-
-
Notifications
You must be signed in to change notification settings - Fork 584
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make actions happy #2311
Open
matthewhughes934
wants to merge
6
commits into
PyCQA:main
Choose a base branch
from
matthewhughes934:make-actions-happy
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Make actions happy #2311
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This requires handling upstream (see linked issue), trying to bump this dependency errored with: Because mkdocs-material (9.5.32) depends on mkdocs (>=1.6,<2.0) and portray (1.8.0) depends on mkdocs (>=1.3.0,<1.4.0), mkdocs-material (9.5.32) is incompatible with portray (1.8.0). And because no versions of portray match >1.8.0, mkdocs-material (9.5.32) is incompatible with portray (>=1.8.0). So, because isort depends on both portray (>=1.8.0) and mkdocs-material (9.5.32), version solving failed.
Bump `jinja` -> Vulnerability found in jinja2 version 3.1.3 Vulnerability ID: 71591 Affected spec: <3.1.4 ADVISORY: Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute... CVE-2024-34064 For more information, please visit https://data.safetycli.com/v/71591/f17 Bump `anyio` -> Vulnerability found in anyio version 4.1.0 Vulnerability ID: 71199 Affected spec: <4.4.0 ADVISORY: Anyio version 4.4.0 addresses a thread race condition in `_eventloop.get_asynclib()` that caused crashes when multiple event loops... PVE-2024-71199 For more information, please visit https://data.safetycli.com/v/71199/f17 Bump `bandit` -> Vulnerability found in bandit version 1.7.6 Vulnerability ID: 64484 Affected spec: <1.7.7 ADVISORY: Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing... PVE-2024-64484 For more information, please visit https://data.safetycli.com/v/64484/f17 Bump `certifi` -> Vulnerability found in certifi version 2023.11.17 Vulnerability ID: 72083 Affected spec: >=2021.05.30,<2024.07.04 ADVISORY: Certifi affected versions recognized root certificates from GLOBALTRUST. Certifi patch removes these root certificates from the root... CVE-2024-39689 For more information, please visit https://data.safetycli.com/v/72083/f17 Bump `idna` -> Vulnerability found in idna version 3.6 Vulnerability ID: 67895 Affected spec: <3.7 ADVISORY: Affected versions of Idna are vulnerable to Denial Of Service via the idna.encode(), where a specially crafted argument could... CVE-2024-3651 For more information, please visit https://data.safetycli.com/v/67895/f17 Bump `requests` -> Vulnerability found in requests version 2.31.0 Vulnerability ID: 71064 Affected spec: <2.32.2 ADVISORY: Affected versions of Requests, when making requests through a Requests `Session`, if the first request is made with `verify=False` to... CVE-2024-35195 For more information, please visit https://data.safetycli.com/v/71064/f17 Bump `setuptools` -> Vulnerability found in requests version 2.31.0 Vulnerability ID: 71064 Affected spec: <2.32.2 ADVISORY: Affected versions of Requests, when making requests through a Requests `Session`, if the first request is made with `verify=False` to... CVE-2024-35195 For more information, please visit https://data.safetycli.com/v/71064/f17 Bump `tornado` -> Vulnerability found in tornado version 6.4 Vulnerability ID: 71957 Affected spec: <=6.4.0 ADVISORY: When Tornado receives a request with two Transfer-Encoding: chunked headers, it ignores them both. This enables request smuggling when... PVE-2024-71957 For more information, please visit https://data.safetycli.com/v/71957/f17 -> Vulnerability found in tornado version 6.4 Vulnerability ID: 71956 Affected spec: <6.4.1 ADVISORY: Tornado’s curl_httpclient.CurlAsyncHTTPClient class is vulnerable to CRLF (carriage return/line feed) injection in the request... PVE-2024-71956 For more information, please visit https://data.safetycli.com/v/71956/f17 Bump `urllib3` -> Vulnerability found in urllib3 version 2.1.0 Vulnerability ID: 71608 Affected spec: >=2.0.0a1,<=2.2.1 ADVISORY: Urllib3's ProxyManager ensures that the Proxy-Authorization header is correctly directed only to configured proxies. However, when... CVE-2024-37891 For more information, please visit https://data.safetycli.com/v/71608/f17 Bump `zipp` -> Vulnerability found in zipp version 3.17.0 Vulnerability ID: 72132 Affected spec: <3.19.1 ADVISORY: A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library. The vulnerability is triggered when processing a... CVE-2024-5569 For more information, please visit https://data.safetycli.com/v/72132/f17 Bump `virutalenv` -> Vulnerability found in virtualenv version 20.25.0 Vulnerability ID: 73456 Affected spec: <20.26.6 ADVISORY: Affected versions of the virtualenv package are vulnerable to command injection. This vulnerability could allow an attacker to execute arbitrary commands by exploiting improperly quoted string placeholders in activation scripts. The vulnerable functions include various shell activation scripts where placeholders like __VIRTUAL_ENV__ are used. The exploitability depends on the ability to control the input to these placeholders. Users are advised to update to the version where a quoting mechanism has been implemented to mitigate this... PVE-2024-73456 For more information, please visit https://data.safetycli.com/v/73456/f17
-> Vulnerability found in black version 23.11.0 Vulnerability ID: 66742 Affected spec: <24.3.0 ADVISORY: Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the... CVE-2024-21503 For more information, please visit https://data.safetycli.com/v/66742/f17 Also re-run `black` to pick up any changes from the new version and update some unit test that relied on how black formats.
