Fixed safety issues up to 2024-05-17

Signed-off-by: Andreas Maier <maiera@de.ibm.com>
zhmcclient · May 17, 2024 · e0dfc7c · e0dfc7c
1 parent 3b14d94
commit e0dfc7c
Show file tree

Hide file tree

Showing 6 changed files with 41 additions and 10 deletions.
diff --git a/.safety-policy-all.yml b/.safety-policy-all.yml
@@ -120,6 +120,20 @@ security:
             reason: Fixed tornado version 6.3.3 requires Python>=3.8 and is used there
         62044:
             reason: Fixed pip version 23.3 requires Python>=3.7 and is used there
+        63687:
+            reason: Fixed gitpython version 3.1.41 requires Python>=3.7 and is used there
+        64227:
+            reason: Fixed Jinja2 version 3.1.3 requires Python>=3.7 and is used there
+        67599:
+            reason: There is no fixed pip version
+        67884:
+            # TODO: Adjust once we remove stomp-py pinning
+            reason: Fixed stomp-py version 8.1.1 conflicts with our pinning of stomp-py to <7.0.0
+        67894:
+            # TODO: Adjust once we remove stomp-py pinning
+            reason: Fixed stomp-py version 8.1.1 conflicts with our pinning of stomp-py to <7.0.0
+        67895:
+            reason: Fixed idna version 3.7 requires Python>=3.5 and is used there
 
     # Continue with exit code 0 when vulnerabilities are found.
     continue-on-vulnerability-error: False
diff --git a/.safety-policy-install.yml b/.safety-policy-install.yml
@@ -30,6 +30,16 @@ security:
             reason: Fixed Certifi version requires Python>=3.6 and is used there
         52495:
             reason: Fixed Setuptools version requires Python>=3.7 and is used there; Risk is on Pypi side
+        67599:
+            reason: There is no fixed pip version
+        67884:
+            # TODO: Adjust once we remove stomp-py pinning
+            reason: Fixed stomp-py version 8.1.1 conflicts with our pinning of stomp-py to <7.0.0
+        67894:
+            # TODO: Adjust once we remove stomp-py pinning
+            reason: Fixed stomp-py version 8.1.1 conflicts with our pinning of stomp-py to <7.0.0
+        67895:
+            reason: Fixed idna version 3.7 requires requests>=2.26.0 which requires Python>=3.6 and is used there
 
     # Continue with exit code 0 when vulnerabilities are found.
     continue-on-vulnerability-error: False
diff --git a/dev-requirements.txt b/dev-requirements.txt
@@ -95,7 +95,7 @@ Sphinx>=7.2.0; python_version >= '3.9'
 # Sphinx 7.1.0 pins docutils to <0.21
 docutils>=0.18.1,<0.21; python_version == '3.8'
 sphinx-git>=10.1.1; python_version >= '3.8'
-GitPython>=3.1.37; python_version >= '3.8'
+GitPython>=3.1.41; python_version >= '3.8'
 Pygments>=2.15.0; python_version >= '3.8'
 sphinx-rtd-theme>=2.0.0; python_version >= '3.8'
 sphinxcontrib-applehelp>=1.0.4; python_version >= '3.8'
@@ -119,11 +119,11 @@ Babel>=2.9.1; python_version >= '3.8'
 # Issue #2673: Pinning Pylint to <2.7.0 is a circumvention for Pylint issue
 #   https://github.com/PyCQA/pylint/issues/4120 that appears in Pylint 2.7.0.
 #   Pylint 2.10 has fixed the issue.
-pylint>=2.5.2,<2.7.0; python_version == '3.5'
+pylint>=2.6.2,<2.7.0; python_version == '3.5'
 pylint>=2.13.0,<2.14.0; python_version == '3.6'
 pylint>=2.13.0; python_version >= '3.7' and python_version <= '3.10'
 pylint>=2.15.0; python_version >= '3.11'
-astroid>=2.4.0,<2.6.0; python_version == '3.5'
+astroid>=2.4.2,<2.6.0; python_version == '3.5'
 astroid>=2.11.0; python_version >= '3.6' and python_version <= '3.10'
 astroid>=2.12.4; python_version >= '3.11'
 typed-ast>=1.4.0,<1.5.0; python_version >= '3.6' and python_version < '3.8' and implementation_name=='cpython'

diff --git a/docs/changes.rst b/docs/changes.rst
@@ -31,6 +31,8 @@ Released: not yet
 
