From b2e7250da9db59f6ab892db982d106a5317d666b Mon Sep 17 00:00:00 2001
From: Adrian Torres
Date: Fri, 13 Jan 2023 12:01:17 +0100
Subject: [PATCH 1/2] Add Makefile entrypoint for easily upgrading packages

---
 docs/developer/DEVELOP.md | 6 ++++++
 mk/setup.mk | 5 +++++
 2 files changed, 11 insertions(+)

diff --git a/docs/developer/DEVELOP.md b/docs/developer/DEVELOP.md
index 0f6f60c6b..4f5c9d476 100644
--- a/docs/developer/DEVELOP.md
+++ b/docs/developer/DEVELOP.md
@@ -460,6 +460,12 @@ $ source venv/bin/activate
 $ pip-compile --generate-hashes --allow-unsafe --upgrade-package django --upgrade-package requests==2.0.0
 ```
+Instead of running this command manually, you can use the following make entrypoint:
+
+```bash
+$ make upgrade-dep package=requests==2.0.0 reqfile=requirements.in
+```
+
 To install the dependencies with `pip`, you simply pass the requirements file(s) to the `-r` option and all the requirements in the file will be installed, even if the file was generated by `pip-compile`!
 With `pip-tools`, the command for installing dependencies is `pip-sync requirements.txt` (or any other file generated by `pip-compile`), however `pip-sync` will not only install the requirements, but it will also uninstall any packages or versions that do **not** match the one defined in the requirements file.
diff --git a/mk/setup.mk b/mk/setup.mk
index c10423503..84841d2e0 100644
--- a/mk/setup.mk
+++ b/mk/setup.mk
@@ -71,6 +71,11 @@ sync-deps: check-venv-active
 $(ps) requirements.txt devel-requirements.txt $$([ -f local-requirements.txt ] && echo 'local-requirements.txt')
+.PHONY : upgrade-dep
+upgrade-dep: check-venv-active
+ @echo ">upgrading specified packages"
+ $(pc) --allow-unsafe --generate-hashes --no-emit-index-url -P $(package) $(reqfile)
+
 #***********************************
 ### Update installed python packages based on requirements.txt both in local venv and in all containers
 #***********************************
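Review bot: The new `upgrade-dep` recipe does not validate its two required variables, so `make upgrade-dep reqfile=requirements.in` with `package` unset expands to `$(pc) ... -P requirements.in` — the requirements file is swallowed as the `-P` argument and pip-compile is left to choose its own input, which would presumably rewrite a lock file other than the one intended rather than fail. The make idiom is to check before the recipe runs, e.g. add `$(if $(strip $(package)),,$(error package is required e.g. package=requests==2.0.0))` and `$(if $(strip $(reqfile)),,$(error reqfile is required e.g. reqfile=requirements.in))` as the first two recipe lines (or in a `check-upgrade-args` prerequisite next to `check-venv-active`). Keeping `--generate-hashes` is the important part here, since the pinned hashes are what let `pip-sync` reject a substituted package; a comment above the rule such as `# Rewrites only the lock file; run 'make sync-deps' afterwards to update the venv` would make that two-step workflow explicit without a trip to DEVELOP.md. Note that `-P $(package)` upgrades a single package per invocation, unlike the manual `pip-compile` command documented alongside it, which passes two `--upgrade-package` flags.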
From 10a4c5ad123b597583761a64e3314d4455c58869 Mon Sep 17 00:00:00 2001 From: Adrian Torres Date: Fri, 13 Jan 2023 12:03:27 +0100 Subject: [PATCH 2/2] Upgrade setuptools and wheel packages to latest security revision Addresses CVE-2022-40897 and CVE-2022-40898 which are unlikely to be exploitable within OSIDB but might as well patch it. --- devel-requirements.txt | 12 ++++++------ requirements.txt | 6 +++--- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/devel-requirements.txt b/devel-requirements.txt index 142fe27d0..d1e3229ec 100644 --- a/devel-requirements.txt +++ b/devel-requirements.txt @@ -754,9 +754,9 @@ websocket-client==1.2.1 \ --hash=sha256:0133d2f784858e59959ce82ddac316634229da55b498aac311f1620567a710ec \ --hash=sha256:8dfb715d8a992f5712fff8c843adae94e22b22a99b2c5e6b0ec4a1a981cc4e0d # via kubernetes -wheel==0.37.0 \ - --hash=sha256:21014b2bd93c6d0034b6ba5d35e4eb284340e09d63c59aef6fc14b0f346146fd \ - --hash=sha256:e2ef7239991699e3355d54f8e968a21bb940a1dbf34a4d226741e64462516fad +wheel==0.38.1 \ + --hash=sha256:7a95f9a8dc0924ef318bd55b616112c70903192f524d120acc614f59547a9e1f \ + --hash=sha256:ea041edf63f4ccba53ad6e035427997b3bb10ee88a4cd014ae82aeb9eea77bb9 # via pip-tools wrapt==1.13.3 \ --hash=sha256:086218a72ec7d986a3eddb7707c8c4526d677c7b35e355875a0fe2918b059179 \ @@ -893,9 +893,9 @@ pip==21.3.1 \ --hash=sha256:deaf32dcd9ab821e359cd8330786bcd077604b5c5730c0b096eda46f95c24a2d \ --hash=sha256:fd11ba3d0fdb4c07fbc5ecbba0b1b719809420f25038f8ee3cd913d3faa3033a # via pip-tools -setuptools==62.1.0 \ - --hash=sha256:26ead7d1f93efc0f8c804d9fafafbe4a44b179580a7105754b245155f9af05a8 \ - --hash=sha256:47c7b0c0f8fc10eec4cf1e71c6fdadf8decaa74ffa087e68cd1c20db7ad6a592 +setuptools==65.5.1 \ + --hash=sha256:d0b9a8433464d5800cbe05094acf5c6d52a91bfac9b52bcfc4d41382be5d5d31 \ + --hash=sha256:e197a19aa8ec9722928f2206f8de752def0e4c9fc6953527360d1c36d94ddb2f # via # -c requirements.txt # google-auth 
diff --git a/requirements.txt b/requirements.txt index 23543bced..31ad10ff7 100644 --- a/requirements.txt +++ b/requirements.txt @@ -793,9 +793,9 @@ zope.interface==5.4.0 \ # via gevent # The following packages are considered to be unsafe in a requirements file: -setuptools==62.1.0 \ - --hash=sha256:26ead7d1f93efc0f8c804d9fafafbe4a44b179580a7105754b245155f9af05a8 \ - --hash=sha256:47c7b0c0f8fc10eec4cf1e71c6fdadf8decaa74ffa087e68cd1c20db7ad6a592 +setuptools==65.5.1 \ + --hash=sha256:d0b9a8433464d5800cbe05094acf5c6d52a91bfac9b52bcfc4d41382be5d5d31 \ + --hash=sha256:e197a19aa8ec9722928f2206f8de752def0e4c9fc6953527360d1c36d94ddb2f # via # celery # gevent