From 633ec10f9768dd1c0d96a546b3a7c4e43d01da4c Mon Sep 17 00:00:00 2001
From: Eugen C <1533818+armab@users.noreply.github.com>
Date: Wed, 25 Oct 2023 18:50:42 +0100
Subject: [PATCH 1/8] Bump orquesta to v1.6.0

---
 contrib/runners/orquesta_runner/in-requirements.txt | 2 +-
 requirements-pants.txt | 2 +-
 requirements.txt | 2 +-
 st2common/in-requirements.txt | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/contrib/runners/orquesta_runner/in-requirements.txt b/contrib/runners/orquesta_runner/in-requirements.txt
index 3302e48fad..8bf195dae4 100644
--- a/contrib/runners/orquesta_runner/in-requirements.txt
+++ b/contrib/runners/orquesta_runner/in-requirements.txt
@@ -1 +1 @@
-orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.5.0
+orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.6.0
diff --git a/requirements-pants.txt b/requirements-pants.txt
index 3e07857de0..ef04eaaf91 100644
--- a/requirements-pants.txt
+++ b/requirements-pants.txt
@@ -31,7 +31,7 @@ mongoengine
 # networkx version is constrained in orquesta.
 networkx
 orjson
-orquesta @ git+https://github.com/StackStorm/orquesta.git@v1.5.0
+orquesta @ git+https://github.com/StackStorm/orquesta.git@v1.6.0
 # NOTE: Recent version substantially affect the performance and add big import time overhead
 # See https://github.com/StackStorm/st2/issues/4160#issuecomment-394386433 for details
 oslo.config>=1.12.1,<1.13
diff --git a/requirements.txt b/requirements.txt
index bc2bbf4b9c..09beb13d6e 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -37,7 +37,7 @@ nose
 nose-parallel==0.4.0
 nose-timer==1.0.1
 orjson==3.5.2
-orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.5.0
+orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.6.0
 oslo.config>=1.12.1,<1.13
 oslo.utils<5.0,>=4.0.0
 paramiko==2.10.5
diff --git a/st2common/in-requirements.txt b/st2common/in-requirements.txt
index 9580fa2fbe..1daa52fb8e 100644
--- a/st2common/in-requirements.txt
+++ b/st2common/in-requirements.txt
@@ -14,7 +14,7 @@ mongoengine
 networkx
 # used by networkx
 decorator
-orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.5.0
+orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.6.0
 st2-rbac-backend@ git+https://github.com/StackStorm/st2-rbac-backend.git@master
 oslo.config
 paramiko
From 880e5d2c950e2758cd55f248c39073e8e89e7a3c Mon Sep 17 00:00:00 2001
From: Eugen C <1533818+armab@users.noreply.github.com>
Date: Wed, 25 Oct 2023 21:18:44 +0100
Subject: [PATCH 2/8] Try to use python-version dependent requirements

---
 contrib/runners/orquesta_runner/requirements.txt | 2 +-
 fixed-requirements.txt | 5 +++--
 requirements.txt | 5 +++--
 st2common/requirements.txt | 7 ++++---
 4 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/contrib/runners/orquesta_runner/requirements.txt b/contrib/runners/orquesta_runner/requirements.txt
index be64688128..cf26d58430 100644
--- a/contrib/runners/orquesta_runner/requirements.txt
+++ b/contrib/runners/orquesta_runner/requirements.txt
@@ -5,4 +5,4 @@
 # If you want to update depdencies for a single component, modify the
 # in-requirements.txt for that component and then run 'make requirements' to
 # update the component requirements.txt
-orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.5.0
+orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.6.0
diff --git a/fixed-requirements.txt b/fixed-requirements.txt
index 14f562fdec..7b0b07137e 100644
--- a/fixed-requirements.txt
+++ b/fixed-requirements.txt
@@ -27,11 +27,12 @@ lockfile==0.12.2
 MarkupSafe<2.1.0,>=0.23
 mongoengine==0.23.0
 # networkx v2.6 does not support Python3.6. Update networkx to match orquesta
-networkx>=2.5.1,<2.6
+networkx>=2.5.1,<2.6; python_version < '3.7'
+networkx>=2.6<3; python_version >= '3.7'
 # networkx requires decorator>=4.3,<5 which should resolve to version 4.4.2
 # but the wheel on pypi does not say it supports python3.8, so pip gets
 # confused. For now, pin decorator to work around pip's confusion.
-decorator==4.4.2
+decorator==4.4.2; python_version < '3.7'
 # NOTE: Recent version substantially affect the performance and add big import time overhead
 # See https://github.com/StackStorm/st2/issues/4160#issuecomment-394386433 for details
 oslo.config>=1.12.1,<1.13
diff --git a/requirements.txt b/requirements.txt
index 09beb13d6e..55715b4402 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -15,7 +15,7 @@ cffi<1.15.0
 chardet<3.1.0
 ciso8601
 cryptography==3.4.7
-decorator==4.4.2
+decorator==4.4.2; python_version < '3.7'
 dnspython>=1.16.0,<2.0.0
 eventlet==0.30.2
 flex==6.14.1
@@ -32,7 +32,8 @@ lockfile==0.12.2
 logshipper@ git+https://github.com/StackStorm/logshipper.git@stackstorm_patched ; platform_system=="Linux"
 mock==4.0.3
 mongoengine==0.23.0
-networkx>=2.5.1,<2.6
+networkx>=2.5.1,<2.6; python_version < '3.7'
+networkx>=2.6<3; python_version >= '3.7'
 nose
 nose-parallel==0.4.0
 nose-timer==1.0.1
diff --git a/st2common/requirements.txt b/st2common/requirements.txt
index b10f6b5fe1..f27883027b 100644
--- a/st2common/requirements.txt
+++ b/st2common/requirements.txt
@@ -12,7 +12,7 @@ cffi<1.15.0
 chardet<3.1.0
 ciso8601
 cryptography==3.4.7
-decorator==4.4.2
+decorator==4.4.2; python_version < '3.7'
 dnspython>=1.16.0,<2.0.0
 eventlet==0.30.2
 flex==6.14.1
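Review bot: The added line `networkx>=2.6<3; python_version >= '3.7'` is not a well-formed requirement: the two version clauses need a comma between them, `networkx>=2.6,<3; python_version >= '3.7'`, and without it pip's requirement parser is likely to reject the whole file rather than install a wrong version. The same line is added to requirements.txt in the next hunk and to st2common/requirements.txt in the hunk that follows. The marker on `decorator==4.4.2; python_version < '3.7'` also leaves decorator unconstrained on Python 3.8, which is the interpreter the comment directly above it says the pin exists for, so the marker contradicts its own rationale. Both lines are replaced again by later patches in this series, so the breakage is confined to the intermediate commits.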
@@ -25,9 +25,10 @@ jsonschema==2.6.0
 kombu==5.0.2
 lockfile==0.12.2
 mongoengine==0.23.0
-networkx>=2.5.1,<2.6
+networkx>=2.5.1,<2.6; python_version < '3.7'
+networkx>=2.6<3; python_version >= '3.7'
 orjson==3.5.2
-orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.5.0
+orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.6.0
 oslo.config>=1.12.1,<1.13
 paramiko==2.10.5
 pyOpenSSL<=21.0.0
From 4e1314798e21cd800bfd8c4daeccb2bab6aac01a Mon Sep 17 00:00:00 2001
From: Eugen C <1533818+armab@users.noreply.github.com>
Date: Thu, 26 Oct 2023 17:51:16 +0100
Subject: [PATCH 3/8] Update fixate-requirements to handle markers

Make sure lines with markers are considered as unique requirements and can be duplicated
---
 fixed-requirements.txt | 1 +
 scripts/fixate-requirements.py | 9 +++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/fixed-requirements.txt b/fixed-requirements.txt
index 7b0b07137e..ae4921ad2a 100644
--- a/fixed-requirements.txt
+++ b/fixed-requirements.txt
@@ -28,6 +28,7 @@ MarkupSafe<2.1.0,>=0.23
 mongoengine==0.23.0
 # networkx v2.6 does not support Python3.6. Update networkx to match orquesta
 networkx>=2.5.1,<2.6; python_version < '3.7'
+# use patched v2.6 networkx for Python3.8 to match orquesta
 networkx>=2.6<3; python_version >= '3.7'
 # networkx requires decorator>=4.3,<5 which should resolve to version 4.4.2
 # but the wheel on pypi does not say it supports python3.8, so pip gets
diff --git a/scripts/fixate-requirements.py b/scripts/fixate-requirements.py
index e7b8377297..dc34b39ef3 100755
--- a/scripts/fixate-requirements.py
+++ b/scripts/fixate-requirements.py
@@ -136,8 +136,8 @@ def merge_source_requirements(sources):
 # Requirements starting with project name "project ..."
 parsedreq = parse_req_from_line(req.requirement, req.line_source)
 if parsedreq.requirement:
-# Skip already added project name
-if parsedreq.requirement.name in projects:
+# Skip already added project name, unless it has markers
+if parsedreq.requirement.name in projects and not parsedreq.markers:
 continue
 projects.add(parsedreq.requirement.name)
 merged_requirements.append(req)
@@ -181,6 +181,9 @@ def write_requirements(
 if hasattr(req, "requirement"):
 parsedreq = parse_req_from_line(req.requirement, req.line_source)
 project_name = parsedreq.requirement.name
+# consider requirements with markers as unique
+if parsedreq.markers:
+project_name = f"{project_name};{parsedreq.markers}"
 
 if not req.requirement:
 continue
@@ -228,6 +231,8 @@ def write_requirements(
 rline = "-e %s" % (rline)
 elif hasattr(req, "requirement") and req.requirement:
 project = parsedreq.requirement.name
+if parsedreq.markers:
+project = f"{project};{parsedreq.markers}"
 req_obj = fixedreq_hash.get(project, req)
 rline = str(req_obj.requirement)
 
From aa4e19ed4d6f73d8c9d4f1f72a8a43cc20d92fe6 Mon Sep 17 00:00:00 2001
From: Eugen C <1533818+armab@users.noreply.github.com>
Date: Thu, 26 Oct 2023 19:56:46 +0100
Subject: [PATCH 4/8] Alternative: Unpin networkx as it's pinned by orquesta depending on the python version

---
 fixed-requirements.txt | 8 --------
 requirements.txt | 5 ++---
 scripts/fixate-requirements.py | 9 ++-------
 st2common/requirements.txt | 5 ++---
 4 files changed, 6 insertions(+), 21 deletions(-)

diff --git a/fixed-requirements.txt b/fixed-requirements.txt
index ae4921ad2a..ed73e50342 100644
--- a/fixed-requirements.txt
+++ b/fixed-requirements.txt
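Review bot: The de-duplication key in merge_source_requirements (first hunk) no longer agrees with the lookup key in write_requirements (second and third hunks): the first still stores the bare `parsedreq.requirement.name` in `projects` and simply never skips a line that carries markers, while the other two key `fixedreq_hash` on `f"{name};{markers}"`. Consequently two identical marker-bearing lines from different source files are both merged, and a later unmarked line for a project that was previously seen only with markers is dropped even though no entry with its key was emitted. Deriving the key once in a small helper and using it in all three places keeps merging and lookup consistent; the f-string form also relies on the string rendering of `parsedreq.markers` being identical between fixed-requirements.txt and the source file, which presumably holds if it is a normalising marker object but deserves a comment. All three enclosing functions start and end outside these hunks.
```python
def _requirement_key(parsedreq):
    """Identity used for de-duplication and fixed-version lookup.

    A requirement carrying an environment marker is a distinct entry from
    the unmarked one, so the marker text becomes part of the key.
    """
    name = parsedreq.requirement.name
    return f"{name};{parsedreq.markers}" if parsedreq.markers else name

# … unchanged: merge_source_requirements up to the parse_req_from_line call …
            if parsedreq.requirement:
                key = _requirement_key(parsedreq)
                # Skip an entry already added under the same name+markers key
                if key in projects:
                    continue
                projects.add(key)
                merged_requirements.append(req)

# … unchanged: write_requirements up to the parse_req_from_line call …
            project_name = _requirement_key(parsedreq)
# … unchanged: rest of write_requirements; the third hunk's `project = parsedreq.requirement.name` becomes `project = _requirement_key(parsedreq)` …
```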
@@ -26,14 +26,6 @@ lockfile==0.12.2
 # >=0.23 was from jinja2
 MarkupSafe<2.1.0,>=0.23
 mongoengine==0.23.0
-# networkx v2.6 does not support Python3.6. Update networkx to match orquesta
-networkx>=2.5.1,<2.6; python_version < '3.7'
-# use patched v2.6 networkx for Python3.8 to match orquesta
-networkx>=2.6<3; python_version >= '3.7'
-# networkx requires decorator>=4.3,<5 which should resolve to version 4.4.2
-# but the wheel on pypi does not say it supports python3.8, so pip gets
-# confused. For now, pin decorator to work around pip's confusion.
-decorator==4.4.2; python_version < '3.7'
 # NOTE: Recent version substantially affect the performance and add big import time overhead
 # See https://github.com/StackStorm/st2/issues/4160#issuecomment-394386433 for details
 oslo.config>=1.12.1,<1.13
diff --git a/requirements.txt b/requirements.txt
index 55715b4402..f140d80bae 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -15,7 +15,7 @@ cffi<1.15.0
 chardet<3.1.0
 ciso8601
 cryptography==3.4.7
-decorator==4.4.2; python_version < '3.7'
+decorator
 dnspython>=1.16.0,<2.0.0
 eventlet==0.30.2
 flex==6.14.1
@@ -32,8 +32,7 @@ lockfile==0.12.2
 logshipper@ git+https://github.com/StackStorm/logshipper.git@stackstorm_patched ; platform_system=="Linux"
 mock==4.0.3
 mongoengine==0.23.0
-networkx>=2.5.1,<2.6; python_version < '3.7'
-networkx>=2.6<3; python_version >= '3.7'
+networkx
 nose
 nose-parallel==0.4.0
 nose-timer==1.0.1
diff --git a/scripts/fixate-requirements.py b/scripts/fixate-requirements.py
index dc34b39ef3..e7b8377297 100755
--- a/scripts/fixate-requirements.py
+++ b/scripts/fixate-requirements.py
@@ -136,8 +136,8 @@ def merge_source_requirements(sources):
 # Requirements starting with project name "project ..."
 parsedreq = parse_req_from_line(req.requirement, req.line_source)
 if parsedreq.requirement:
-# Skip already added project name, unless it has markers
-if parsedreq.requirement.name in projects and not parsedreq.markers:
+# Skip already added project name
+if parsedreq.requirement.name in projects:
 continue
 projects.add(parsedreq.requirement.name)
 merged_requirements.append(req)
@@ -181,9 +181,6 @@ def write_requirements(
 if hasattr(req, "requirement"):
 parsedreq = parse_req_from_line(req.requirement, req.line_source)
 project_name = parsedreq.requirement.name
-# consider requirements with markers as unique
-if parsedreq.markers:
-project_name = f"{project_name};{parsedreq.markers}"
 
 if not req.requirement:
 continue
@@ -231,8 +228,6 @@ def write_requirements(
 rline = "-e %s" % (rline)
 elif hasattr(req, "requirement") and req.requirement:
 project = parsedreq.requirement.name
-if parsedreq.markers:
-project = f"{project};{parsedreq.markers}"
 req_obj = fixedreq_hash.get(project, req)
 rline = str(req_obj.requirement)
 
diff --git a/st2common/requirements.txt b/st2common/requirements.txt
index f27883027b..637c7b9018 100644
--- a/st2common/requirements.txt
+++ b/st2common/requirements.txt
@@ -12,7 +12,7 @@ cffi<1.15.0
 chardet<3.1.0
 ciso8601
 cryptography==3.4.7
-decorator==4.4.2; python_version < '3.7'
+decorator
 dnspython>=1.16.0,<2.0.0
 eventlet==0.30.2
 flex==6.14.1
@@ -25,8 +25,7 @@ jsonschema==2.6.0
 kombu==5.0.2
 lockfile==0.12.2
 mongoengine==0.23.0
-networkx>=2.5.1,<2.6; python_version < '3.7'
-networkx>=2.6<3; python_version >= '3.7'
+networkx
 orjson==3.5.2
 orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.6.0
 oslo.config>=1.12.1,<1.13
From 7f47b3606fd820c7319096d2a0b426d0d20da584 Mon Sep 17 00:00:00 2001
From: Eugen C <1533818+armab@users.noreply.github.com>
Date: Fri, 27 Oct 2023 13:23:32 +0100
Subject: [PATCH 5/8] Add a Changelog for #6050

---
 CHANGELOG.rst | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index a319356872..80446d85ed 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -6,6 +6,8 @@ in development
 Fixed
 ~~~~~
 
+* Update orquesta to v1.6.0 to fix outdated dependencies (security). #6050
+
 * Fix issue with linux pack actions failed to run remotely due to incorrect python shebang. #5983 #6042
 Contributed by Ronnie Hoffmann (@ZoeLeah Schwarz IT KG)
 
From abf9a808932e593bebebb5455f487fbc105e45be Mon Sep 17 00:00:00 2001
From: Eugen C <1533818+armab@users.noreply.github.com>
Date: Fri, 27 Oct 2023 13:46:26 +0100
Subject: [PATCH 6/8] Use networkx<3 to match orquesta

---
 fixed-requirements.txt | 2 ++
 requirements.txt | 2 +-
 st2common/requirements.txt | 2 +-
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/fixed-requirements.txt b/fixed-requirements.txt
index ed73e50342..b95c54f845 100644
--- a/fixed-requirements.txt
+++ b/fixed-requirements.txt
@@ -26,6 +26,8 @@ lockfile==0.12.2
 # >=0.23 was from jinja2
 MarkupSafe<2.1.0,>=0.23
 mongoengine==0.23.0
+# required by orquesta
+networkx<3
 # NOTE: Recent version substantially affect the performance and add big import time overhead
 # See https://github.com/StackStorm/st2/issues/4160#issuecomment-394386433 for details
 oslo.config>=1.12.1,<1.13
diff --git a/requirements.txt b/requirements.txt
index f140d80bae..05e78d0da0 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -32,7 +32,7 @@ lockfile==0.12.2
 logshipper@ git+https://github.com/StackStorm/logshipper.git@stackstorm_patched ; platform_system=="Linux"
 mock==4.0.3
 mongoengine==0.23.0
-networkx
+networkx<3
 nose
 nose-parallel==0.4.0
 nose-timer==1.0.1
diff --git a/st2common/requirements.txt b/st2common/requirements.txt
index 637c7b9018..93ff1e88d5 100644
--- a/st2common/requirements.txt
+++ b/st2common/requirements.txt
@@ -25,7 +25,7 @@ jsonschema==2.6.0
 kombu==5.0.2
 lockfile==0.12.2
 mongoengine==0.23.0
-networkx
+networkx<3
 orjson==3.5.2
 orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.6.0
 oslo.config>=1.12.1,<1.13
From 6cd25e898a0cdd38987c247984c5b0b32faf6df8 Mon Sep 17 00:00:00 2001
From: Eugen C <1533818+armab@users.noreply.github.com>
Date: Fri, 27 Oct 2023 14:16:16 +0100
Subject: [PATCH 7/8] Revert requirements for decorator, it doesn't affect anything

---
 fixed-requirements.txt | 6 +++++-
 requirements-pants.txt | 2 +-
 requirements.txt | 2 +-
 st2common/requirements.txt | 2 +-
 4 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/fixed-requirements.txt b/fixed-requirements.txt
index b95c54f845..5bd09455a3 100644
--- a/fixed-requirements.txt
+++ b/fixed-requirements.txt
@@ -26,8 +26,12 @@ lockfile==0.12.2
 # >=0.23 was from jinja2
 MarkupSafe<2.1.0,>=0.23
 mongoengine==0.23.0
-# required by orquesta
+# required by orquesta (networkx<2.6 for py3.6, networkx<3 for py3.8)
 networkx<3
+# networkx requires decorator>=4.3,<5 which should resolve to version 4.4.2
+# but the wheel on pypi does not say it supports python3.8, so pip gets
+# confused. For now, pin decorator to work around pip's confusion.
+decorator==4.4.2
 # NOTE: Recent version substantially affect the performance and add big import time overhead
 # See https://github.com/StackStorm/st2/issues/4160#issuecomment-394386433 for details
 oslo.config>=1.12.1,<1.13
diff --git a/requirements-pants.txt b/requirements-pants.txt
index ef04eaaf91..42a4548b5d 100644
--- a/requirements-pants.txt
+++ b/requirements-pants.txt
@@ -29,7 +29,7 @@ mock
 mongoengine
 # Note: networkx v2.6 dropped support for Python3.6
 # networkx version is constrained in orquesta.
-networkx
+networkx<3
 orjson
 orquesta @ git+https://github.com/StackStorm/orquesta.git@v1.6.0
 # NOTE: Recent version substantially affect the performance and add big import time overhead
diff --git a/requirements.txt b/requirements.txt
index 05e78d0da0..1a85346273 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -15,7 +15,7 @@ cffi<1.15.0
 chardet<3.1.0
 ciso8601
 cryptography==3.4.7
-decorator
+decorator==4.4.2
 dnspython>=1.16.0,<2.0.0
 eventlet==0.30.2
 flex==6.14.1
diff --git a/st2common/requirements.txt b/st2common/requirements.txt
index 93ff1e88d5..c0aba3dbb4 100644
--- a/st2common/requirements.txt
+++ b/st2common/requirements.txt
@@ -12,7 +12,7 @@ cffi<1.15.0
 chardet<3.1.0
 ciso8601
 cryptography==3.4.7
-decorator
+decorator==4.4.2
 dnspython>=1.16.0,<2.0.0
 eventlet==0.30.2
 flex==6.14.1
From f0e0bfa829f37240e8d8c44526a82f24cba26154 Mon Sep 17 00:00:00 2001
From: Eugen C <1533818+armab@users.noreply.github.com>
Date: Fri, 27 Oct 2023 15:18:18 +0100
Subject: [PATCH 8/8] Revert networkx version for pants

---
 requirements-pants.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements-pants.txt b/requirements-pants.txt
index 42a4548b5d..ef04eaaf91 100644
--- a/requirements-pants.txt
+++ b/requirements-pants.txt
@@ -29,7 +29,7 @@ mock
 mongoengine
 # Note: networkx v2.6 dropped support for Python3.6
 # networkx version is constrained in orquesta.
-networkx<3
+networkx
 orjson
 orquesta @ git+https://github.com/StackStorm/orquesta.git@v1.6.0
 # NOTE: Recent version substantially affect the performance and add big import time overhead