Upgrade requirements (#744)

* Upgrade requirements * Allow redis-py 5.x * Upgrade requirements * Upgrade requirements * Upgrade requirements * Pin docutils to support Python 3.8 * Upgrade requirements * Upgrade requirements * Upgrade requirements * Upgrade requirements * Upgrade requirements * Migrate from Safety CLI 2.x to 3.x * Ignore Jinja2 vulnerability 70612 We don't render Jinja templates. Plus, "The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing." For more info: https://data.safetycli.com/vulnerabilities/CVE-2019-8341/70612/
brainix · Jul 6, 2024 · b611291 · b611291
1 parent 21abb43
commit b611291
Show file tree

Hide file tree

Showing 6 changed files with 92 additions and 41 deletions.
diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
@@ -45,7 +45,10 @@ jobs:
       run: |
         flake8 *\.py pottery/*\.py tests/*\.py --count --max-complexity=10 --statistics
         isort *\.py pottery/*\.py tests/*\.py --check-only --diff
-    - name: Check for security vulnerabilities with Bandit and Safety
+    - name: Check for security vulnerabilities with Bandit
       run: |
         bandit --recursive pottery
-        safety check --file requirements.txt
+    - name: Check for security vulnerabilities with Safety
+      uses: pyupio/safety-action@v1
+      with:
+        api-key: ${{ secrets.SAFETY_API_KEY }}
diff --git a/.safety-policy.yml b/.safety-policy.yml
@@ -0,0 +1,42 @@
+version: '3.0'
+
+scanning-settings:
+  max-depth: 6
+  exclude: []
+  include-files: []
+  system:
+    targets: []
+
+
+report:
+  dependency-vulnerabilities:
+    enabled: true
+    auto-ignore-in-report:
+      python:
+        environment-results: true
+        unpinned-requirements: true
+      cvss-severity: []
+      vulnerabilities:
+        70612:
+          reason: "We don't render Jinja templates"
+          expires: '2024-12-31'
+
+
+fail-scan-with-exit-code:
+  dependency-vulnerabilities:
+    enabled: true
+    fail-on-any-of:
+      cvss-severity:
+        - high
+        - critical
+        - medium
+      exploitability:
+        - high
+        - critical
+        - medium
+
+security-updates:
+  dependency-vulnerabilities:
+    auto-security-updates-limit:
+      - patch
+
diff --git a/Makefile b/Makefile
@@ -81,7 +81,7 @@ test:
 		echo Running isort on $($@_SOURCE_FILES) && \
 		isort $($@_SOURCE_FILES) --check-only --diff && \
 		bandit --recursive pottery && \
-		safety check
+		safety scan
 
 
 .PHONY: release

diff --git a/requirements-to-freeze.txt b/requirements-to-freeze.txt
@@ -54,3 +54,7 @@ requests>=2.20.0
 #   https://nvd.nist.gov/vuln/detail/CVE-2018-20060
 #   https://nvd.nist.gov/vuln/detail/CVE-2019-11324
 urllib3>=1.24.2
+
+# We don't need docutils at the top-level.  However, it's pulled in from
+# something else, and recent docutils doesn't support Python 3.8.
+docutils==0.20.1
diff --git a/requirements.txt b/requirements.txt
@@ -1,69 +1,71 @@
-annotated-types==0.6.0
-async-timeout==4.0.3
-Authlib==1.3.0
-bandit==1.7.8
-certifi==2024.2.2
+annotated-types==0.7.0
+Authlib==1.3.1
+bandit==1.7.9
+certifi==2024.7.4
 cffi==1.16.0
 charset-normalizer==3.3.2
 click==8.1.7
-coverage==7.4.4
-cryptography==42.0.5
+coverage==7.5.4
+cryptography==42.0.8
 docutils==0.20.1
 dparse==0.6.4b0
-flake8==7.0.0
+filelock==3.12.4
+flake8==7.1.0
 hiredis==2.3.2
-idna==3.6
-importlib_metadata==7.1.0
+idna==3.7
+importlib_metadata==8.0.0
 iniconfig==2.0.0
 isort==5.13.2
 jaraco.classes==3.4.0
 jaraco.context==5.3.0
-jaraco.functools==4.0.0
-Jinja2==3.1.3
-keyring==25.1.0
+jaraco.functools==4.0.1
+Jinja2==3.1.4
+keyring==25.2.1
 markdown-it-py==3.0.0
 MarkupSafe==2.1.5
-marshmallow==3.21.1
+marshmallow==3.21.3
 mccabe==0.7.0
 mdurl==0.1.2
 mmh3==4.1.0
-more-itertools==10.2.0
-mypy==1.9.0
+more-itertools==10.3.0
+mypy==1.10.1
 mypy-extensions==1.0.0
 nh3==0.2.17
-packaging==24.0
+packaging==24.1
 pbr==6.0.0
 pkginfo==1.10.0
-pluggy==1.4.0
-pycodestyle==2.11.1
+pluggy==1.5.0
+pycodestyle==2.12.0
 pycparser==2.22
-pydantic==2.6.4
-pydantic_core==2.16.3
+pydantic==2.8.2
+pydantic_core==2.20.1
 pyflakes==3.2.0
-Pygments==2.17.2
-pytest==8.1.1
-pytest-asyncio==0.23.6
+Pygments==2.18.0
+pytest==8.2.2
+pytest-asyncio==0.23.7
 pytest-cov==5.0.0
 PyYAML==6.0.1
 readme_renderer==43.0
-redis==5.1.0b4
-requests==2.31.0
+redis==5.1.0b7
+requests==2.32.3
 requests-toolbelt==1.0.0
 rfc3986==2.0.0
 rich==13.7.1
 ruamel.yaml==0.18.6
 ruamel.yaml.clib==0.2.8
-safety==3.1.0
+safety==3.2.4
 safety-schemas==0.0.2
-setuptools==69.2.0
+setuptools==70.2.0
 shellingham==1.5.4
 stevedore==5.2.0
-twine==5.0.0
-typer==0.12.1
-types-pyOpenSSL==24.0.0.20240311
-types-redis==4.6.0.20240311
-typing_extensions==4.11.0
-urllib3==2.2.1
+twine==5.1.1
+typer==0.12.3
+types-cffi==1.16.0.20240331
+types-pyOpenSSL==24.1.0.20240425
+types-redis==4.6.0.20240425
+types-setuptools==70.2.0.20240704
+typing_extensions==4.12.2
+urllib3==2.2.2
 uvloop==0.19.0
 wheel==0.43.0
-zipp==3.18.1
+zipp==3.19.2
diff --git a/setup.py b/setup.py
@@ -57,10 +57,10 @@
     ],
     keywords=pottery.__keywords__,
     python_requires='>=3.8, <4',
-    install_requires=('redis>=4.2.0rc1, <5', 'mmh3', 'typing_extensions'),
+    install_requires=('redis>=4.2.0rc1', 'mmh3', 'typing_extensions'),
     extras_require={},
     packages=find_packages(exclude=('contrib', 'docs', 'tests*')),
-    package_data={'pottery': ('py.typed',)},
-    data_files=tuple(),
+    package_data={'pottery': ['py.typed']},
+    data_files=[],
     entry_points={},
 )