fix(security): upgrade all dependencies, incl. python-jose v3.3 → v3.4

done: - add `defusedxml>=0.8.0rc2` to requirements.in so it doesn't get downgraded to 0.7.1 as 0.8.0rc2 is a pre-release - update dependencies to latest - docker compose up --build - docker exec -it kukkuu-backend bash - pip install pip-tools - pip-compile requirements.in --upgrade - pip-compile requirements-dev.in --upgrade - pip-compile requirements-prod.in --upgrade - update .pre-commit-config.yaml versions to latest - update update requirements-not-from-pypi.txt versions to latest - `ruff format` - `ruff check --fix` refs KK-1421
City-of-Helsinki · Feb 20, 2025 · 6effbf6 · 6effbf6
1 parent b676ce5
commit 6effbf6
Show file tree

Hide file tree

Showing 6 changed files with 41 additions and 38 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -12,15 +12,15 @@ repos:
     # the ruff's version line, it is used by test_pre_commit_ruff_version.py
     # test case in order not to have to add a YAML library dependency just
     # to test this version:
-    rev: v0.8.4 # ruff-pre-commit version
+    rev: v0.9.6 # ruff-pre-commit version
     hooks:
       # Run the linter
       - id: ruff
         args: [--fix]
       # Run the formatter
       - id: ruff-format
   - repo: https://github.com/compilerla/conventional-pre-commit
-    rev: v3.4.0
+    rev: v4.0.0
     hooks:
       - id: conventional-pre-commit
         stages: [commit-msg]

diff --git a/requirements-dev.txt b/requirements-dev.txt
@@ -6,19 +6,19 @@
 #
 asttokens==3.0.0
     # via stack-data
-certifi==2024.12.14
+certifi==2025.1.31
     # via
     #   -c /app/requirements.txt
     #   requests
 charset-normalizer==3.4.1
     # via
     #   -c /app/requirements.txt
     #   requests
-coverage[toml]==7.6.10
+coverage[toml]==7.6.12
     # via pytest-cov
 decorator==5.1.1
     # via ipython
-executing==2.1.0
+executing==2.2.0
     # via stack-data
 fastdiff==0.3.0
     # via snapshottest
@@ -30,7 +30,7 @@ idna==3.10
     #   requests
 iniconfig==2.0.0
     # via pytest
-ipython==8.31.0
+ipython==8.32.0
     # via -r requirements-dev.in
 jedi==0.19.2
     # via ipython
@@ -46,13 +46,13 @@ pexpect==4.9.0
     # via ipython
 pluggy==1.5.0
     # via pytest
-prompt-toolkit==3.0.48
+prompt-toolkit==3.0.50
     # via ipython
 ptyprocess==0.7.0
     # via pexpect
 pure-eval==0.2.3
     # via stack-data
-pygments==2.18.0
+pygments==2.19.1
     # via ipython
 pytest==8.3.4
     # via
@@ -61,7 +61,7 @@ pytest==8.3.4
     #   pytest-django
 pytest-cov==6.0.0
     # via -r requirements-dev.in
-pytest-django==4.9.0
+pytest-django==4.10.0
     # via -r requirements-dev.in
 python-dateutil==2.9.0.post0
     # via
@@ -78,9 +78,9 @@ requests==2.32.3
     #   responses
 requests-mock==1.12.1
     # via -r requirements-dev.in
-responses==0.25.3
+responses==0.25.6
     # via -r requirements-dev.in
-ruff==0.8.4
+ruff==0.9.6
     # via -r requirements-dev.in
 six==1.17.0
     # via

diff --git a/requirements-not-from-pypi.txt b/requirements-not-from-pypi.txt
@@ -7,4 +7,4 @@
 # Because requirements-dev.in includes requirements.txt as a constraint
 # using "-c requirements.txt" an editable package can not be put into it
 # or its source file requirements.in.
--e git+https://github.com/City-of-Helsinki/django-auditlog-extra.git@191cb992b7bab0f8c334628f23f6f12b24e92773#egg=django-auditlog-extra
+-e git+https://github.com/City-of-Helsinki/django-auditlog-extra.git@bc5202cc4cd1bb6125874a624f1b4c8796ebc304#egg=django-auditlog-extra
diff --git a/requirements.in b/requirements.in
@@ -1,3 +1,4 @@
+defusedxml>=0.8.0rc2  # Allow pre-release version, please remove when stable up-to-date
 django-auditlog
 django-cleanup
 django-cors-headers

