⬆️🔒️ Maintenance/vulnerability upgrade for ujson, upgrade fastapi+sta…

…rlette (#3112)
ITISFoundation · Sep 20, 2022 · 1e08132 · 1e08132
1 parent 988cc25
commit 1e08132
Show file tree

Hide file tree

Showing 14 changed files with 109 additions and 39 deletions.
diff --git a/packages/service-library/requirements/_fastapi.txt b/packages/service-library/requirements/_fastapi.txt
@@ -14,7 +14,7 @@ certifi==2022.6.15
     #   httpx
 click==8.1.3
     # via uvicorn
-fastapi==0.82.0
+fastapi==0.85.0
     # via
     #   -r requirements/_fastapi.in
     #   fastapi-contrib
@@ -54,7 +54,7 @@ sniffio==1.3.0
     #   anyio
     #   httpcore
     #   httpx
-starlette==0.19.1
+starlette==0.20.4
     # via fastapi
 threadloop==1.0.2
     # via jaeger-client

diff --git a/requirements/constraints.txt b/requirements/constraints.txt
@@ -18,6 +18,7 @@ pyyaml>=5.4                                   # https://github.com/advisories/GH
 rsa>=4.1                                      # https://github.com/advisories/GHSA-537h-rv9q-vvph
 sqlalchemy[postgresql_psycopg2binary]>=1.3.3  # https://nvd.nist.gov/vuln/detail/CVE-2019-7164
 sqlalchemy>=1.3.3                             # https://nvd.nist.gov/vuln/detail/CVE-2019-7164
+ujson>=5.4.0                                  # https://github.com/advisories/GHSA-fh56-85cw-5pq6, https://github.com/advisories/GHSA-wpqr-jcpx-745r
 urllib3>=1.26.5                               # https://github.com/advisories/GHSA-q2q7-5pp4-w6pg
 
 #

diff --git a/services/api-server/requirements/_base.txt b/services/api-server/requirements/_base.txt
@@ -95,7 +95,7 @@ email-validator==1.2.1
     # via
     #   fastapi
     #   pydantic
-fastapi==0.75.0
+fastapi==0.85.0
     # via
     #   -r requirements/../../../packages/service-library/requirements/_fastapi.in
     #   -r requirements/_base.in
@@ -285,7 +285,7 @@ sqlalchemy==1.4.37
     #   -r requirements/../../../packages/simcore-sdk/requirements/../../../packages/postgres-database/requirements/_base.in
     #   aiopg
     #   alembic
-starlette==0.17.1
+starlette==0.20.4
     # via fastapi
 tenacity==8.0.1
     # via
@@ -317,8 +317,21 @@ typing-extensions==4.3.0
     # via
     #   aiodebug
     #   pydantic
-ujson==4.3.0
-    # via fastapi
+    #   starlette
+ujson==5.5.0
+    # via
+    #   -c requirements/../../../packages/models-library/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../packages/postgres-database/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../packages/service-library/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../packages/service-library/requirements/./../../../requirements/constraints.txt
+    #   -c requirements/../../../packages/settings-library/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../packages/simcore-sdk/requirements/../../../packages/models-library/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../packages/simcore-sdk/requirements/../../../packages/postgres-database/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../packages/simcore-sdk/requirements/../../../packages/service-library/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../packages/simcore-sdk/requirements/../../../packages/settings-library/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../packages/simcore-sdk/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../requirements/constraints.txt
+    #   fastapi
 urllib3==1.26.9
     # via
     #   -c requirements/../../../packages/models-library/requirements/../../../requirements/constraints.txt

diff --git a/services/api-server/tests/unit/test__fastapi.py b/services/api-server/tests/unit/test__fastapi.py
@@ -114,6 +114,9 @@ def test_fastapi_route_paths_in_paths(client: TestClient, faker: Faker):
 
 
 def test_fastapi_route_name_parsing(client: TestClient, faker: Faker):
+    #
+    # Ensures ':' is allowed in routes
+    # SEE https://github.com/encode/starlette/pull/1657
 
     solver_key = Solver.Config.schema_extra["example"]["id"]
     version = Solver.Config.schema_extra["example"]["version"]

diff --git a/services/autoscaling/requirements/_base.txt b/services/autoscaling/requirements/_base.txt
@@ -33,7 +33,7 @@ dnspython==2.2.1
     # via email-validator
 email-validator==1.2.1
     # via pydantic
-fastapi==0.82.0
+fastapi==0.85.0
     # via
     #   -r requirements/../../../packages/service-library/requirements/_fastapi.in
     #   -r requirements/_base.in
@@ -114,7 +114,7 @@ sniffio==1.3.0
     #   anyio
     #   httpcore
     #   httpx
-starlette==0.19.1
+starlette==0.20.4
     # via fastapi
 tenacity==8.0.1
     # via