 **Bug fixes:**
 
+* Fixed safety issues up to 2024-05-17.
+
 * In the Github Actions test workflow for Python 3.5, 3.6 and 3.7, changed
   macos-latest back to macos-12 because macos-latest got upgraded from macOS 12
   to macOS 14 which no longer supports these Python versions.

diff --git a/minimum-constraints.txt b/minimum-constraints.txt
@@ -98,7 +98,8 @@ wheel==0.38.1; python_version >= '3.7'
 decorator==4.0.11
 pytz==2016.10; python_version <= '3.9'
 pytz==2019.1; python_version >= '3.10'
-requests==2.25.0; python_version <= '3.6'
+requests==2.25.0; python_version <= '3.5'
+requests==2.26.0; python_version == '3.6'
 requests==2.31.0; python_version >= '3.7'
 six==1.14.0; python_version <= '3.9'
 six==1.16.0; python_version >= '3.10'
@@ -123,7 +124,9 @@ certifi==2019.9.11; python_version <= '3.5'
 certifi==2023.07.22; python_version >= '3.6'
 chardet==3.0.3
 docopt==0.6.2
-idna==2.5
+# idna>3 requires using requests >=2.26.0
+idna==2.5; python_version <= '3.5'
+idna==3.7; python_version >= '3.6'
 urllib3==1.26.18; python_version == '2.7'
 urllib3==1.26.9; python_version == '3.5'
 urllib3==1.26.18; python_version >= '3.6'
@@ -190,7 +193,7 @@ Sphinx==7.1.0; python_version == '3.8'
 Sphinx==7.2.0; python_version >= '3.9'
 docutils==0.18.1; python_version >= '3.8'
 sphinx-git==10.1.1; python_version >= '3.8'
-GitPython==3.1.37; python_version >= '3.8'
+GitPython==3.1.41; python_version >= '3.8'
 Pygments==2.15.0; python_version >= '3.8'
 sphinx-rtd-theme==2.0.0; python_version >= '3.8'
 sphinxcontrib-applehelp==1.0.4; python_version >= '3.8'
@@ -206,10 +209,10 @@ autodocsumm==0.2.12; python_version >= '3.8'
 Babel==2.9.1; python_version >= '3.8'
 
 # PyLint (no imports, invoked via pylint script):
-pylint==2.5.2; python_version == '3.5'
+pylint==2.6.2; python_version == '3.5'
 pylint==2.13.0; python_version >= '3.6' and python_version <= '3.10'
 pylint==2.15.0; python_version >= '3.11'
-astroid==2.4.0; python_version == '3.5'
+astroid==2.4.2; python_version == '3.5'
 astroid==2.11.0; python_version >= '3.6' and python_version <= '3.10'
 astroid==2.12.4; python_version >= '3.11'
 typed-ast==1.4.0; python_version >= '3.6' and python_version < '3.8' and implementation_name=='cpython'
@@ -335,7 +338,8 @@ imagesize==1.3.0
 importlib-resources==1.4.0
 jedi==0.17.2; python_version >= '3.5'
 Jinja2==2.11.3; python_version <= '3.5'
-Jinja2==3.0.0; python_version >= '3.6'
+Jinja2==3.0.0; python_version == '3.6'
+Jinja2==3.1.3; python_version >= '3.7'
 keyring==18.0.0
 lxml==4.9.2
 MarkupSafe==1.1.1; python_version <= '3.5'

diff --git a/requirements.txt b/requirements.txt
@@ -20,7 +20,8 @@ pytz>=2019.1; python_version >= '3.10'  # MIT
 
 # requests 2.25.0 tolerates urllib3 1.26.5 which is needed on Python 3.10 to
 #   remove ImportWarning in six
-requests>=2.25.0; python_version <= '3.6'
+requests>=2.25.0; python_version <= '3.5'
+requests>=2.26.0; python_version == '3.6'
 requests>=2.31.0; python_version >= '3.7'
 
 # six 1.16.0 removes the ImportWarning raised by Python 3.10