`pipx` is installed on all the runners by default, but using this means `pipx` is run with the system Python, and not the one installed with `steup-python`. This was noticed when e.g. the MacOS Python 3.9 job would report: creating virtual environment... creating shared libraries... upgrading shared libraries... installing poetry... done! ✨ 🌟 ✨ installed package poetry 1.3.1, installed using Python 3.13.0 These apps are now globally available - poetry Poetry (version 1.3.1) Python 3.13.0 is the system version pre-installed on these runners[1], and a similar pattern was seen on the Ubuntu and Windows runners. An alternative would be to add an install step for `pipx` but this feels simpler Link: https://github.com/actions/runner-images/blob/de16eefce8361c24c716958843d8c87cb1c25990/images/macos/macos-14-Readme.md [1]
This is to address an error seen on some Python 3.12 runners: <-- SNIP --> File "/Library/Frameworks/Python.framework/Versions/3.12/lib/python3.12/site-packages/pip/_vendor/pkg_resources/__init__.py", line 2164, in <module> register_finder(pkgutil.ImpImporter, find_on_path) ^^^^^^^^^^^^^^^^^^^ AttributeError: module 'pkgutil' has no attribute 'ImpImporter'. Did you mean: 'zipimporter'? ^^^^^^^^^^^^^^^^^^^ This looks to be the issue[1] fixed in Pip 23.2 so use that verison Link: pypa/pip#11501 [1]
It complained about an else-return issue[1] and some commented-out code Link: https://pylint.pycqa.org/en/latest/user_guide/messages/refactor/no-else-return.html [1]
Closed
eirnym
approved these changes
Dec 10, 2024
I've also created a separate fork https://github.com/matthewhughes934/isort-fork where I've done some more work on dependencies: bringing everything up to date and including |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Ignore security issue with
mkdocs-material
This requires handling upstream (see linked issue), trying to bump this
dependency errored with:
Bump some dependencies for security fixes
Bump
jinja
Bump
anyio
Bump
bandit
Bump
certifi
Bump
idna
Bump
requests
Bump
setuptools
Bump
tornado
Bump
urllib3
Bump
zipp
Bump
virutalenv
Update
black
Also re-run
black
to pick up any changes from the new version andupdate some unit test that relied on how black formats.
CI: use
pip
over `pipx for poetry installpipx
is installed on all the runners by default, but using this meanspipx
is run with the system Python, and not the one installed withsteup-python
. This was noticed when e.g. the MacOS Python 3.9 jobwould report:
Python 3.13.0 is the system version pre-installed on these runners[1],
and a similar pattern was seen on the Ubuntu and Windows runners. An
alternative would be to add an install step for
pipx
but this feelssimpler
Link: https://github.com/actions/runner-images/blob/de16eefce8361c24c716958843d8c87cb1c25990/images/macos/macos-14-Readme.md [1]
Update
pip
for GitHub runnerThis is to address an error seen on some Python 3.12 runners:
This looks to be the issue[1] fixed in Pip 23.2 so use that verison
Link: pip's vendored pkg_resources should stop using pkgutil.ImpImporter pypa/pip#11501 [1]
Update code to address
deepsource
errorsIt complained about an else-return issue[1] and some commented-out code
Link: https://pylint.pycqa.org/en/latest/user_guide/messages/refactor/no-else-return.html [1]