
upgrade requests to 2.32.2 #4772

Merged: 3 commits (issue-4771 into production), May 24, 2024

Conversation

@acwhite211 (Member) commented Apr 10, 2024

Fixes #4771

Upgrades the Python library 'requests' from version 2.28.1 to at least version 2.31.0 or later in order to fix the security vulnerability pointed out here

Checklist

  • Self-review the PR after opening it to make sure the changes look good
    and self-explanatory (or properly documented)
  • Add relevant issue to release milestone

Testing instructions

There is no specific test to perform. Testing for this PR will be covered in the general testing checklist.
For now, test:

  • Simple queries work in the QB
  • Opening forms work
  • Viewing trees work
  • Create a report
  • Create or Delete attachment

@acwhite211 acwhite211 added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Apr 10, 2024
@acwhite211 acwhite211 added this to the 7.9.6 milestone Apr 10, 2024
@acwhite211 acwhite211 self-assigned this Apr 10, 2024
@acwhite211 acwhite211 marked this pull request as ready for review May 21, 2024 17:28
@melton-jason (Contributor) commented:

Fixes #4771

Upgrades the Python library 'requests' from version 2.28.1 to at least version 2.31.0 or later in order to fix the security vulnerability pointed out here

Is this the right link to the dependabot alert? https://github.com/specify/specify7-test-panel/security/dependabot/19

That alert is on the test panel repository, and unrelated to Python and the requests library.
There are currently two dependabot alerts for the requests library:
https://github.com/specify/specify7/security/dependabot?q=is%3Aopen+package%3Arequests+

Both recommend upgrading to 2.32.0 (although https://github.com/specify/specify7/security/dependabot/67 was patched in 2.31.0).
Are there any issues with instead updating to 2.32.0?

@acwhite211 (Member, Author) commented May 21, 2024

Are there any issues with instead updating to 2.32.0?

@melton-jason Looks like version 2.32.0 for the requests module just got pushed two days ago. I'll go ahead and update it to 2.32.2

https://pypi.org/project/requests/#history

Lol, they yanked 2.32.0 and 2.32.1 releases... we've never done that 😆
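The two points raised in this thread (the pin must be at or above the version the advisory was fixed in, and the chosen release must not be one PyPI has yanked) can be checked mechanically. The script below is an added example and is not part of the specify7 PR or the project's code. It uses only the standard library; the release table is constructed to mirror the shape of PyPI's JSON API (`releases` map, per-file `yanked` flag) rather than fetched from pypi.org, and the requirements text is a constructed sample, not specify7's requirements file. The yanked flags on 2.32.0 and 2.32.1 reflect the remark above, not a live PyPI snapshot.

```python
"""Audit a '==' pin against an advisory's fixed version and PyPI yank status.

Added example, not code from the specify7 repository.  SAMPLE_RELEASES and
SAMPLE_REQUIREMENTS are constructed inputs; nothing here touches the network.
"""
import re

# Constructed: same shape as the "releases" object in
# https://pypi.org/pypi/requests/json (version -> list of files, each with
# a "yanked" flag).  Values are illustrative of the thread, not a PyPI snapshot.
SAMPLE_RELEASES = {
    "2.28.1": [{"yanked": False}],
    "2.31.0": [{"yanked": False}],
    "2.32.0": [{"yanked": True, "yanked_reason": "constructed example"}],
    "2.32.1": [{"yanked": True, "yanked_reason": "constructed example"}],
    "2.32.2": [{"yanked": False}],
}

# Constructed requirements.txt excerpt (hypothetical, not specify7's file).
SAMPLE_REQUIREMENTS = """\
# web stack
Django==4.2.11
requests==2.28.1   # pinned for reproducible builds
mysqlclient>=2.1
"""

_RELEASE_RE = re.compile(r"^\d+(\.\d+)*$")
_PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*==\s*([^\s;]+)")


def parse_version(text):
    """Parse a plain release version ('2.32.2') into a comparable tuple.

    Pre-/post-release suffixes are rejected instead of being mis-ordered;
    short forms are padded so that '2.32' == '2.32.0'.
    """
    text = text.strip()
    if not _RELEASE_RE.match(text):
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def pinned_version(requirements_text, package):
    """Return the '==' pin for `package` in requirements text, or None."""
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = _PIN_RE.match(line)
        if m and m.group(1).lower() == package.lower():
            return m.group(2)
    return None


def is_yanked(releases, version):
    """A release is yanked when every file published for it is yanked."""
    files = releases.get(version, [])
    return bool(files) and all(f.get("yanked", False) for f in files)


def safe_upgrade_target(releases, minimum):
    """Lowest non-yanked release >= `minimum`, or None if there is none."""
    min_t = parse_version(minimum)
    candidates = []
    for version, files in releases.items():
        try:
            vt = parse_version(version)
        except ValueError:
            continue  # skip pre-releases and other non-final versions
        if vt >= min_t and files and not is_yanked(releases, version):
            candidates.append((vt, version))
    return min(candidates)[1] if candidates else None


def audit_pin(requirements_text, package, fixed_in, releases):
    """Classify the pin as unpinned / vulnerable / yanked / ok and recommend a target."""
    pin = pinned_version(requirements_text, package)
    result = {"package": package, "pinned": pin, "fixed_in": fixed_in}
    if pin is None:
        result["status"] = "unpinned"
    elif parse_version(pin) < parse_version(fixed_in):
        result["status"] = "vulnerable"
    elif is_yanked(releases, pin):
        result["status"] = "yanked"
    else:
        result["status"] = "ok"
    result["recommended"] = safe_upgrade_target(releases, fixed_in)
    return result


if __name__ == "__main__":
    # One alert fixed in 2.31.0, one in 2.32.0, as described in the thread.
    for fixed in ("2.31.0", "2.32.0"):
        print(audit_pin(SAMPLE_REQUIREMENTS, "requests", fixed, SAMPLE_RELEASES))
```

With the sample inputs, the 2.31.0 alert recommends 2.31.0 itself, while the 2.32.0 alert skips the two yanked releases and lands on 2.32.2, which is the pin the PR ended up with. To run this against real data, replace `SAMPLE_RELEASES` with the `releases` object from PyPI's JSON endpoint for the package.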

@acwhite211 acwhite211 requested a review from emenslin May 22, 2024 19:52
@emenslin (Collaborator) left a review comment:

Testing instructions

There is no specific test to perform. Testing for this PR will be covered in the general testing checklist.
For now, test:

  • Simple queries work in the QB
  • Opening forms work
  • Viewing trees work

Collectors and groups subforms are broken again

(Two screen recordings attached: pySMYEM8Nt.mp4, RHYKUIgz8P.mp4)

@melton-jason melton-jason changed the title upgrade requests to 2.31.0 upgrade requests to 2.32.2 May 23, 2024
@melton-jason (Contributor) commented:

@emenslin

Looks like this PR was based from an old commit (from April 10) and had not been merged with production since then.
Now that this branch has been updated, can this be tested again?

@emenslin (Collaborator) left a review comment:

Testing instructions

There is no specific test to perform. Testing for this PR will be covered in the general testing checklist.
For now, test:

  • Simple queries work in the QB
  • Opening forms work
  • Viewing trees work

Looks good!

@emenslin emenslin requested a review from a team May 23, 2024 19:42
@realVinayak (Collaborator) commented:

None of those tests use requests explicitly, AFAIK.

  1. try making reports
  2. try deleting attachments
  3. try SSO login

@acwhite211 acwhite211 merged commit 41a222e into production May 24, 2024
9 checks passed
@acwhite211 acwhite211 deleted the issue-4771 branch May 24, 2024 16:34
Linked issue: #4771 Upgrade requests library to v2.31.0 or later
6 participants