Bump up the lower bound on ansible-core

This is being done because the pip-audit pre-commit hook identifies a vulnerability in ansible-core version 2.16.13. Note that this requires that we bump up ansible to version 10 since all versions of ansible 9 have a dependency on ~=2.16.X.
cisagov · Nov 8, 2024 · 26a8baf · 26a8baf
1 parent 1845fd7
commit 26a8baf
Showing 1 changed file with 10 additions and 3 deletions.
diff --git a/requirements.txt b/requirements.txt
@@ -8,20 +8,27 @@
 # as using the dnf package manager, and version 8 is currently the
 # oldest supported version.
 #
-# We have tested against version 9.  We want to avoid automatically
+# Version 10 is required because the pip-audit pre-commit hook
+# identifies a vulnerability in ansible-core 2.16.13, but all versions
+# of ansible 9 have a dependency on ~=2.16.X.
+#
+# We have tested against version 10.  We want to avoid automatically
 # jumping to another major version without testing, since there are
 # often breaking changes across major versions.  This is the reason
 # for the upper bound.
-ansible>=8,<10
+ansible>=10,<11
 # ansible-core 2.16.3 through 2.16.6 suffer from the bug discussed in
 # ansible/ansible#82702, which breaks any symlinked files in vars,
 # tasks, etc. for any Ansible role installed via ansible-galaxy.
 # Hence we never want to install those versions.
 #
+# Note that the pip-audit pre-commit hook identifies a vulnerability
+# in ansible-core 2.16.13.
+#
 # Note that any changes made to this dependency must also be made in
 # requirements-test.txt in cisagov/skeleton-ansible-role and
 # .pre-commit-config.yaml in cisagov/skeleton-generic.
-ansible-core>=2.16.7
+ansible-core>2.16.13
 boto3
 docopt
 semver