diff --git a/services/catalog/requirements/_base.txt b/services/catalog/requirements/_base.txt
@@ -51,7 +51,7 @@ email-validator==1.2.1
     # via
     #   fastapi
     #   pydantic
-fastapi==0.71.0
+fastapi==0.85.0
     # via
     #   -r requirements/../../../packages/service-library/requirements/_fastapi.in
     #   -r requirements/_base.in
@@ -191,7 +191,7 @@ sqlalchemy==1.4.37
     #   -r requirements/../../../packages/postgres-database/requirements/_base.in
     #   -r requirements/_base.in
     #   alembic
-starlette==0.17.1
+starlette==0.20.4
     # via fastapi
 tenacity==8.0.1
     # via
@@ -217,8 +217,16 @@ typing-extensions==4.3.0
     #   aiodebug
     #   aioredis
     #   pydantic
-ujson==4.3.0
-    # via fastapi
+    #   starlette
+ujson==5.5.0
+    # via
+    #   -c requirements/../../../packages/models-library/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../packages/postgres-database/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../packages/service-library/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../packages/service-library/requirements/./../../../requirements/constraints.txt
+    #   -c requirements/../../../packages/settings-library/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../requirements/constraints.txt
+    #   fastapi
 urllib3==1.26.9
     # via
     #   -c requirements/../../../packages/models-library/requirements/../../../requirements/constraints.txt

diff --git a/services/datcore-adapter/requirements/_base.txt b/services/datcore-adapter/requirements/_base.txt
@@ -54,7 +54,7 @@ ecdsa==0.14.1
     # via python-jose
 email-validator==1.2.1
     # via pydantic
-fastapi==0.75.1
+fastapi==0.85.0
     # via
     #   -r requirements/../../../packages/service-library/requirements/_fastapi.in
     #   -r requirements/_base.in
@@ -196,7 +196,7 @@ sniffio==1.2.0
     #   anyio
     #   httpcore
     #   httpx
-starlette==0.17.1
+starlette==0.20.4
     # via fastapi
 tenacity==8.0.1
     # via
@@ -220,6 +220,7 @@ typing-extensions==4.3.0
     # via
     #   aiodebug
     #   pydantic
+    #   starlette
 urllib3==1.26.9
     # via
     #   -c requirements/../../../packages/models-library/requirements/../../../requirements/constraints.txt

diff --git a/services/datcore-adapter/src/simcore_service_datcore_adapter/modules/remote_debug.py b/services/datcore-adapter/src/simcore_service_datcore_adapter/modules/remote_debug.py
@@ -38,4 +38,4 @@ def setup_remote_debugging(force_enabled=False, *, boot_mode=None):
         )
 
 
-__all__ = ["setup_remote_debugging"]
+__all__ = ("setup_remote_debugging",)
diff --git a/services/datcore-adapter/tests/unit/test_route_files.py b/services/datcore-adapter/tests/unit/test_route_files.py
@@ -1,8 +1,9 @@
-# pylint:disable=unused-variable
-# pylint:disable=unused-argument
-# pylint:disable=redefined-outer-name
+# pylint: disable=redefined-outer-name
+# pylint: disable=unused-argument
+# pylint: disable=unused-variable
 
-from typing import Dict
+from typing import Iterator
+from unittest.mock import Mock
 
 import httpx
 import pytest
@@ -14,7 +15,9 @@
 
 
 @pytest.fixture
-async def pennsieve_files_mock(pennsieve_subsystem_mock, pennsieve_file_id: str):
+async def pennsieve_files_mock(
+    pennsieve_subsystem_mock: Mock, pennsieve_file_id: str
+) -> Iterator[Mock]:
     mock = pennsieve_subsystem_mock
     if mock:
         FAKE_FILE_ID = "123434"
@@ -39,9 +42,9 @@ async def pennsieve_files_mock(pennsieve_subsystem_mock, pennsieve_file_id: str)
 
 async def test_download_file_entrypoint(
     async_client: httpx.AsyncClient,
-    pennsieve_subsystem_mock,
-    pennsieve_files_mock,
-    pennsieve_api_headers: Dict[str, str],
+    pennsieve_subsystem_mock: Mock,
+    pennsieve_files_mock: Mock,
+    pennsieve_api_headers: dict[str, str],
     pennsieve_file_id: str,
 ):
     file_id = pennsieve_file_id
@@ -57,9 +60,9 @@ async def test_download_file_entrypoint(
 
