Dependency Version Bumps for Security and Maintenance #177
Open
ksylvan wants to merge 22 commits into evil-mad:master from
Bumps [pyinstaller](https://github.com/pyinstaller/pyinstaller) from 5.13.0 to 5.13.1. - [Release notes](https://github.com/pyinstaller/pyinstaller/releases) - [Changelog](https://github.com/pyinstaller/pyinstaller/blob/develop/doc/CHANGES.rst) - [Commits](pyinstaller/pyinstaller@v5.13.0...v5.13.1) --- updated-dependencies: - dependency-name: pyinstaller dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [idna](https://github.com/kjd/idna) from 3.3 to 3.7. - [Release notes](https://github.com/kjd/idna/releases) - [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst) - [Commits](kjd/idna@v3.3...v3.7) --- updated-dependencies: - dependency-name: idna dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [idna](https://github.com/kjd/idna) from 2.8 to 3.7. - [Release notes](https://github.com/kjd/idna/releases) - [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst) - [Commits](kjd/idna@v2.8...v3.7) --- updated-dependencies: - dependency-name: idna dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [tqdm](https://github.com/tqdm/tqdm) from 4.64.0 to 4.66.3. - [Release notes](https://github.com/tqdm/tqdm/releases) - [Commits](tqdm/tqdm@v4.64.0...v4.66.3) --- updated-dependencies: - dependency-name: tqdm dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [tqdm](https://github.com/tqdm/tqdm) from 4.64.1 to 4.66.3. - [Release notes](https://github.com/tqdm/tqdm/releases) - [Commits](tqdm/tqdm@v4.64.1...v4.66.3) --- updated-dependencies: - dependency-name: tqdm dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [certifi](https://github.com/certifi/python-certifi) from 2023.7.22 to 2024.7.4. - [Commits](certifi/python-certifi@2023.07.22...2024.07.04) --- updated-dependencies: - dependency-name: certifi dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
…na-3.7 Bump idna from 3.3 to 3.7 in /cli/requirements
…lic_build_materials/pyinstaller-5.13.1 Bump pyinstaller from 5.13.0 to 5.13.1 in /inkscape driver/public_build_materials
…lic_build_materials/idna-3.7 Bump idna from 2.8 to 3.7 in /inkscape driver/public_build_materials
…dm-4.66.3 Bump tqdm from 4.64.0 to 4.66.3 in /cli/requirements
…lic_build_materials/tqdm-4.66.3 Bump tqdm from 4.64.1 to 4.66.3 in /inkscape driver/public_build_materials
…ertifi-2024.7.4 Bump certifi from 2023.7.22 to 2024.7.4 in /cli/requirements
Bumps [urllib3](https://github.com/urllib3/urllib3) from 1.26.18 to 2.6.3. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](urllib3/urllib3@1.26.18...2.6.3) --- updated-dependencies: - dependency-name: urllib3 dependency-version: 2.6.3 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [pyinstaller](https://github.com/pyinstaller/pyinstaller) from 5.13.1 to 6.15.0. - [Release notes](https://github.com/pyinstaller/pyinstaller/releases) - [Changelog](https://github.com/pyinstaller/pyinstaller/blob/develop/doc/CHANGES.rst) - [Commits](pyinstaller/pyinstaller@v5.13.1...v6.15.0) --- updated-dependencies: - dependency-name: pyinstaller dependency-version: 6.15.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [requests](https://github.com/psf/requests) from 2.31.0 to 2.32.4. - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md) - [Commits](psf/requests@v2.31.0...v2.32.4) --- updated-dependencies: - dependency-name: requests dependency-version: 2.32.4 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
…blic_build_materials/pyinstaller-6.15.0 Bump pyinstaller from 5.13.1 to 6.15.0 in /inkscape driver/public_build_materials
…rllib3-2.6.3 Bump urllib3 from 1.26.18 to 2.6.3 in /cli/requirements
…blic_build_materials/requests-2.32.4 Bump requests from 2.31.0 to 2.32.4 in /inkscape driver/public_build_materials
Bumps [requests](https://github.com/psf/requests) from 2.31.0 to 2.32.4. - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md) - [Commits](psf/requests@v2.31.0...v2.32.4) --- updated-dependencies: - dependency-name: requests dependency-version: 2.32.4 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [certifi](https://github.com/certifi/python-certifi) from 2023.7.22 to 2024.7.4. - [Commits](certifi/python-certifi@2023.07.22...2024.07.04) --- updated-dependencies: - dependency-name: certifi dependency-version: 2024.7.4 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
…equests-2.32.4 Bump requests from 2.31.0 to 2.32.4 in /cli/requirements
…blic_build_materials/certifi-2024.7.4 Bump certifi from 2023.7.22 to 2024.7.4 in /inkscape driver/public_build_materials
Dependency Version Bumps for Security and Maintenance

Summary

This PR updates several Python package dependencies across two requirements files to their newer versions. The changes primarily address security vulnerabilities in outdated packages and bring dependencies closer to current stable releases.

Files Changed

1. cli/requirements/requirements.txt
   Updates 5 dependencies used by the CLI tool: certifi, idna, requests, tqdm, urllib3.
2. inkscape driver/public_build_materials/requirements.txt
   Updates 5 dependencies used by the Inkscape driver build: certifi, idna, pyinstaller, requests, tqdm.

Code Changes

The most significant version jumps are:

- urllib3 2.x is a major version upgrade in the CLI requirements. This version drops support for Python < 3.7, removes deprecated APIs, and changes some default behaviors (e.g., default TLS settings). This is only applied in the CLI requirements, not in the Inkscape driver build.
- pyinstaller 6.x is also a major version upgrade for the Inkscape driver build tooling. PyInstaller 6 introduced changes to the build process, bootloader behavior, and hook system.

Reason for Changes

Security patches: certifi, requests, urllib3, and idna all had known CVEs in the previously pinned versions:

- certifi < 2024.7.4 — outdated CA certificate bundle
- requests < 2.32.0 — CVE-2024-35195 (session credential leak on redirects)
- idna < 3.7 — CVE-2024-3651 (DoS via resource consumption)
- urllib3 1.x — multiple advisories around TLS and header injection

Maintenance: tqdm and pyinstaller bumps bring bug fixes, performance improvements, and compatibility with newer Python versions.

Impact of Changes

- urllib3 2.x, which has a stricter TLS posture by default. This could surface issues if the AxiDraw communicates with endpoints using outdated TLS configurations or self-signed certificates.
- pyinstaller 6.x may produce different build artifacts. The bootloader and hook system changes could affect packaging behavior, binary size, or runtime behavior of the bundled application.

Test Plan

- CLI: Install dependencies from cli/requirements/requirements.txt into a clean virtual environment and verify: urllib3 2.x.
- Inkscape Driver Build: Install dependencies from inkscape driver/public_build_materials/requirements.txt and verify: pyinstaller 6.x successfully builds the Inkscape driver bundle.
- Cross-platform verification: If builds target multiple OS platforms (Windows, macOS, Linux), test on each.

Additional Notes

- urllib3 version was not bumped in the Inkscape driver requirements file. This asymmetry should be tracked — it may indicate that the Inkscape driver environment is not yet ready for urllib3 2.x, or it may simply have been an oversight. A follow-up to align these would be prudent.
- pyinstaller-hooks-contrib==2023.6 was not updated alongside the pyinstaller 6.x bump. It is worth verifying that this older hooks package is compatible with PyInstaller 6.x; newer hooks may be needed for correct bundling behavior.
- pip-audit or safety check to CI to catch vulnerable dependency versions automatically in the future.
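As an added example (not code from this PR or the AxiDraw project), a small Python check that encodes the minimum versions listed under Security patches, reports pins in a requirements.txt that fall below them, and reports packages pinned at different versions in the two files, which is how the urllib3 asymmetry noted above would surface in CI. The sample file contents, including the driver file's urllib3 pin, are constructed assumptions.

```python
import re
# Minimum versions exactly as listed under "Security patches" in the PR;
# "urllib3 1.x" is flagged as a whole, so 2.0.0 is the floor for it.
MIN_SAFE = {
    "certifi": (2024, 7, 4),
    "requests": (2, 32, 0),
    "idna": (3, 7, 0),
    "urllib3": (2, 0, 0),
}

def parse_version(text):
    """Turn '2023.07.22', '1.26.18' or '3.7' into a comparable 3-int tuple."""
    return tuple(([int(p) for p in re.findall(r"\d+", text)] + [0, 0, 0])[:3])

def parse_pins(requirements_text):
    """Map lowercase package name -> pinned version string for '==' pins."""
    pins = {}
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        m = re.match(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins

def find_vulnerable(pins):
    """Return {name: pin} for packages pinned below the PR's safe minimum."""
    return {name: pins[name] for name, minimum in MIN_SAFE.items()
            if name in pins and parse_version(pins[name]) < minimum}

def find_asymmetries(pins_a, pins_b):
    """Packages present in both files but pinned at different versions."""
    return {n: (pins_a[n], pins_b[n])
            for n in sorted(pins_a.keys() & pins_b.keys()) if pins_a[n] != pins_b[n]}

# Constructed sample contents modelled on the two files this PR touches;
# they are not the repository's real requirements files.
CLI_REQS = """certifi==2024.7.4
idna==3.7
requests==2.32.4
tqdm==4.66.3
urllib3==2.6.3
"""
DRIVER_REQS = """certifi==2024.7.4
idna==3.7
pyinstaller==6.15.0
pyinstaller-hooks-contrib==2023.6
requests==2.32.4
tqdm==4.66.3
urllib3==1.26.18  # assumed pin: the PR only says urllib3 was not bumped here
"""
```

This only encodes the minimums the PR lists; pip-audit checks pins against the live advisory database and is the right tool for the CI job suggested above.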