From fd978cac4736a93f83400147c625d6dd080c89c3 Mon Sep 17 00:00:00 2001
From: Andreas Maier
Date: Sun, 21 Jul 2024 16:46:22 +0200
Subject: [PATCH] Addressed safety issues up to 2024-07-21; Updated dev versions

Signed-off-by: Andreas Maier
---
 .safety-policy.yml | 4 +++
 Makefile | 38 ++++++++++++++++++++-
 dev-requirements.txt | 59 +++++++++++++++----------------
 docs/changes.rst | 2 +-
 minimum-constraints.txt | 75 ++++++++++++++++++++++------------------
 test-requirements.txt | 2 +-
 6 files changed, 111 insertions(+), 69 deletions(-)

diff --git a/.safety-policy.yml b/.safety-policy.yml
index 672c922..afd68e1 100644
--- a/.safety-policy.yml
+++ b/.safety-policy.yml
@@ -56,6 +56,10 @@ security:
 reason: Fixed tqdm version 4.66.3 requires Python>=3.7 and is used there
 71064:
 reason: Fixed requests version 2.32.2 requires Python>=3.8 and is used there
+ 71591:
+ reason: Fixed Jinja2 version 3.1.4 requires Python>=3.7 and is used there
+ 71636:
+ reason: Fixed authlib version 1.3.1 requires Python>=3.8 and is used there
 
 # Continue with exit code 0 when vulnerabilities are found.
 continue-on-vulnerability-error: False
diff --git a/Makefile b/Makefile
index e4186b7..a6d235e 100644
--- a/Makefile
+++ b/Makefile
@@ -248,7 +248,15 @@ dist_included_files := \
 done_dir := done
 
 # Packages whose dependencies are checked using pip-missing-reqs
-check_reqs_packages := pytest coverage coveralls flake8 pylint safety sphinx twine
+ifeq ($(python_mn_version),3.6)
+ check_reqs_packages := pytest coverage coveralls flake8 pylint twine
+else
+ifeq ($(python_mn_version),3.7)
+ check_reqs_packages := pytest coverage coveralls flake8 pylint twine safety
+else
+ check_reqs_packages := pytest coverage coveralls flake8 pylint twine safety sphinx
+endif
+endif
 
 .PHONY: help
 help:
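Review bot: The two new ignore entries `71591:` and `71636:` accept a known-vulnerable Jinja2 (on Python 3.6) and authlib (on Python 3.7) with no `expires:` date, so the exception will silently outlive the interpreter versions it was written for. If the safety release in use honours a per-id `expires:` in this policy format, add one to each new entry (e.g. `expires: 'YYYY-MM-DD'` as a review placeholder) so the exception is re-evaluated rather than forgotten. Each reason should also name where the old version is still pinned, e.g. `reason: Fixed Jinja2 version 3.1.4 requires Python>=3.7; minimum-constraints.txt keeps Jinja2==3.0.0 on Python 3.6`, so the policy and the constraints file can be audited against each other.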
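Review bot: The nested `ifeq` ladder on `python_mn_version` hard-codes the 3.6 and 3.7 cases, and the comment above it no longer says why `safety` and `sphinx` drop out, so the next reader has to reverse-engineer dev-requirements.txt to understand the three lists. A flat form gives the same three results and lets the comment carry the reason: `check_reqs_packages := pytest coverage coveralls flake8 pylint twine`, `check_reqs_packages += $(if $(filter 3.6,$(python_mn_version)),,safety)`, `check_reqs_packages += $(if $(filter 3.6 3.7,$(python_mn_version)),,sphinx)`, preceded by `# safety is installed only on Python>=3.7 and Sphinx only on Python>=3.8 (see dev-requirements.txt)`. This assumes `python_mn_version` holds a bare major.minor string, which is how the hunk already compares it.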
@@ -480,14 +488,23 @@ upload: _check_version $(dist_files)
 html: $(done_dir)/develop_reqs_$(pymn)_$(PACKAGE_LEVEL).done $(doc_build_dir)/html/docs/index.html
 @echo "Makefile: Target $@ done."
 
+# Boolean variable indicating that Sphinx should be run
+# We run Sphinx only on Python>=3.8 because lower Python versions require too old Sphinx versions
+run_sphinx := $(shell $(PYTHON_CMD) -c "import sys; py=sys.version_info[0:2]; sys.stdout.write('true' if py>=(3,8) else 'false')")
+
 $(doc_build_dir)/html/docs/index.html: Makefile $(doc_dependent_files)
+ifeq ($(run_sphinx),true)
 @echo "Makefile: Creating the documentation as HTML pages"
 -$(call RM_FUNC,$@)
 $(doc_cmd) -b html $(doc_opts) $(doc_build_dir)/html
 @echo "Makefile: Done creating the documentation as HTML pages; top level file: $@"
+else
+ @echo "Skipping Sphinx to create the documentation as HTML pages on Python version $(python_version)"
+endif
 
 .PHONY: pdf
 pdf: $(done_dir)/develop_reqs_$(pymn)_$(PACKAGE_LEVEL).done Makefile $(doc_dependent_files)
+ifeq ($(run_sphinx),true)
 @echo "Makefile: Creating the documentation as PDF file"
 -$(call RM_FUNC,$@)
 $(doc_cmd) -b latex $(doc_opts) $(doc_build_dir)/pdf
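Review bot: `run_sphinx` is taken straight from `$(shell $(PYTHON_CMD) -c ...)`, so if `PYTHON_CMD` is missing or the probe fails the variable is empty, every `ifeq ($(run_sphinx),true)` falls through to the skip branch, and the docs targets report success with a misleading "Skipping Sphinx ... on Python version" message instead of failing. Validate the probe result right after the assignment: `ifeq ($(filter true false,$(run_sphinx)),)` / `$(error Makefile: could not determine Python version for run_sphinx, got '$(run_sphinx)')` / `endif`. The previous hunk already derives the same 3.6/3.7 split from `python_mn_version` for `check_reqs_packages`; if that variable is the major.minor string it appears to be, `run_sphinx := $(if $(filter 3.6 3.7,$(python_mn_version)),false,true)` avoids a second interpreter start and keeps one source of truth for the cut-off. Note also that in the skip branch the `$(doc_build_dir)/html/docs/index.html` recipe never creates `$@`, so make re-runs it on every invocation; harmless, but worth a one-line comment.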
@@ -495,37 +512,56 @@ pdf: $(done_dir)/develop_reqs_$(pymn)_$(PACKAGE_LEVEL).done Makefile $(doc_depen
 $(MAKE) -C $(doc_build_dir)/pdf all-pdf
 @echo "Makefile: Done creating the documentation as PDF file in: $(doc_build_dir)/pdf/"
 @echo "Makefile: Target $@ done."
+else
+ @echo "Skipping Sphinx to create the documentation as PDF file on Python version $(python_version)"
+endif
 
 .PHONY: man
 man: $(done_dir)/develop_reqs_$(pymn)_$(PACKAGE_LEVEL).done Makefile $(doc_dependent_files)
+ifeq ($(run_sphinx),true)
 @echo "Makefile: Creating the documentation as man pages"
 -$(call RM_FUNC,$@)
 $(doc_cmd) -b man $(doc_opts) $(doc_build_dir)/man
 @echo "Makefile: Done creating the documentation as man pages in: $(doc_build_dir)/man/"
 @echo "Makefile: Target $@ done."
+else
+ @echo "Skipping Sphinx to create the documentation as man pages on Python version $(python_version)"
+endif
 
 .PHONY: docchanges
 docchanges: $(done_dir)/develop_reqs_$(pymn)_$(PACKAGE_LEVEL).done
+ifeq ($(run_sphinx),true)
 @echo "Makefile: Creating the doc changes overview file"
 $(doc_cmd) -b changes $(doc_opts) $(doc_build_dir)/changes
 @echo
 @echo "Makefile: Done creating the doc changes overview file in: $(doc_build_dir)/changes/"
 @echo "Makefile: Target $@ done."
+else
+ @echo "Skipping Sphinx to create the doc changes overview file on Python version $(python_version)"
+endif
 
 .PHONY: doclinkcheck
 doclinkcheck: $(done_dir)/develop_reqs_$(pymn)_$(PACKAGE_LEVEL).done
+ifeq ($(run_sphinx),true)
 @echo "Makefile: Creating the doc link errors file"
 $(doc_cmd) -b linkcheck $(doc_opts) $(doc_build_dir)/linkcheck
 @echo
 @echo "Makefile: Done creating the doc link errors file: $(doc_build_dir)/linkcheck/output.txt"
 @echo "Makefile: Target $@ done."
+else
+ @echo "Skipping Sphinx to create the doc link errors file on Python version $(python_version)"
+endif
 
 .PHONY: doccoverage
 doccoverage: $(done_dir)/develop_reqs_$(pymn)_$(PACKAGE_LEVEL).done
+ifeq ($(run_sphinx),true)
 @echo "Makefile: Creating the doc coverage results file"
 $(doc_cmd) -b coverage $(doc_opts) $(doc_build_dir)/coverage
 @echo "Makefile: Done creating the doc coverage results file: $(doc_build_dir)/coverage/python.txt"
 @echo "Makefile: Target $@ done."
+else
+ @echo "Skipping Sphinx to create the doc coverage results file on Python version $(python_version)"
+endif
 
 .PHONY: authors
 authors: _check_version original_authors.md
diff --git a/dev-requirements.txt b/dev-requirements.txt
index 0b57e9c..d3b0c04 100644
--- a/dev-requirements.txt
+++ b/dev-requirements.txt
@@ -36,14 +36,11 @@ pytest-cov>=2.7.0
 coveralls>=3.3.0
 
 # Safety CI by pyup.io
-# safety 2.3.5 (only) requires packaging>=21.0,<22.0 and causes pip backtracking of tox
-safety>=2.2.0,!=2.3.5
-# safety 2.2.0 requires dparse>=0.6.2
-dparse>=0.6.2
 # Click is used by safety
-# safety 2.2.0 requires Click >=8.0.2
-Click>=8.0.2
+# Safety is run only on Python >=3.7
+# Safety 3.0.0 requires exact versions of authlib==1.2.0 and jwt==1.3.1.
+safety>=3.0.1; python_version >= '3.7'
 
 # PyYAML is pulled in by dparse
 # PyYAML 5.3.1 addressed issue 38100 reported by safety
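Review bot: The new skip messages in the `pdf`, `man`, `docchanges`, `doclinkcheck` and `doccoverage` targets drop the `Makefile: ` prefix that every other `@echo` in these recipes uses, and the skip branch also omits the closing `Makefile: Target $@ done.` line, so anyone reading or scraping the log loses the per-target bracket exactly in the case that deviates from normal; e.g. `@echo "Makefile: Skipping Sphinx on Python version $(python_version): not creating the documentation as man pages"` followed by the usual done line. The same `ifeq/else/endif` scaffold is now repeated in six rules (counting the `html` index rule in the previous hunk); a single `define`/`$(call)` template for the skip branch would keep the wording consistent. I could not find `python_version` defined in the shown hunks — if the variable is really `python_mn_version`, these messages print an empty version; please confirm. The `pdf` rule this hunk starts in begins in the previous hunk.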
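Review bot: With `safety>=3.0.1; python_version >= '3.7'` the Python 3.6 environment no longer installs safety at all, so it gets no dependency-vulnerability scan, and the comment does not say so; suggest `# Safety is run only on Python >=3.7; Python 3.6 environments are not vulnerability-scanned` — I am assuming the exclusion is driven by safety 3.x's own Python floor, please confirm and state it. The second comment line lists what 3.0.0 requires but not that this is the reason for the `>=3.0.1` floor; `# Safety 3.0.0 (only) requires exact versions of authlib==1.2.0 and jwt==1.3.1, hence >=3.0.1` makes that explicit. The retained `# PyYAML is pulled in by dparse` comment now refers to a package this file no longer lists; dparse is still pinned in minimum-constraints.txt, so the comment is still true but should say the dependency is transitive.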
@@ -57,28 +54,28 @@ PyYAML>=5.3.1
 tox>=3.21.0
 
 # Sphinx (no imports, invoked via sphinx-build script):
-# Sphinx 4.0.0 breaks autodocsumm and needs to be excluded
-# Sphinx 4.0.0,4.0.1 (only) pin Jinja2 to <3.0
-# Sphinx <4.2.0 fails on Python 3.10 because it tries to import non-existing
-# types.Union. This also drives docutils>=0.14.
-# Sphinx 4.4.0 started requiring importlib-metadata>=4.4
-# Sphinx 6.0.0 dropped support for Python <=3.7
-# Sphinx 7.2.0 dropped support for Python 3.8
-Sphinx>=4.2.0,<4.4.0; python_version <= '3.7'
-Sphinx>=4.2.0; python_version >= '3.8'
-docutils>=0.16
-sphinx-git>=10.1.1
-# GitPython 3.1.24 dropped support for Python 3.6
-GitPython>=2.1.1; python_version == '3.6'
-GitPython>=3.1.41; python_version >= '3.7'
-sphinxcontrib-fulltoc>=1.2.0
-sphinxcontrib-websupport>=1.1.2
-Pygments>=2.7.4; python_version == '3.6'
-Pygments>=2.15.0; python_version >= '3.7'
-# sphinx-rtd-theme 2.0.0 requires Sphinx>=5,<8
-sphinx-rtd-theme>=1.0.0
-# Babel 2.7.0 fixes an ImportError for MutableMapping which starts failing on Python 3.10
-Babel>=2.9.1
+# Sphinx is used only on Python>=3.8
+# Sphinx 6.0.0 started requiring Python>=3.8
+# Sphinx 7.2.0 started requiring Python>=3.9
+Sphinx>=7.1.0; python_version == '3.8'
+Sphinx>=7.2.0; python_version >= '3.9'
+# Sphinx 7.1.0 pins docutils to <0.21
+docutils>=0.18.1,<0.21; python_version == '3.8'
+sphinx-git>=10.1.1; python_version >= '3.8'
+GitPython>=3.1.41; python_version >= '3.8'
+Pygments>=2.15.0; python_version >= '3.8'
+sphinx-rtd-theme>=2.0.0; python_version >= '3.8'
+sphinxcontrib-applehelp>=1.0.4; python_version >= '3.8'
+sphinxcontrib-devhelp>=1.0.2; python_version >= '3.8'
+sphinxcontrib-htmlhelp>=2.0.1; python_version >= '3.8'
+sphinxcontrib-jquery>=4.1; python_version >= '3.8'
+sphinxcontrib-jsmath>=1.0.1; python_version >= '3.8'
+sphinxcontrib-qthelp>=1.0.3; python_version >= '3.8'
+sphinxcontrib-serializinghtml>=1.1.5; python_version == '3.8'
+sphinxcontrib-serializinghtml>=1.1.9; python_version >= '3.9'
+sphinxcontrib-websupport>=1.2.4; python_version >= '3.8'
+autodocsumm>=0.2.12; python_version >= '3.8'
+Babel>=2.9.1; python_version >= '3.8'
 
 # PyLint (no imports, invoked via pylint script)
 # Pylint requires astroid
@@ -93,8 +90,8 @@ pylint>=3.0.3; python_version >= '3.12'
 astroid>=2.11.0; python_version == '3.6'
 astroid>=2.12.4; python_version >= '3.7' and python_version <= '3.11'
 astroid>=3.0.2; python_version >= '3.12'
-# astroid 2.13.0 uses typing-extensions on Python<3.11 but misses to require it on 3.10. See https://github.com/PyCQA/astroid/issues/1942
-typing-extensions>=3.10; python_version <= '3.10'
+# astroid 2.13.0 uses typing-extensions on Python<=3.10 but misses to require it. See https://github.com/PyCQA/astroid/issues/1942
+typing-extensions>=3.10; python_version >= '3.6' and python_version <= '3.10'
 # typed-ast is used by astroid on py34..py37
 typed-ast>=1.4.0,<1.5.0; python_version <= '3.7' and implementation_name=='cpython'
 # lazy-object-proxy is used by astroid
@@ -148,7 +145,7 @@ twine>=3.0.0
 # readme-renderer 23.0 has made cmarkgfm part of extras (it fails on Cygwin)
 readme-renderer>=23.0
 
-# packaging>=21.0
+# packaging>=22.0
 
 # Package dependency management tools
 pipdeptree>=2.2.0
diff --git a/docs/changes.rst b/docs/changes.rst
index f165198..efc3ead 100644
--- a/docs/changes.rst
+++ b/docs/changes.rst
@@ -16,7 +16,7 @@ Released: not yet
 
 **Bug fixes:**
 
-* Dev: Fixed safety issues up to 2024-07-09.
+* Fixed safety issues up to 2024-07-21.
 
 **Enhancements:**
 
diff --git a/minimum-constraints.txt b/minimum-constraints.txt
index 926c876..ef65f13 100644
--- a/minimum-constraints.txt
+++ b/minimum-constraints.txt
@@ -50,7 +50,7 @@ virtualenv==20.23.0; python_version >= '3.8'
 
 # Indirect dependencies for test (must be consistent with test-requirements.txt, if present)
 # packaging (used by pytest, safety)
-packaging==21.3
+packaging==22.0
 # pluggy (used by pytest, tox)
 pluggy==0.13.1
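Review bot: `docutils>=0.18.1,<0.21` is declared only for `python_version == '3.8'`, while the minimum-constraints.txt Sphinx hunk in this same patch pins `docutils==0.18.1; python_version >= '3.8'`, so on Python >=3.9 the minimum pin exists but no requirement line carries it. Either add `docutils>=0.18.1; python_version >= '3.9'` here or say in the comment that Sphinx's own docutils requirement is relied on for 3.9+. The comment `# Sphinx 7.1.0 pins docutils to <0.21` would also read better as `# docutils upper bound matches what Sphinx 7.1.0 requires on Python 3.8`, since the line it annotates is the 3.8-only one.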
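Review bot: `typing-extensions>=3.10; python_version >= '3.6' and python_version <= '3.10'` still covers Python 3.10, but the matching pin that the minimum-constraints.txt hunk adds (`typing-extensions==4.7.1; python_version >= '3.7' and python_version <= '3.9'`) stops at 3.9 and the old `==4.6.0; python_version >= '3.7'` pin is removed, so a minimum-versions install on Python 3.10 now has no constraint for this package even though safety (which the new comment says needs >=4.7.1 on py>=3.7) runs there too. If the 3.10 gap is intended, say so in the comment; otherwise widen that constraint marker to `<= '3.10'` to match this line. The added `>= '3.6'` lower bound looks redundant if 3.6 is the lowest supported interpreter, unless it is meant to document the nocaselist floor named in the constraints comment.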
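Review bot: `# packaging>=22.0` is a commented-out requirement that this hunk keeps current without ever enabling it; the real floor is the `packaging>=22.0` line in test-requirements.txt in this same patch, so this line is dead text that will drift again at the next bump. Replace it with a pointer, `# packaging: floor is declared in test-requirements.txt`, or delete it.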
@@ -74,18 +74,19 @@ pytest-cov==2.7.0
 coveralls==3.3.0
 
 # Safety CI by pyup.io
-safety==2.2.0
-dparse==0.6.2
-typer==0.9.0; python_version == '3.6'
+# Safety is run only on Python >=3.7
+safety==3.0.1; python_version >= '3.7'
+safety-schemas==0.0.1; python_version >= '3.7'
+# TODO: Change to dparse 0.6.4 once released
+dparse==0.6.4b0; python_version >= '3.7'
+ruamel.yaml==0.17.21; python_version >= '3.7'
+Authlib==1.2.0; python_version == '3.7'
+Authlib==1.3.1; python_version >= '3.8'
+marshmallow==3.15.0; python_version >= '3.7'
+pydantic==1.10.13; python_version >= '3.7'
 typer==0.12.0; python_version >= '3.7'
 typer-cli==0.12.0; python_version >= '3.7'
 typer-slim==0.12.0; python_version >= '3.7'
-# safety 2.2.0 depends on ruamel.yaml>=0.17.21
-ruamel-yaml==0.17.21
-safety-schemas==0.0.1
-marshmallow==3.15.0
-# dataclasses is used by safety>=2.3.1 on (only) py36
-dataclasses==0.8; python_version == '3.6'
 
 # PyYAML is pulled in by dparse
 PyYAML==5.3.1
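Review bot: `Authlib==1.2.0; python_version == '3.7'` deliberately keeps the version that safety id 71636 reports (the fix, 1.3.1, is on the next line for >=3.8), and nothing here says so, so a reader bumping pins later cannot tell that the 3.7 line is an accepted exception rather than an oversight; add `# Authlib 1.3.1 needs Python>=3.8; 71636 is ignored for 3.7 in .safety-policy.yml` above it. `dparse==0.6.4b0` puts a pre-release into the minimum-constraints set; the TODO is good, but the reason the beta is needed (presumably a safety 3.0.1 requirement) is not stated, and because the pin names the pre-release explicitly pip will install it without `--pre`, so this will quietly stay on a beta until someone acts on the TODO. Consider `# dparse 0.6.4b0 is the first release that <reason placeholder>; TODO: change to 0.6.4 once released`.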
@@ -97,17 +98,25 @@ Click==8.0.2
 tox==3.21.0
 
 # Sphinx (no imports, invoked via sphinx-build script):
-Sphinx==4.2.0
-docutils==0.16
-sphinx-git==10.1.1
-GitPython==2.1.1; python_version == '3.6'
-GitPython==3.1.41; python_version >= '3.7'
-sphinxcontrib-fulltoc==1.2.0
-sphinxcontrib-websupport==1.1.2
-Pygments==2.7.4; python_version == '3.6'
-Pygments==2.15.0; python_version >= '3.7'
-sphinx-rtd-theme==1.0.0
-Babel==2.9.1
+# Sphinx is used only on Python>=3.8
+Sphinx==7.1.0; python_version == '3.8'
+Sphinx==7.2.0; python_version >= '3.9'
+docutils==0.18.1; python_version >= '3.8'
+sphinx-git==10.1.1; python_version >= '3.8'
+GitPython==3.1.41; python_version >= '3.8'
+Pygments==2.15.0; python_version >= '3.8'
+sphinx-rtd-theme==2.0.0; python_version >= '3.8'
+sphinxcontrib-applehelp==1.0.4; python_version >= '3.8'
+sphinxcontrib-devhelp==1.0.2; python_version >= '3.8'
+sphinxcontrib-htmlhelp==2.0.1; python_version >= '3.8'
+sphinxcontrib-jquery==4.1; python_version >= '3.8'
+sphinxcontrib-jsmath==1.0.1; python_version >= '3.8'
+sphinxcontrib-qthelp==1.0.3; python_version >= '3.8'
+sphinxcontrib-serializinghtml==1.1.5; python_version == '3.8'
+sphinxcontrib-serializinghtml==1.1.9; python_version >= '3.9'
+sphinxcontrib-websupport==1.2.4; python_version >= '3.8'
+autodocsumm==0.2.12; python_version >= '3.8'
+Babel==2.9.1; python_version >= '3.8'
 
 # PyLint (no imports, invoked via pylint script) - does not support py3:
 pylint==2.13.0; python_version == '3.6'
@@ -116,8 +125,6 @@ pylint==3.0.3; python_version >= '3.12'
 astroid==2.11.0; python_version == '3.6'
 astroid==2.12.4; python_version >= '3.7' and python_version <= '3.11'
 astroid==3.0.2; python_version >= '3.12'
-typing-extensions==3.10.0; python_version == '3.6'
-typing-extensions==4.6.0; python_version >= '3.7'
 typed-ast==1.4.0; python_version <= '3.7' and implementation_name=='cpython'
 lazy-object-proxy==1.4.3
 wrapt==1.14
@@ -165,26 +172,30 @@ pytz==2019.1
 # colorama (used by tox, pytest)
 colorama==0.4.5
 
+# nocaselist 2.0 requires typing-extensions>=3.10 (on py>=3.6)
+# safety 3.0 requires typing-extensions>=4.7.1 (used on py>=3.7)
+typing-extensions==3.10.0; python_version == '3.6'
+typing-extensions==4.7.1; python_version >= '3.7' and python_version <= '3.9'
+
 # Other indirect dependencies (not in any requirements file):
 alabaster==0.7.9
 appdirs==1.4.4
 attrs==19.2.0
-Authlib==1.2.0
 bleach==3.3.0
 certifi==2023.07.22
 chardet==3.0.3
 distlib==0.3.7
 docopt==0.6.1
 filelock==3.2.0; python_version == '3.6'
-filelock==3.11.0; python_version >= "3.7"
+filelock==3.11.0; python_version >= '3.7'
 gitdb==4.0.1
 # idna>3 requires using requests >=2.26.0
 idna==3.7
-imagesize==0.7.1
+imagesize==1.3.0
 Jinja2==3.0.0; python_version == '3.6'
-Jinja2==3.1.3; python_version >= '3.7'
+Jinja2==3.1.4; python_version >= '3.7'
 keyring==17.0.0
 MarkupSafe==2.0.0
 more-itertools==5.0.0
@@ -203,20 +214,14 @@ requests-toolbelt==0.8.0
 rfc3986==1.3.0
 rich==12.0.0
 smmap==3.0.1
-snowballstemmer==1.2.1
-sphinxcontrib-applehelp==1.0.0
-sphinxcontrib-devhelp==1.0.0
-sphinxcontrib-htmlhelp==2.0.0
-sphinxcontrib-jsmath==1.0.0
-sphinxcontrib-qthelp==1.0.0
-sphinxcontrib-serializinghtml==1.1.5
+snowballstemmer==2.0.0
 toml==0.10.0
 # tomli 2.0.0 removed support for py36
 tomli==1.1.0; python_version == '3.6'
 tomli==2.0.1; python_version >= '3.7'
 tqdm==4.14; python_version == '3.6'
 tqdm==4.66.3; python_version >= '3.7'
-urllib3==1.26.18
+urllib3==1.26.19
 wcwidth==0.1.7
 webencodings==0.5.1
 widgetsnbextension==1.2.6
diff --git a/test-requirements.txt b/test-requirements.txt
index 986322d..45f7e55 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
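Review bot: The untouched `Jinja2==3.0.0; python_version == '3.6'` line next to the bumped `Jinja2==3.1.4; python_version >= '3.7'` is the version that the new .safety-policy.yml ignore 71591 covers, and like the Authlib 3.7 pin it carries no comment tying it to that exception; `# Jinja2 3.1.4 needs Python>=3.7; 71591 is ignored for 3.6 in .safety-policy.yml` above the 3.6 line keeps the pin and the policy auditable together. The typing-extensions pin added at the top of this hunk stops at `<= '3.9'` while the dev-requirements.txt requirement it backs runs through 3.10; that gap is raised on the dev-requirements hunk.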
@@ -28,7 +28,7 @@ virtualenv>=20.23.0; python_version >= '3.8'
 
 # Indirect dependencies with special constraints:
 # packaging (used by pytest, safety)
-packaging>=21.3
+packaging>=22.0
 # pluggy (used by pytest, tox)
 # Pluggy 0.12.0 has a bug causing pytest plugins to fail loading on py38