From b611291c2ebe5d29bce3c8737ce3e8ab95308c80 Mon Sep 17 00:00:00 2001
From: Rajiv Bakulesh Shah <brainix@gmail.com>
Date: Fri, 5 Jul 2024 23:06:56 -0700
Subject: [PATCH] Upgrade requirements (#744)

* Upgrade requirements

* Allow redis-py 5.x

* Upgrade requirements

* Upgrade requirements

* Upgrade requirements

* Pin docutils to support Python 3.8

* Upgrade requirements

* Upgrade requirements

* Upgrade requirements

* Upgrade requirements

* Upgrade requirements

* Migrate from Safety CLI 2.x to 3.x

* Ignore Jinja2 vulnerability 70612

We don't render Jinja templates.

Plus, "The maintainer and multiple third parties believe that this
vulnerability isn't valid because users shouldn't use untrusted
templates without sandboxing."

For more info:
https://data.safetycli.com/vulnerabilities/CVE-2019-8341/70612/
---
 .github/workflows/python-package.yml |  7 ++-
 .safety-policy.yml                   | 42 ++++++++++++++++
 Makefile                             |  2 +-
 requirements-to-freeze.txt           |  4 ++
 requirements.txt                     | 72 ++++++++++++++--------------
 setup.py                             |  6 +--
 6 files changed, 92 insertions(+), 41 deletions(-)
 create mode 100644 .safety-policy.yml

diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
index 7003a331..e94aeda8 100644
--- a/.github/workflows/python-package.yml
+++ b/.github/workflows/python-package.yml
@@ -45,7 +45,10 @@ jobs:
       run: |
         flake8 *\.py pottery/*\.py tests/*\.py --count --max-complexity=10 --statistics
         isort *\.py pottery/*\.py tests/*\.py --check-only --diff
-    - name: Check for security vulnerabilities with Bandit and Safety
+    - name: Check for security vulnerabilities with Bandit
       run: |
         bandit --recursive pottery
-        safety check --file requirements.txt
+    - name: Check for security vulnerabilities with Safety
+      uses: pyupio/safety-action@v1
+      with:
+        api-key: ${{ secrets.SAFETY_API_KEY }}
diff --git a/.safety-policy.yml b/.safety-policy.yml
new file mode 100644
index 00000000..6a64c688
--- /dev/null
+++ b/.safety-policy.yml
@@ -0,0 +1,42 @@
+version: '3.0'
+
+scanning-settings:
+  max-depth: 6
+  exclude: []
+  include-files: []
+  system:
+    targets: []
+
+
+report:
+  dependency-vulnerabilities:
+    enabled: true
+    auto-ignore-in-report:
+      python:
+        environment-results: true
+        unpinned-requirements: true
+      cvss-severity: []
+      vulnerabilities:
+        70612:
+          reason: "We don't render Jinja templates"
+          expires: '2024-12-31'
+
+
+fail-scan-with-exit-code:
+  dependency-vulnerabilities:
+    enabled: true
+    fail-on-any-of:
+      cvss-severity:
+        - high
+        - critical
+        - medium
+      exploitability:
+        - high
+        - critical
+        - medium
+
+security-updates:
+  dependency-vulnerabilities:
+    auto-security-updates-limit:
+      - patch
+
diff --git a/Makefile b/Makefile
index 586fd0a8..62504bf5 100644
--- a/Makefile
+++ b/Makefile
@@ -81,7 +81,7 @@ test:
 		echo Running isort on $($@_SOURCE_FILES) && \
 		isort $($@_SOURCE_FILES) --check-only --diff && \
 		bandit --recursive pottery && \
-		safety check
+		safety scan
 