 async def test_delete_file_entrypoint(
     async_client: httpx.AsyncClient,
-    pennsieve_subsystem_mock,
-    pennsieve_files_mock,
-    pennsieve_api_headers: Dict[str, str],
+    pennsieve_subsystem_mock: Mock,
+    pennsieve_files_mock: Mock,
+    pennsieve_api_headers: dict[str, str],
     pennsieve_file_id: str,
 ):
     file_id = pennsieve_file_id
@@ -68,5 +71,4 @@ async def test_delete_file_entrypoint(
         headers=pennsieve_api_headers,
     )
     assert response.status_code == status.HTTP_204_NO_CONTENT
-    data = response.json()
-    assert not data
+    assert response.num_bytes_downloaded == 0
diff --git a/services/director-v2/requirements/_base.txt b/services/director-v2/requirements/_base.txt
@@ -121,7 +121,7 @@ email-validator==1.2.1
     # via
     #   fastapi
     #   pydantic
-fastapi==0.71.0
+fastapi==0.85.0
     # via
     #   -r requirements/../../../packages/service-library/requirements/_fastapi.in
     #   -r requirements/_base.in
@@ -370,7 +370,7 @@ sqlalchemy==1.4.37
     #   -r requirements/../../../packages/simcore-sdk/requirements/../../../packages/postgres-database/requirements/_base.in
     #   aiopg
     #   alembic
-starlette==0.17.1
+starlette==0.20.4
     # via fastapi
 tblib==1.7.0
     # via
@@ -416,8 +416,23 @@ typing-extensions==4.3.0
     #   aiodocker
     #   aioredis
     #   pydantic
-ujson==4.3.0
-    # via fastapi
+    #   starlette
+ujson==5.5.0
+    # via
+    #   -c requirements/../../../packages/dask-task-models-library/requirements/../../../packages/models-library/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../packages/dask-task-models-library/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../packages/models-library/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../packages/postgres-database/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../packages/service-library/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../packages/service-library/requirements/./../../../requirements/constraints.txt
+    #   -c requirements/../../../packages/settings-library/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../packages/simcore-sdk/requirements/../../../packages/models-library/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../packages/simcore-sdk/requirements/../../../packages/postgres-database/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../packages/simcore-sdk/requirements/../../../packages/service-library/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../packages/simcore-sdk/requirements/../../../packages/settings-library/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../packages/simcore-sdk/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../requirements/constraints.txt
+    #   fastapi
 urllib3==1.26.9
     # via
     #   -c requirements/../../../packages/dask-task-models-library/requirements/../../../packages/models-library/requirements/../../../requirements/constraints.txt

diff --git a/services/dynamic-sidecar/openapi.json b/services/dynamic-sidecar/openapi.json
@@ -954,7 +954,14 @@
             "title": "Location",
             "type": "array",
             "items": {
-              "type": "string"
+              "anyOf": [
+                {
+                  "type": "string"
+                },
+                {
+                  "type": "integer"
+                }
+              ]
             }
           },
           "msg": {

diff --git a/services/dynamic-sidecar/requirements/_base.txt b/services/dynamic-sidecar/requirements/_base.txt
@@ -124,7 +124,7 @@ docopt==0.6.2
     # via docker-compose
 email-validator==1.2.1
     # via pydantic
-fastapi==0.71.0
+fastapi==0.85.0
     # via
     #   -r requirements/../../../packages/service-library/requirements/_fastapi.in
     #   -r requirements/_base.in
@@ -311,7 +311,7 @@ sqlalchemy==1.4.37
     #   -r requirements/../../../packages/simcore-sdk/requirements/../../../packages/postgres-database/requirements/_base.in
     #   aiopg
     #   alembic
-starlette==0.17.1
+starlette==0.20.4
     # via fastapi
 tenacity==8.0.1
     # via
@@ -344,6 +344,7 @@ typing-extensions==4.3.0
     #   aiodebug
     #   aiodocker
     #   pydantic
+    #   starlette
 urllib3==1.26.9
     # via
     #   -c requirements/../../../packages/models-library/requirements/../../../requirements/constraints.txt

diff --git a/services/storage/requirements/_base.txt b/services/storage/requirements/_base.txt
@@ -217,8 +217,15 @@ typing-extensions==4.3.0
     #   pydantic
     #   types-aiobotocore
     #   types-aiobotocore-s3
-ujson==5.3.0
-    # via aiohttp-swagger
+ujson==5.5.0
+    # via
+    #   -c requirements/../../../packages/models-library/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../packages/postgres-database/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../packages/service-library/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../packages/service-library/requirements/./../../../requirements/constraints.txt
+    #   -c requirements/../../../packages/settings-library/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../requirements/constraints.txt
+    #   aiohttp-swagger
 urllib3==1.26.9
     # via
     #   -c requirements/../../../packages/models-library/requirements/../../../requirements/constraints.txt

diff --git a/services/web/server/requirements/_base.txt b/services/web/server/requirements/_base.txt
@@ -335,8 +335,20 @@ typing-extensions==4.3.0
     # via
     #   aiodebug
     #   pydantic
-ujson==5.3.0
-    # via aiohttp-swagger
+ujson==5.5.0
+    # via
+    #   -c requirements/../../../../packages/models-library/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../../packages/postgres-database/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../../packages/service-library/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../../packages/service-library/requirements/./../../../requirements/constraints.txt
+    #   -c requirements/../../../../packages/settings-library/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../../packages/simcore-sdk/requirements/../../../packages/models-library/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../../packages/simcore-sdk/requirements/../../../packages/postgres-database/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../../packages/simcore-sdk/requirements/../../../packages/service-library/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../../packages/simcore-sdk/requirements/../../../packages/settings-library/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../../packages/simcore-sdk/requirements/../../../requirements/constraints.txt
+    #   -c requirements/../../../../requirements/constraints.txt
+    #   aiohttp-swagger
 urllib3==1.26.11
     # via
     #   -c requirements/../../../../packages/models-library/requirements/../../../requirements/constraints.txt