Apply latest security patches (RedHatProductSecurity#117)

This PR applies the latest security patches and introduces a new Makefile entrypoint for easily upgrading packages.
jobselko · Jan 13, 2023 · bb11a16 · bb11a16
2 parents b4b2c07 + 10a4c5a
commit bb11a16
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 9 deletions.
diff --git a/devel-requirements.txt b/devel-requirements.txt
@@ -754,9 +754,9 @@ websocket-client==1.2.1 \
     --hash=sha256:0133d2f784858e59959ce82ddac316634229da55b498aac311f1620567a710ec \
     --hash=sha256:8dfb715d8a992f5712fff8c843adae94e22b22a99b2c5e6b0ec4a1a981cc4e0d
     # via kubernetes
-wheel==0.37.0 \
-    --hash=sha256:21014b2bd93c6d0034b6ba5d35e4eb284340e09d63c59aef6fc14b0f346146fd \
-    --hash=sha256:e2ef7239991699e3355d54f8e968a21bb940a1dbf34a4d226741e64462516fad
+wheel==0.38.1 \
+    --hash=sha256:7a95f9a8dc0924ef318bd55b616112c70903192f524d120acc614f59547a9e1f \
+    --hash=sha256:ea041edf63f4ccba53ad6e035427997b3bb10ee88a4cd014ae82aeb9eea77bb9
     # via pip-tools
 wrapt==1.13.3 \
     --hash=sha256:086218a72ec7d986a3eddb7707c8c4526d677c7b35e355875a0fe2918b059179 \
@@ -893,9 +893,9 @@ pip==21.3.1 \
     --hash=sha256:deaf32dcd9ab821e359cd8330786bcd077604b5c5730c0b096eda46f95c24a2d \
     --hash=sha256:fd11ba3d0fdb4c07fbc5ecbba0b1b719809420f25038f8ee3cd913d3faa3033a
     # via pip-tools
-setuptools==62.1.0 \
-    --hash=sha256:26ead7d1f93efc0f8c804d9fafafbe4a44b179580a7105754b245155f9af05a8 \
-    --hash=sha256:47c7b0c0f8fc10eec4cf1e71c6fdadf8decaa74ffa087e68cd1c20db7ad6a592
+setuptools==65.5.1 \
+    --hash=sha256:d0b9a8433464d5800cbe05094acf5c6d52a91bfac9b52bcfc4d41382be5d5d31 \
+    --hash=sha256:e197a19aa8ec9722928f2206f8de752def0e4c9fc6953527360d1c36d94ddb2f
     # via
     #   -c requirements.txt
     #   google-auth

diff --git a/docs/developer/DEVELOP.md b/docs/developer/DEVELOP.md
@@ -460,6 +460,12 @@ $ source venv/bin/activate
 $ pip-compile --generate-hashes --allow-unsafe --upgrade-package django --upgrade-package requests==2.0.0
 ```
 
+Instead of running this command manually, you can use the following make entrypoint:
+
+```bash
+$ make upgrade-dep package=requests==2.0.0 reqfile=requirements.in
+```
+
 To install the dependencies with `pip`, you simply pass the requirements file(s) to the `-r` option and all the requirements in the file will be installed, even if the file was generated by `pip-compile`!
 
 With `pip-tools`, the command for installing dependencies is `pip-sync requirements.txt` (or any other file generated by `pip-compile`), however `pip-sync` will not only install the requirements, but it will also uninstall any packages or versions that do **not** match the one defined in the requirements file.

diff --git a/mk/setup.mk b/mk/setup.mk
@@ -71,6 +71,11 @@ sync-deps: check-venv-active
 	$(ps) requirements.txt devel-requirements.txt $$([ -f local-requirements.txt ] && echo 'local-requirements.txt')
 
 
+.PHONY : upgrade-dep
+upgrade-dep: check-venv-active
+	@echo ">upgrading specified packages"
+	$(pc) --allow-unsafe --generate-hashes --no-emit-index-url -P $(package) $(reqfile)
+
 #***********************************
 ### Update installed python packages based on requirements.txt both in local venv and in all containers
 #***********************************

diff --git a/requirements.txt b/requirements.txt
@@ -793,9 +793,9 @@ zope.interface==5.4.0 \
     # via gevent
 
 # The following packages are considered to be unsafe in a requirements file:
-setuptools==62.1.0 \
-    --hash=sha256:26ead7d1f93efc0f8c804d9fafafbe4a44b179580a7105754b245155f9af05a8 \
-    --hash=sha256:47c7b0c0f8fc10eec4cf1e71c6fdadf8decaa74ffa087e68cd1c20db7ad6a592
+setuptools==65.5.1 \
+    --hash=sha256:d0b9a8433464d5800cbe05094acf5c6d52a91bfac9b52bcfc4d41382be5d5d31 \
+    --hash=sha256:e197a19aa8ec9722928f2206f8de752def0e4c9fc6953527360d1c36d94ddb2f
     # via
     #   celery
     #   gevent