 
 .PHONY: release
diff --git a/requirements-to-freeze.txt b/requirements-to-freeze.txt
index 7f36df94..52a0e86d 100644
--- a/requirements-to-freeze.txt
+++ b/requirements-to-freeze.txt
@@ -54,3 +54,7 @@ requests>=2.20.0
 #   https://nvd.nist.gov/vuln/detail/CVE-2018-20060
 #   https://nvd.nist.gov/vuln/detail/CVE-2019-11324
 urllib3>=1.24.2
+
+# We don't need docutils at the top-level.  However, it's pulled in from
+# something else, and recent docutils doesn't support Python 3.8.
+docutils==0.20.1
diff --git a/requirements.txt b/requirements.txt
index 113c5cf3..4112ac92 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,69 +1,71 @@
-annotated-types==0.6.0
-async-timeout==4.0.3
-Authlib==1.3.0
-bandit==1.7.8
-certifi==2024.2.2
+annotated-types==0.7.0
+Authlib==1.3.1
+bandit==1.7.9
+certifi==2024.7.4
 cffi==1.16.0
 charset-normalizer==3.3.2
 click==8.1.7
-coverage==7.4.4
-cryptography==42.0.5
+coverage==7.5.4
+cryptography==42.0.8
 docutils==0.20.1
 dparse==0.6.4b0
-flake8==7.0.0
+filelock==3.12.4
+flake8==7.1.0
 hiredis==2.3.2
-idna==3.6
-importlib_metadata==7.1.0
+idna==3.7
+importlib_metadata==8.0.0
 iniconfig==2.0.0
 isort==5.13.2
 jaraco.classes==3.4.0
 jaraco.context==5.3.0
-jaraco.functools==4.0.0
-Jinja2==3.1.3
-keyring==25.1.0
+jaraco.functools==4.0.1
+Jinja2==3.1.4
+keyring==25.2.1
 markdown-it-py==3.0.0
 MarkupSafe==2.1.5
-marshmallow==3.21.1
+marshmallow==3.21.3
 mccabe==0.7.0
 mdurl==0.1.2
 mmh3==4.1.0
-more-itertools==10.2.0
-mypy==1.9.0
+more-itertools==10.3.0
+mypy==1.10.1
 mypy-extensions==1.0.0
 nh3==0.2.17
-packaging==24.0
+packaging==24.1
 pbr==6.0.0
 pkginfo==1.10.0
-pluggy==1.4.0
-pycodestyle==2.11.1
+pluggy==1.5.0
+pycodestyle==2.12.0
 pycparser==2.22
-pydantic==2.6.4
-pydantic_core==2.16.3
+pydantic==2.8.2
+pydantic_core==2.20.1
 pyflakes==3.2.0
-Pygments==2.17.2
-pytest==8.1.1
-pytest-asyncio==0.23.6
+Pygments==2.18.0
+pytest==8.2.2
+pytest-asyncio==0.23.7
 pytest-cov==5.0.0
 PyYAML==6.0.1
 readme_renderer==43.0
-redis==5.1.0b4
-requests==2.31.0
+redis==5.1.0b7
+requests==2.32.3
 requests-toolbelt==1.0.0
 rfc3986==2.0.0
 rich==13.7.1
 ruamel.yaml==0.18.6
 ruamel.yaml.clib==0.2.8
-safety==3.1.0
+safety==3.2.4
 safety-schemas==0.0.2
-setuptools==69.2.0
+setuptools==70.2.0
 shellingham==1.5.4
 stevedore==5.2.0
-twine==5.0.0
-typer==0.12.1
-types-pyOpenSSL==24.0.0.20240311
-types-redis==4.6.0.20240311
-typing_extensions==4.11.0
-urllib3==2.2.1
+twine==5.1.1
+typer==0.12.3
+types-cffi==1.16.0.20240331
+types-pyOpenSSL==24.1.0.20240425
+types-redis==4.6.0.20240425
+types-setuptools==70.2.0.20240704
+typing_extensions==4.12.2
+urllib3==2.2.2
 uvloop==0.19.0
 wheel==0.43.0
-zipp==3.18.1
+zipp==3.19.2
diff --git a/setup.py b/setup.py
index c95b712a..a4c6b3ee 100644
--- a/setup.py
+++ b/setup.py
@@ -57,10 +57,10 @@
     ],
     keywords=pottery.__keywords__,
     python_requires='>=3.8, <4',
-    install_requires=('redis>=4.2.0rc1, <5', 'mmh3', 'typing_extensions'),
+    install_requires=('redis>=4.2.0rc1', 'mmh3', 'typing_extensions'),
     extras_require={},
     packages=find_packages(exclude=('contrib', 'docs', 'tests*')),
-    package_data={'pottery': ('py.typed',)},
-    data_files=tuple(),
+    package_data={'pottery': ['py.typed']},
+    data_files=[],
     entry_points={},
 )