diff --git a/requirements.txt b/requirements.txt
@@ -8,21 +8,21 @@ asgiref==3.8.1
     # via
     #   django
     #   django-cors-headers
-attrs==24.3.0
+attrs==25.1.0
     # via
     #   jsonschema
     #   referencing
-authlib==1.4.0
+authlib==1.4.1
     # via drf-oidc-auth
 azure-core==1.32.0
     # via
     #   azure-storage-blob
     #   django-storages
-azure-storage-blob==12.24.0
+azure-storage-blob==12.24.1
     # via django-storages
-cachetools==5.5.0
+cachetools==5.5.1
     # via django-helusers
-certifi==2024.12.14
+certifi==2025.1.31
     # via
     #   requests
     #   sentry-sdk
@@ -38,11 +38,12 @@ cryptography==44.0.1
     #   social-auth-core
 defusedxml==0.8.0rc2
     # via
+    #   -r requirements.in
     #   python3-openid
     #   social-auth-core
 deprecation==2.1.0
     # via django-helusers
-django==4.2.18
+django==4.2.19
     # via
     #   -r requirements.in
     #   django-anymail
@@ -70,13 +71,13 @@ django-auditlog==3.0.0
     # via -r requirements.in
 django-cleanup==9.0.0
     # via -r requirements.in
-django-cors-headers==4.6.0
+django-cors-headers==4.7.0
     # via -r requirements.in
 django-csp==3.8
     # via -r requirements.in
-django-environ==0.11.2
+django-environ==0.12.0
     # via -r requirements.in
-django-filter==24.3
+django-filter==25.1
     # via -r requirements.in
 django-graphql-jwt==0.4.0
     # via -r requirements.in
@@ -96,7 +97,7 @@ django-parler==2.3
     # via
     #   -r requirements.in
     #   django-ilmoitin
-django-storages[azure]==1.14.4
+django-storages[azure]==1.14.5
     # via -r requirements.in
 djangorestframework==3.15.2
     # via
@@ -110,9 +111,9 @@ drf-spectacular==0.28.0
     # via -r requirements.in
 ecdsa==0.19.0
     # via python-jose
-factory-boy==3.3.1
+factory-boy==3.3.3
     # via -r requirements.in
-faker==33.1.0
+faker==36.1.1
     # via factory-boy
 graphene==3.4.3
     # via
@@ -124,7 +125,7 @@ graphene-django==3.2.2
     #   django-graphql-jwt
 graphene-file-upload==1.3.0
     # via -r requirements.in
-graphql-core==3.2.5
+graphql-core==3.2.6
     # via
     #   graphene
     #   graphene-django
@@ -161,13 +162,13 @@ oauthlib==3.2.2
     #   social-auth-core
 packaging==24.2
     # via deprecation
-pillow==11.0.0
+pillow==11.1.0
     # via -r requirements.in
 promise==2.3
     # via graphene-django
 psycopg2==2.9.10
     # via -r requirements.in
-pyasn1==0.6.1
+pyasn1==0.4.8
     # via
     #   python-jose
     #   rsa
@@ -182,19 +183,18 @@ pyjwt==2.10.1
 python-dateutil==2.9.0.post0
     # via
     #   django-auditlog
-    #   faker
     #   graphene
-python-jose==3.3.0
+python-jose==3.4.0
     # via django-helusers
 python3-openid==3.2.0
     # via social-auth-core
-pytz==2024.2
+pytz==2025.1
     # via -r requirements.in
 pyyaml==6.0.2
     # via drf-spectacular
 qrcode==8.0
     # via -r requirements.in
-referencing==0.35.1
+referencing==0.36.2
     # via
     #   jsonschema
     #   jsonschema-specifications
@@ -215,7 +215,7 @@ rpds-py==0.22.3
     #   referencing
 rsa==4.9
     # via python-jose
-sentry-sdk==2.19.2
+sentry-sdk==2.22.0
     # via -r requirements.in
 six==1.17.0
     # via
@@ -224,9 +224,9 @@ six==1.17.0
     #   graphene-file-upload
     #   promise
     #   python-dateutil
-social-auth-app-django==5.4.2
+social-auth-app-django==5.4.3
     # via -r requirements.in
-social-auth-core==4.5.4
+social-auth-core==4.5.6
     # via social-auth-app-django
 sqlparse==0.5.3
     # via django
@@ -236,8 +236,10 @@ typing-extensions==4.12.2
     # via
     #   azure-core
     #   azure-storage-blob
-    #   faker
     #   graphene
+    #   referencing
+tzdata==2025.1
+    # via faker
 uritemplate==4.1.1
     # via drf-spectacular
 urllib3==2.3.0

diff --git a/subscriptions/tests/utils.py b/subscriptions/tests/utils.py
@@ -6,6 +6,6 @@ def assert_child_has_subscriptions(child, subscriptions):
         subscriptions = {subscriptions} if subscriptions else {}
     subscription_ids = {s.pk for s in child.free_spot_notification_subscriptions.all()}
     expected_ids = {s.pk for s in subscriptions}
-    assert (
-        subscription_ids == expected_ids
-    ), f"Subscriptions IDs {subscription_ids} do not match expected {expected_ids}"
+    assert subscription_ids == expected_ids, (
+        f"Subscriptions IDs {subscription_ids} do not match expected {expected_ids}"
+    )