[stable-2.6] Bump dependency (#7070)

* Update Python dependencies

Relaxed or updated version constraints for several dependencies in requirements files and Makefile, including Cython, asciichartpy, msgpack, python-daemon, and pyyaml. These changes address build issues, remove unnecessary pins, and update to newer compatible versions.

* remove docutils license

* we no longer have this as a dep so we don't need to carry its license

* Update dependencies to address security vulnerabilities

Bumped versions of cryptography, protobuf, and idna in requirements to address CVE-2024-26130, CVE-2025-4565, and CVE-2024-3651. These updates improve security by resolving known vulnerabilities in the affected packages.

---------

Co-authored-by: thedoubl3j <jljacks93@gmail.com>
Hao Liu 2025-08-28 17:36:28 -04:00 committed by thedoubl3j
parent bb46268eec
commit d8737435fa
No known key found for this signature in database
GPG Key ID: E84C42ACF75B0768
4 changed files with 25 additions and 157 deletions

@ -77,7 +77,7 @@ RECEPTOR_IMAGE ?= quay.io/ansible/receptor:devel
SRC_ONLY_PKGS ?= cffi,pycparser,psycopg,twilio
# These should be upgraded in the AWX and Ansible venv before attempting
# to install the actual requirements
VENV_BOOTSTRAP ?= pip==21.2.4 setuptools==78.1.1 setuptools_scm[toml]==8.0.4 wheel==0.42.0 cython==0.29.37
VENV_BOOTSTRAP ?= pip==21.2.4 setuptools==78.1.1 setuptools_scm[toml]==8.0.4 wheel==0.42.0 cython==3.1.3
NAME ?= awx
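Review bot: the VENV_BOOTSTRAP cython bump from 0.29.37 to 3.1.3 matches the lock entry `cython==3.1.3` and the removal of the `Cython<3` cap from requirements.in, so the two places that pin Cython stay in sync. The old cap existed because of the pyyaml build problem (yaml/pyyaml#702), and this PR raises pyyaml to `>=6.0.2` at the same time; record that relationship in a comment next to VENV_BOOTSTRAP so a later bump does not reintroduce the cap or drop the pyyaml floor without noticing the dependency between them.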

@ -1,137 +0,0 @@
==================
Copying Docutils
==================
:Author: David Goodger
:Contact: goodger@python.org
:Date: $Date: 2015-05-08 17:56:32 +0200 (Fr, 08 Mai 2015) $
:Web site: http://docutils.sourceforge.net/
:Copyright: This document has been placed in the public domain.
Most of the files included in this project have been placed in the
public domain, and therefore have no license requirements and no
restrictions on copying or usage; see the `Public Domain Dedication`_
below. There are a few exceptions_, listed below.
Files in the Sandbox_ are not distributed with Docutils releases and
may have different license terms.
Public Domain Dedication
========================
The persons who have associated their work with this project (the
"Dedicator": David Goodger and the many contributors to the Docutils
project) hereby dedicate the entire copyright, less the exceptions_
listed below, in the work of authorship known as "Docutils" identified
below (the "Work") to the public domain.
The primary repository for the Work is the Internet World Wide Web
site <http://docutils.sourceforge.net/>. The Work consists of the
files within the "docutils" module of the Docutils project Subversion
repository (Internet host docutils.svn.sourceforge.net, filesystem path
/svnroot/docutils), whose Internet web interface is located at
<http://docutils.svn.sourceforge.net/viewvc/docutils/>. Files dedicated to the
public domain may be identified by the inclusion, near the beginning
of each file, of a declaration of the form::
Copyright: This document/module/DTD/stylesheet/file/etc. has been
placed in the public domain.
Dedicator makes this dedication for the benefit of the public at large
and to the detriment of Dedicator's heirs and successors. Dedicator
intends this dedication to be an overt act of relinquishment in
perpetuity of all present and future rights under copyright law,
whether vested or contingent, in the Work. Dedicator understands that
such relinquishment of all rights includes the relinquishment of all
rights to enforce (by lawsuit or otherwise) those copyrights in the
Work.
Dedicator recognizes that, once placed in the public domain, the Work
may be freely reproduced, distributed, transmitted, used, modified,
built upon, or otherwise exploited by anyone for any purpose,
commercial or non-commercial, and in any way, including by methods
that have not yet been invented or conceived.
(This dedication is derived from the text of the `Creative Commons
Public Domain Dedication`. [#]_)
.. [#] Creative Commons has `retired this legal tool`__ and does not
recommend that it be applied to works: This tool is based on United
States law and may not be applicable outside the US. For dedicating new
works to the public domain, Creative Commons recommend the replacement
Public Domain Dedication CC0_ (CC zero, "No Rights Reserved"). So does
the Free Software Foundation in its license-list_.
__ http://creativecommons.org/retiredlicenses
.. _CC0: http://creativecommons.org/about/cc0
Exceptions
==========
The exceptions to the `Public Domain Dedication`_ above are:
* docutils/writers/s5_html/themes/default/iepngfix.htc:
IE5.5+ PNG Alpha Fix v1.0 by Angus Turnbull
<http://www.twinhelix.com>. Free usage permitted as long as
this notice remains intact.
* docutils/utils/math/__init__.py,
docutils/utils/math/latex2mathml.py,
docutils/writers/xetex/__init__.py,
docutils/writers/latex2e/docutils-05-compat.sty,
docs/user/docutils-05-compat.sty.txt,
docutils/utils/error_reporting.py,
docutils/test/transforms/test_smartquotes.py:
Copyright © Günter Milde.
Released under the terms of the `2-Clause BSD license`_
(`local copy <licenses/BSD-2-Clause.txt>`__).
* docutils/utils/smartquotes.py
Copyright © 2011 Günter Milde,
based on `SmartyPants`_ © 2003 John Gruber
(released under a 3-Clause BSD license included in the file)
and smartypants.py © 2004, 2007 Chad Miller.
Released under the terms of the `2-Clause BSD license`_
(`local copy <licenses/BSD-2-Clause.txt>`__).
.. _SmartyPants: http://daringfireball.net/projects/smartypants/
* docutils/utils/math/math2html.py,
docutils/writers/html4css1/math.css
Copyright © Alex Fernández
These files are part of eLyXer_, released under the `GNU
General Public License`_ version 3 or later. The author relicensed
them for Docutils under the terms of the `2-Clause BSD license`_
(`local copy <licenses/BSD-2-Clause.txt>`__).
.. _eLyXer: http://www.nongnu.org/elyxer/
* docutils/utils/roman.py, copyright by Mark Pilgrim, released under the
`Python 2.1.1 license`_ (`local copy`__).
__ licenses/python-2-1-1.txt
* tools/editors/emacs/rst.el, copyright by Free Software Foundation,
Inc., released under the `GNU General Public License`_ version 3 or
later (`local copy`__).
__ licenses/gpl-3-0.txt
The `2-Clause BSD license`_ and the Python licenses are OSI-approved_
and GPL-compatible_.
Plaintext versions of all the linked-to licenses are provided in the
licenses_ directory.
.. _sandbox: http://docutils.sourceforge.net/sandbox/README.html
.. _licenses: licenses/
.. _Python 2.1.1 license: http://www.python.org/2.1.1/license.html
.. _GNU General Public License: http://www.gnu.org/copyleft/gpl.html
.. _2-Clause BSD license: http://www.spdx.org/licenses/BSD-2-Clause
.. _OSI-approved: http://opensource.org/licenses/
.. _license-list:
.. _GPL-compatible: http://www.gnu.org/licenses/license-list.html
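Review bot: deleting the docutils COPYING text is consistent with the lock file dropping `docutils==0.20.1 # via python-daemon` once python-daemon resolves to 3.1.2, but a license file must not go while the package is still shipped. Before merging, confirm no other locked package lists docutils under `# via`, and check the built venv with `pip freeze | grep -i docutils`; if it still appears, keep this file until the remaining consumer is gone.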

@ -2,7 +2,7 @@ aiohttp>=3.11.6 # CVE-2024-52304
ansiconv==1.0.0 # UPGRADE BLOCKER: from 2013, consider replacing instead of upgrading
ansible-runner==2.4.1
jq # used for indirect host counting feature
asciichartpy
asciichartpy<=1.5.7 # Unable to build from source for >1.5.7 due to missing README.md in PyPI sdist
asn1
azure-identity
azure-keyvault
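Review bot: `asciichartpy<=1.5.7` is an upper bound with no floor, and the lock hunk below shows the resolved version moving from 1.5.25 down to 1.5.7, so this is a downgrade rather than a relaxation; the commit message should say so. The comment should also carry the upstream issue or a TODO to lift the cap once the PyPI sdist ships README.md, so this pin does not become another UPGRADE BLOCKER like the ansiconv line above it.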
@ -10,8 +10,8 @@ boto3
botocore
channels
channels-redis
cryptography>=41.0.7 # CVE-2023-49083
Cython<3 # due to https://github.com/yaml/pyyaml/pull/702
cryptography>=42.0.4 # CVE-2024-26130
Cython
daphne
distro
django==4.2.23 # CVE-2025-48432
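Review bot: replacing `# CVE-2023-49083` with `# CVE-2024-26130` on the cryptography line loses the record of the earlier advisory even though `>=42.0.4` still satisfies it; keep both CVE ids in the comment so a future audit can see why the floor cannot drop below 41.0.7. The bare `Cython` line also drops the reason the cap was there (yaml/pyyaml#702); a short note that pyyaml 6.0.2 builds with Cython 3 would document why the cap is now safe to remove.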
@ -37,7 +37,7 @@ JSON-log-formatter
jsonschema
Markdown # used for formatting API help
maturin # pydantic-core build dep
msgpack<1.0.6 # 1.0.6+ requires cython>=3
msgpack
msrestazure
OPA-python-client==2.0.2 # Code contain monkey patch targeted to 2.0.2 to fix https://github.com/Turall/OPA-python-client/issues/29
openshift
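Review bot: removing `msgpack<1.0.6 # 1.0.6+ requires cython>=3` together with the Cython 3 bump is the right pairing, but the lock now resolves msgpack to 1.1.1, a jump across two minor releases, and the lock lists msgpack as consumed via channels-redis; make sure the channel-layer serialization path is exercised in the test run for this branch rather than relying on import success alone.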
@ -53,11 +53,11 @@ pygerduty
PyGithub <= 2.6.0
pyopenssl>=23.2.0 # resolve dep conflict from cryptography pin above
pyparsing==2.4.6 # Upgrading to v3 of pyparsing introduce errors on smart host filtering: Expected 'or' term, found 'or' (at char 15), (line:1, col:16)
python-daemon>3.0.0
python-daemon
python-dsv-sdk>=1.0.4
python-tss-sdk>=1.2.1
python-ldap
pyyaml>=6.0.1
pyyaml>=6.0.2
pyzstd # otel collector log file compression library
receptorctl==1.5.7
social-auth-core == 4.5.4 # hard pinned due to resolver picking CVE version when uncapped
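Review bot: dropping `python-daemon>3.0.0` to a bare `python-daemon` removes the floor that kept the resolver off the 2.x series; the lock currently picks 3.1.2, but requirements.in no longer guarantees it. Prefer a floor such as `python-daemon>=3.1.2`, the version the lock resolves to and at which the lock no longer lists docutils, with a comment explaining that. For `pyyaml>=6.0.2`, add a comment that 6.0.2 is the release that builds with Cython 3, since that is what allows the `Cython<3` cap to go.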
@ -78,6 +78,8 @@ setuptools_scm[toml] # see UPGRADE BLOCKERs, xmlsec build dep
setuptools-rust>=0.11.4 # cryptography build dep
pkgconfig>=1.5.1 # xmlsec build dep - needed for offline build
django-flags>=5.0.13
protobuf>=4.25.8 # CVE-2025-4565
idna>=3.10 # CVE-2024-3651
# Temporarily added to use ansible-runner from git branch, to be removed
# when ansible-runner moves from requirements_git.txt to here
pbr
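Review bot: `protobuf>=4.25.8` and `idna>=3.10` are placed in the build-dependency block (after setuptools-rust and pkgconfig) even though both are runtime transitive dependencies; the lock lists protobuf via googleapis-common-protos and opentelemetry-proto, and idna via hyperlink, requests and twisted. Move them next to the other CVE-annotated runtime floors such as aiohttp and cryptography so the grouping in this file stays meaningful, and consider adding a link to each advisory in the comment so the next reviewer can verify the chosen floor.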

@ -22,7 +22,7 @@ ansible-runner==2.4.1
# via -r /awx_devel/requirements/requirements.in
ansiconv==1.0.0
# via -r /awx_devel/requirements/requirements.in
asciichartpy==1.5.25
asciichartpy==1.5.7
# via -r /awx_devel/requirements/requirements.in
asgiref==3.7.2
# via
@ -30,6 +30,7 @@ asgiref==3.7.2
# channels-redis
# daphne
# django
# django-ansible-base
# django-cors-headers
asn1==2.7.0
# via -r /awx_devel/requirements/requirements.in
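Review bot: this hunk, and the later pyjwt, requests and urllib3 hunks, add `# django-ansible-base` as a new `# via` entry with no version change on the package itself, which means the lock was regenerated with django-ansible-base in the input set; the commit message does not mention that. Confirm the entry comes from the current requirements_git.txt and is intended for stable-2.6, since it changes which packages the lock records as direct consumers.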
@ -106,7 +107,7 @@ click==8.1.7
# via receptorctl
constantly==23.10.4
# via twisted
cryptography==41.0.7
cryptography==42.0.8
# via
# -r /awx_devel/requirements/requirements.in
# adal
@ -120,7 +121,7 @@ cryptography==41.0.7
# pyopenssl
# service-identity
# social-auth-core
cython==0.29.37
cython==3.1.3
# via -r /awx_devel/requirements/requirements.in
daphne==3.0.2
# via
@ -187,8 +188,6 @@ djangorestframework==3.15.2
# django-ansible-base
djangorestframework-yaml==2.0.0
# via -r /awx_devel/requirements/requirements.in
docutils==0.20.1
# via python-daemon
dynaconf==3.2.10
# via
# -r /awx_devel/requirements/requirements.in
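Review bot: dropping `docutils==0.20.1 # via python-daemon` follows from python-daemon moving to 3.1.2 in the later hunk, and it is what justifies deleting the docutils COPYING file in this same PR; the two changes must land and be reverted together. If this lock is ever regenerated with python-daemon pinned back to 3.0.x, the license file has to return with it.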
@ -221,8 +220,9 @@ hyperlink==21.0.0
# via
# autobahn
# twisted
idna==3.6
idna==3.10
# via
# -r /awx_devel/requirements/requirements.in
# hyperlink
# requests
# twisted
@ -305,7 +305,7 @@ msal==1.26.0
# msal-extensions
msal-extensions==1.1.0
# via azure-identity
msgpack==1.0.5
msgpack==1.1.1
# via
# -r /awx_devel/requirements/requirements.in
# channels-redis
@ -363,7 +363,7 @@ opentelemetry-sdk==1.24.0
# opentelemetry-exporter-otlp-proto-http
opentelemetry-semantic-conventions==0.45b0
# via opentelemetry-sdk
packaging==23.2
packaging==25.0
# via
# ansible-runner
# msal-extensions
@ -384,8 +384,9 @@ propcache==0.2.0
# via
# aiohttp
# yarl
protobuf==4.25.3
protobuf==4.25.8
# via
# -r /awx_devel/requirements/requirements.in
# googleapis-common-protos
# opentelemetry-proto
psutil==5.9.8
@ -420,6 +421,7 @@ pygithub==2.6.0
pyjwt[crypto]==2.8.0
# via
# adal
# django-ansible-base
# msal
# pygithub
# social-auth-core
@ -434,7 +436,7 @@ pyparsing==2.4.6
# via -r /awx_devel/requirements/requirements.in
pyrad==2.4
# via django-radius
python-daemon==3.0.1
python-daemon==3.1.2
# via
# -r /awx_devel/requirements/requirements.in
# ansible-runner
@ -461,7 +463,7 @@ pytz==2024.1
# via
# irc
# tempora
pyyaml==6.0.1
pyyaml==6.0.2
# via
# -r /awx_devel/requirements/requirements.in
# ansible-runner
@ -485,6 +487,7 @@ requests==2.32.3
# -r /awx_devel/requirements/requirements.in
# adal
# azure-core
# django-ansible-base
# django-oauth-toolkit
# kubernetes
# msal
@ -551,7 +554,7 @@ tempora==5.5.1
# via
# irc
# jaraco-logging
tomli==2.0.1
tomli==2.2.1
# via
# incremental
# maturin
@ -585,6 +588,7 @@ urllib3==1.26.20
# via
# -r /awx_devel/requirements/requirements.in
# botocore
# django-ansible-base
# kubernetes
# pygithub
# requests
@ -619,7 +623,6 @@ setuptools==78.1.1
# autobahn
# incremental
# opentelemetry-instrumentation
# python-daemon
# setuptools-rust
# setuptools-scm
# zope-interface