Bump django from 4.2.11 to 4.2.14 in /engine #4656

Closed
wants to merge 2 commits into from

Conversation

dependabot[bot]

@dependabot dependabot bot commented on behalf of github Jul 10, 2024

Bumps django from 4.2.11 to 4.2.14.

Commits
  • 98cf264 [4.2.x] Bumped version for 4.2.14 release.
  • 17358fb [4.2.x] Fixed CVE-2024-39614 -- Mitigated potential DoS in get_supported_lang...
  • 2b00edc [4.2.x] Fixed CVE-2024-39330 -- Added extra file name validation in Storage's...
  • 156d318 [4.2.x] Fixed CVE-2024-39329 -- Standardized timing of verify_password() when ...
  • 79f3687 [4.2.x] Fixed CVE-2024-38875 -- Mitigated potential DoS in urlize and urlizet...
  • 446cdab [4.2.x] Added stub release notes for 4.2.14.
  • d26c883 [4.2.x] Post-release version bump.
  • 3bf46e2 [4.2.x] Bumped version for 4.2.13 release.
  • b46b94e [4.2.x] Added release notes for 4.2.13.
  • 1536833 [4.2.x] Post-release version bump.
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [django](https://github.com/django/django) from 4.2.11 to 4.2.14.
- [Commits](django/django@4.2.11...4.2.14)

---
updated-dependencies:
- dependency-name: django
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot requested a review from a team July 10, 2024 22:10
@dependabot dependabot bot added pr:dependencies Added to a PR that bumps dependency version(s) python Pull requests that update Python code labels Jul 10, 2024
@dependabot dependabot bot temporarily deployed to github-pages July 10, 2024 22:10 Inactive
@joeyorlando joeyorlando added pr:no public docs Added to a PR that does not require public documentation updates release:ignore PR will not be added to release notes labels Jul 24, 2024

dependabot bot commented on behalf of github Aug 7, 2024

A newer version of django exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.

@joeyorlando joeyorlando mentioned this pull request Aug 9, 2024
3 tasks
github-merge-queue bot pushed a commit that referenced this pull request Aug 9, 2024
# What this PR does

_tldr;_ I think we should install `setuptools` into our engine
`Dockerfile` + in our CI env because Python 3.12 no longer installs
`distutils` by default. This should unblock us from being able to merge
#4656 and #4555.

**More details**

I would like to be able to merge #4656 and #4555. _However_, in both of
these PRs `setuptools` is being removed from `requirements-dev.txt`
([here](https://github.com/grafana/oncall/pull/4555/files#diff-d8146d0816a943b0fa69a20399d7bbdb58e1c84c8b7933b2ba6dea7c10c410f5L113-L116)
and
[here](https://github.com/grafana/oncall/pull/4656/files#diff-d8146d0816a943b0fa69a20399d7bbdb58e1c84c8b7933b2ba6dea7c10c410f5L113-L116)).
This leads to things breaking because of:
```bash
File "/opt/hostedtoolcache/Python/3.12.3/x64/lib/python3.12/site-packages/polymorphic/__init__.py", line 9, in <module>
    import pkg_resources
ModuleNotFoundError: No module named 'pkg_resources'
```

-
https://github.com/grafana/oncall/actions/runs/9865348392/job/27242117474?pr=4555#step:5:98
-
https://github.com/grafana/oncall/actions/runs/10078898966/job/27864920455?pr=4656#step:5:100

Python 3.12 made a change to no longer pre-install `distutils`
([relevant release
notes](https://docs.python.org/3/whatsnew/3.12.html#:~:text=The%20third%2Dparty%20Setuptools%20package%20continues%20to%20provide%20distutils%2C%20if%20you%20still%20require%20it%20in%20Python%203.12%20and%20beyond)):
> [PEP 632](https://peps.python.org/pep-0632/): Remove the distutils
package. See [the migration
guide](https://peps.python.org/pep-0632/#migration-advice) for advice
replacing the APIs it provided. The third-party
[Setuptools](https://setuptools.pypa.io/en/latest/deprecated/distutils-legacy.html)
package continues to provide distutils, if you still require it in
Python 3.12 and beyond.
>
> [gh-95299](python/cpython#95299): Do not
pre-install setuptools in virtual environments created with
[venv](https://docs.python.org/3/library/venv.html#module-venv). This
means that distutils, setuptools, pkg_resources, and easy_install will
no longer be available by default; to access these run pip install
setuptools in the
[activated](https://docs.python.org/3/library/venv.html#venv-explanation)
virtual environment.

Additionally, `setuptools` is in `pip-tools` `UNSAFE_PACKAGES` list
([related GitHub
issue](pypa/pipenv#1417 (comment))),
hence why I think Dependabot is removing it in #4656 and #4555.

## Checklist

- [x] Unit, integration, and e2e (if applicable) tests updated
- [x] Documentation added (or `pr:no public docs` PR label added if not
required)
- [x] Added the relevant release notes label (see labels prefixed w/
`release:`). These labels dictate how your PR will
    show up in the autogenerated release notes.
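
A pre-merge check for the failure mode described in the commit message above, added here as an example (it is not code from the oncall repository or from Dependabot). It flags source files that import modules only `setuptools` provides when the target is Python 3.12+ and the compiled requirements file no longer pins `setuptools`. The function names, the sample file contents and the `0.0.0` pin are constructed, and it assumes environments older than 3.12 still ship these modules.

```python
import ast
import re

# Modules the quoted 3.12 release notes say are no longer available by default.
SETUPTOOLS_PROVIDED = {"pkg_resources", "distutils", "setuptools", "easy_install"}

# Constructed sample: pip-compile style output where setuptools was stripped
# and survives only as a comment.
REQ_STRIPPED = """\
django==4.2.14
django-polymorphic==0.0.0  # constructed placeholder pin
# The following packages are considered to be unsafe in a requirements file:
# setuptools
"""
# Constructed sample sources; the first mirrors the import shown in the traceback.
SAMPLE_SOURCES = {
    "polymorphic/__init__.py": "import pkg_resources\n",
    "app/views.py": "from django.http import HttpResponse\n",
}

def legacy_imports(source):
    """Return the top-level modules from SETUPTOOLS_PROVIDED that `source` imports."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names = [node.module]
        else:
            continue
        found.update(name.split(".")[0] for name in names)
    return found & SETUPTOOLS_PROVIDED

def pins_setuptools(requirements):
    """True if a non-comment line requires setuptools itself (not setuptools-scm etc.)."""
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()
        if re.match(r"(?i)setuptools\s*(\[.*\])?\s*([=<>!~]=?|$)", line):
            return True
    return False

def audit(py_version, requirements, sources):
    """Map file name -> legacy modules expected to raise ModuleNotFoundError."""
    if py_version < (3, 12) or pins_setuptools(requirements):
        return {}
    hits = {name: legacy_imports(src) for name, src in sources.items()}
    return {name: mods for name, mods in hits.items() if mods}
```
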
@joeyorlando

@dependabot recreate


dependabot bot commented on behalf of github Aug 9, 2024

Superseded by #4801.

@dependabot dependabot bot closed this Aug 9, 2024
@dependabot dependabot bot deleted the dependabot/pip/engine/django-4.2.14 branch August 9, 2024 20:22