0 fixes safety issue 45185
 pylint>=2.5.2,<2.7.0; python_version == '3.5'
 pylint>=2.13.0,<2.14.0; python_version == '3.6'
 pylint>=2.13.0; python_version >= '3.7' and python_version <= '3.10'
@@ -165,7 +158,6 @@ functools32>=3.2.3.post2; python_version == '2.7' # technically: python_version
 # Twine (no imports, invoked via twine script):
 # twine 2.0.0 removed support for Python < 3.6
-# twine 2.0.0 fixes safety issue 37504
 twine>=1.8.1,<2.0.0; python_version <= '3.5'
 twine>=3.0.0; python_version >= '3.6'
 # readme-renderer 23.0 has made cmarkgfm part of extras (it fails on Cygwin)
@@ -185,11 +177,7 @@ pywin32-ctypes>=0.2.0; sys_platform=="win32"
 # so we need to pin notebook to <6.1 on Python<=3.5.
 # Note: notebook 6.5.1 starts using nbclassic which seems to introduce some challenges for pip
 # dependency resolution, so for now we pin notebook to <6.5.
-# notebook 5.7.8 fixes safety issue 54678
-# notebook 5.7.11 fixes safety issue 54689
-# notebook 6.1.5 fixes safety issue 40380
 # notebook 6.4.11 removed support for Python 3.6
-# notebook 6.4.12 fixes safety issue 54684
 notebook>=4.3.1,<6.1; python_version <= '3.5'
 notebook>=6.4.10,<6.5; python_version == '3.6'
 notebook>=6.4.12,<6.5; python_version >= '3.7'
@@ -198,7 +186,6 @@ jupyter-console>=5.2.0,<6.0.0; python_version == '2.7'
 jupyter-console>=5.2.0,<6.0.0; python_version >= '3.5'
 ipywidgets>=5.2.2,<6.0.0; python_version <= '3.6'
 ipywidgets>=5.2.2,<6.0.0; python_version >= '3.7'
-# nbconvert 6.5.1 fixes safety issue 50792
 nbconvert>=5.0.0,<6.0.0; python_version <= '3.6'
 nbconvert>=6.0.0,<7.0.0; python_version >= '3.7'
 # nbconvert 6.x requires nbclient>=0.5.0,<0.6.0
@@ -229,7 +216,6 @@ ipython>=5.1.0,<6.0; python_version >= '3.7'
 # Pywin32 is used (at least?) by jupyter.
 # Pywin32 version 226 needs to be excluded, see issues #1946 and #1975.
 # pywin32 version 300 removed support for Python 2.7
-# pywin32 version 301 fixes safety issue 54687
 # pywin32 version 302 removed support for Python 3.5 and added support for Python 3.10
 # pywin32 version 303 added support for Python 3.11
 pywin32>=222,!=226,<300; sys_platform == 'win32' and python_version == '2.7'
diff --git a/docs/changes.rst b/docs/changes.rst
index 4977477e5..cf71bd6c4 100644
--- a/docs/changes.rst
+++ b/docs/changes.rst
@@ -67,7 +67,7 @@ Released: not yet
 * Test: Circumvented a pip-check-reqs issue by excluding its version 2.5.0.
-* Addressed safety issues up to 2023-10-05.
+* Addressed safety issues up to 2023-11-05.
 * Fixed the maximum number of concurrent threads in bulk operations to be the documented maximum of 10.
diff --git a/minimum-constraints.txt b/minimum-constraints.txt
index 52ac7998d..51ded5b89 100644
--- a/minimum-constraints.txt
+++ b/minimum-constraints.txt
@@ -77,21 +77,17 @@
 # Pip 20.2 introduced a new resolver whose backtracking had issues that were resolved only in 21.2.2.
 # Pip 21.0 removed support for Python<=3.5
 # pip>=21.0 is needed for the cryptography package on Windows on GitHub Actions.
-# pip 19.2 fixes safety issue 38765
-# pip 21.1 fixes safety issues 42559,40291
 pip==19.3.1; python_version <= '3.5'
 pip==21.2.4; python_version >= '3.6' and python_version <= '3.9'
 pip==23.0.1; python_version >= '3.10' and python_version <= '3.11'
 pip==23.2.0; python_version >= '3.12'
 # setuptools 51.0.0 removed support for py35
 # setuptools 59.7.0 removed support for py36
-# setuptools 65.5.1 fixes safety issue 52495
 setuptools==39.0.1; python_version == '2.7'
 setuptools==50.3.2; python_version == '3.5'
 setuptools==59.6.0; python_version == '3.6'
 setuptools==65.5.1; python_version >= '3.7' and python_version <= '3.11'
 setuptools==66.1.0; python_version >= '3.12'
-# wheel 0.38.1 fixes safety issue 51499
 wheel==0.30.0; python_version <= '3.6'
 wheel==0.38.1; python_version >= '3.7'
@@ -122,14 +118,14 @@ jsonschema==3.0.1
 # Indirect dependencies for runtime (must be consistent with requirements.txt)
-# certifi 2022.12.07 fixes safety issue 52365
 certifi==2019.9.11; python_version <= '3.5'
 certifi==2023.07.22; python_version >= '3.6'
 chardet==3.0.3
 docopt==0.6.2
 idna==2.5
-# urllib3 1.26.5 fixes safety issue 43975
-urllib3==1.26.5
+urllib3==1.26.17; python_version == '2.7'
+urllib3==1.26.9; python_version == '3.5'
+urllib3==1.26.17; python_version >= '3.6'
 pyrsistent==0.15.1
 # Direct dependencies for development (must be consistent with dev-requirements.txt)
diff --git a/requirements.txt b/requirements.txt
index 681ee9e82..8c69e96e2 100644
--- a/requirements.txt
+++ b/requirements.txt
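Review bot: The new `urllib3==1.26.9; python_version == '3.5'` pin carries no explanation of why Python 3.5 is held below the 1.26.17 used on every other Python, even though the section header says this file must stay consistent with requirements.txt, where this same commit adds `# urllib3 1.26.10 removed support for py35`. A reader of this file alone cannot tell whether 1.26.9 is a deliberate ceiling or a pin someone forgot to raise, and since it is below the version the rest of the commit moves to, that matters for anyone auditing what the Python 3.5 environment actually ships. I would add the same one-line comment directly above the three pins: `# urllib3 1.26.10 removed support for py35`.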
@@ -41,8 +41,6 @@ nocasedict>=1.0.2
 # PyYAML 5.3 fixes narrow build error
 # PyYAML 5.4 removed support for py35
 # PyYAML 6.0 removed support for py27
-# PyYAML 5.3.1 fixes safety issue 38100
-# PyYAML 5.4 fixes safety issue 39611
 # PyYAML 5.3 has wheel archives for Python 2.7, 3.5 - 3.9
 # PyYAML 5.4 has wheel archives for Python 2.7, 3.6 - 3.9
 # PyYAML 6.0 has wheel archives for Python 3.6 - 3.11
@@ -67,7 +65,10 @@ jsonschema>=3.0.1,!=4.0.0
 # Since we changed to use the allowed_methods attribute introduced in urllib3
 # 1.26.0, and our minimum version of requests (2.25.0) only requires
 # urllib3>=1.21.0, we need to require a minimum version of urllib3.
-urllib3>=1.26.5 # MIT
+# urllib3 1.26.10 removed support for py35
+urllib3>=1.26.17; python_version == '2.7'
+urllib3>=1.26.9; python_version == '3.5'
+urllib3>=1.26.17; python_version >= '3.6'
 # MIT, from jsonschema>=3.0
 # pyrsistent 0.15.0 started using the FileNotFoundError built-in exception that
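Review bot: The three new urllib3 lines drop the inline `# MIT` that the removed `urllib3>=1.26.5 # MIT` line carried, which looks like the license annotation this file keeps on dependencies (the `# MIT, from jsonschema>=3.0` context line just below follows the same pattern); if that is what it is, it should be carried over, e.g. `urllib3>=1.26.17; python_version >= '3.6' # MIT` on each of the three lines. Separately, the Python 3.5 line keeps `urllib3>=1.26.9`, a minimum below the 1.26.17 the rest of this commit moves to, and the added comment explains only the py35 support drop, not that 3.5 therefore stays on an older release; extending it to `# urllib3 1.26.10 removed support for py35, so py35 stays on 1.26.9` would make that trade-off explicit to whoever next reviews the pins.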