From d8737435fa2d9490432114d719940bef65ef79c2 Mon Sep 17 00:00:00 2001 From: Hao Liu <44379968+TheRealHaoLiu@users.noreply.github.com> Date: Thu, 28 Aug 2025 17:36:28 -0400 Subject: [PATCH] [stable-2.6] Bump dependency (#7070) * Update Python dependencies Relaxed or updated version constraints for several dependencies in requirements files and Makefile, including Cython, asciichartpy, msgpack, python-daemon, and pyyaml. These changes address build issues, remove unnecessary pins, and update to newer compatible versions. * remove docutils license * we no longer have this as a dep so we don't need to carry its license * Update dependencies to address security vulnerabilities Bumped versions of cryptography, protobuf, and idna in requirements to address CVE-2024-26130, CVE-2025-4565, and CVE-2024-3651. These updates improve security by resolving known vulnerabilities in the affected packages. --------- Co-authored-by: thedoubl3j --- Makefile | 2 +- licenses/docutils.txt | 137 ---------------------------------- requirements/requirements.in | 14 ++-- requirements/requirements.txt | 29 +++---- 4 files changed, 25 insertions(+), 157 deletions(-) delete mode 100644 licenses/docutils.txt diff --git a/Makefile b/Makefile index 0148bfdeaa..31af902b30 100644 --- a/Makefile +++ b/Makefile @@ -77,7 +77,7 @@ RECEPTOR_IMAGE ?= quay.io/ansible/receptor:devel SRC_ONLY_PKGS ?= cffi,pycparser,psycopg,twilio # These should be upgraded in the AWX and Ansible venv before attempting # to install the actual requirements -VENV_BOOTSTRAP ?= pip==21.2.4 setuptools==78.1.1 setuptools_scm[toml]==8.0.4 wheel==0.42.0 cython==0.29.37 +VENV_BOOTSTRAP ?= pip==21.2.4 setuptools==78.1.1 setuptools_scm[toml]==8.0.4 wheel==0.42.0 cython==3.1.3 NAME ?= awx diff --git a/licenses/docutils.txt b/licenses/docutils.txt deleted file mode 100644 index ec5b3bd729..0000000000 --- a/licenses/docutils.txt +++ /dev/null 
@@ -1,137 +0,0 @@ -================== - Copying Docutils -================== - -:Author: David Goodger -:Contact: goodger@python.org -:Date: $Date: 2015-05-08 17:56:32 +0200 (Fr, 08 Mai 2015) $ -:Web site: http://docutils.sourceforge.net/ -:Copyright: This document has been placed in the public domain. - -Most of the files included in this project have been placed in the -public domain, and therefore have no license requirements and no -restrictions on copying or usage; see the `Public Domain Dedication`_ -below. There are a few exceptions_, listed below. -Files in the Sandbox_ are not distributed with Docutils releases and -may have different license terms. - - -Public Domain Dedication -======================== - -The persons who have associated their work with this project (the -"Dedicator": David Goodger and the many contributors to the Docutils -project) hereby dedicate the entire copyright, less the exceptions_ -listed below, in the work of authorship known as "Docutils" identified -below (the "Work") to the public domain. - -The primary repository for the Work is the Internet World Wide Web -site . The Work consists of the -files within the "docutils" module of the Docutils project Subversion -repository (Internet host docutils.svn.sourceforge.net, filesystem path -/svnroot/docutils), whose Internet web interface is located at -. Files dedicated to the -public domain may be identified by the inclusion, near the beginning -of each file, of a declaration of the form:: - - Copyright: This document/module/DTD/stylesheet/file/etc. has been - placed in the public domain. - -Dedicator makes this dedication for the benefit of the public at large -and to the detriment of Dedicator's heirs and successors. Dedicator -intends this dedication to be an overt act of relinquishment in -perpetuity of all present and future rights under copyright law, -whether vested or contingent, in the Work. 
Dedicator understands that -such relinquishment of all rights includes the relinquishment of all -rights to enforce (by lawsuit or otherwise) those copyrights in the -Work. - -Dedicator recognizes that, once placed in the public domain, the Work -may be freely reproduced, distributed, transmitted, used, modified, -built upon, or otherwise exploited by anyone for any purpose, -commercial or non-commercial, and in any way, including by methods -that have not yet been invented or conceived. - -(This dedication is derived from the text of the `Creative Commons -Public Domain Dedication`. [#]_) - -.. [#] Creative Commons has `retired this legal tool`__ and does not - recommend that it be applied to works: This tool is based on United - States law and may not be applicable outside the US. For dedicating new - works to the public domain, Creative Commons recommend the replacement - Public Domain Dedication CC0_ (CC zero, "No Rights Reserved"). So does - the Free Software Foundation in its license-list_. - - __ http://creativecommons.org/retiredlicenses - .. _CC0: http://creativecommons.org/about/cc0 - -Exceptions -========== - -The exceptions to the `Public Domain Dedication`_ above are: - -* docutils/writers/s5_html/themes/default/iepngfix.htc: - - IE5.5+ PNG Alpha Fix v1.0 by Angus Turnbull - . Free usage permitted as long as - this notice remains intact. - -* docutils/utils/math/__init__.py, - docutils/utils/math/latex2mathml.py, - docutils/writers/xetex/__init__.py, - docutils/writers/latex2e/docutils-05-compat.sty, - docs/user/docutils-05-compat.sty.txt, - docutils/utils/error_reporting.py, - docutils/test/transforms/test_smartquotes.py: - - Copyright © Günter Milde. - Released under the terms of the `2-Clause BSD license`_ - (`local copy `__). - -* docutils/utils/smartquotes.py - - Copyright © 2011 Günter Milde, - based on `SmartyPants`_ © 2003 John Gruber - (released under a 3-Clause BSD license included in the file) - and smartypants.py © 2004, 2007 Chad Miller. 
- Released under the terms of the `2-Clause BSD license`_ - (`local copy `__). - - .. _SmartyPants: http://daringfireball.net/projects/smartypants/ - -* docutils/utils/math/math2html.py, - docutils/writers/html4css1/math.css - - Copyright © Alex Fernández - These files are part of eLyXer_, released under the `GNU - General Public License`_ version 3 or later. The author relicensed - them for Docutils under the terms of the `2-Clause BSD license`_ - (`local copy `__). - - .. _eLyXer: http://www.nongnu.org/elyxer/ - -* docutils/utils/roman.py, copyright by Mark Pilgrim, released under the - `Python 2.1.1 license`_ (`local copy`__). - - __ licenses/python-2-1-1.txt - -* tools/editors/emacs/rst.el, copyright by Free Software Foundation, - Inc., released under the `GNU General Public License`_ version 3 or - later (`local copy`__). - - __ licenses/gpl-3-0.txt - -The `2-Clause BSD license`_ and the Python licenses are OSI-approved_ -and GPL-compatible_. - -Plaintext versions of all the linked-to licenses are provided in the -licenses_ directory. - -.. _sandbox: http://docutils.sourceforge.net/sandbox/README.html -.. _licenses: licenses/ -.. _Python 2.1.1 license: http://www.python.org/2.1.1/license.html -.. _GNU General Public License: http://www.gnu.org/copyleft/gpl.html -.. _2-Clause BSD license: http://www.spdx.org/licenses/BSD-2-Clause -.. _OSI-approved: http://opensource.org/licenses/ -.. _license-list: -.. _GPL-compatible: http://www.gnu.org/licenses/license-list.html diff --git a/requirements/requirements.in b/requirements/requirements.in index 28e0197cde..48dc040a42 100644 --- a/requirements/requirements.in +++ b/requirements/requirements.in 
@@ -2,7 +2,7 @@ aiohttp>=3.11.6 # CVE-2024-52304
 ansiconv==1.0.0 # UPGRADE BLOCKER: from 2013, consider replacing instead of upgrading
 ansible-runner==2.4.1
 jq # used for indirect host counting feature
-asciichartpy
+asciichartpy<=1.5.7 # Unable to build from source for >1.5.7 due to missing README.md in PyPI sdist
 asn1
 azure-identity
 azure-keyvault
@@ -10,8 +10,8 @@ boto3
 botocore
 channels
 channels-redis
-cryptography>=41.0.7 # CVE-2023-49083
-Cython<3 # due to https://github.com/yaml/pyyaml/pull/702
+cryptography>=42.0.4 # CVE-2024-26130
+Cython
 daphne
 distro
 django==4.2.23 # CVE-2025-48432
@@ -37,7 +37,7 @@ JSON-log-formatter
 jsonschema
 Markdown # used for formatting API help
 maturin # pydantic-core build dep
-msgpack<1.0.6 # 1.0.6+ requires cython>=3
+msgpack
 msrestazure
 OPA-python-client==2.0.2 # Code contain monkey patch targeted to 2.0.2 to fix https://github.com/Turall/OPA-python-client/issues/29
 openshift
@@ -53,11 +53,11 @@ pygerduty
 PyGithub <= 2.6.0
 pyopenssl>=23.2.0 # resolve dep conflict from cryptography pin above
 pyparsing==2.4.6 # Upgrading to v3 of pyparsing introduce errors on smart host filtering: Expected 'or' term, found 'or' (at char 15), (line:1, col:16)
-python-daemon>3.0.0
+python-daemon
 python-dsv-sdk>=1.0.4
 python-tss-sdk>=1.2.1
 python-ldap
-pyyaml>=6.0.1
+pyyaml>=6.0.2
 pyzstd # otel collector log file compression library
 receptorctl==1.5.7
 social-auth-core == 4.5.4 # hard pinned due to resolver picking CVE version when uncapped
@@ -78,6 +78,8 @@ setuptools_scm[toml] # see UPGRADE BLOCKERs, xmlsec build dep
 setuptools-rust>=0.11.4 # cryptography build dep
 pkgconfig>=1.5.1 # xmlsec build dep - needed for offline build
 django-flags>=5.0.13
+protobuf>=4.25.8 # CVE-2025-4565
+idna>=3.10 # CVE-2024-3651
 # Temporarily added to use ansible-runner from git branch, to be removed
 # when ansible-runner moves from requirements_git.txt to here
 pbr
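Review bot: The new floor `protobuf>=4.25.8 # CVE-2025-4565` in the last hunk only rules out vulnerable 4.x releases: the advisory's fixed versions are 4.25.8, 5.29.5 and 6.31.1, so a future re-resolve that lands on 5.29.0–5.29.4 or a 6.x below 6.31.1 satisfies this constraint yet reintroduces the bug (the lockfile pins 4.25.8 today, so the exposure is on the next `pip-compile`, not this commit). A plain `>=` cannot express per-line minimums, so cap it to the line actually locked and record the other fixed versions for whoever lifts the cap, `protobuf>=4.25.8,<5 # CVE-2025-4565 (fixed in 4.25.8 / 5.29.5 / 6.31.1)`; whether a `<5` cap agrees with what opentelemetry-proto allows is not visible in this hunk and should be checked. Separately, `pyopenssl>=23.2.0 # resolve dep conflict from cryptography pin above` still describes the old `cryptography>=41.0.7` pin; pyOpenSSL releases before 24.0.0 cap cryptography below 42, so with the new `cryptography>=42.0.4` floor the effective minimum is 24.0.0 and the line should say so, `pyopenssl>=24.0.0 # first release allowing cryptography>=42 (see pin above)`. The resolved pyopenssl version does not appear in the visible requirements.txt hunks, so confirm it against the lock before raising the floor.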
diff --git a/requirements/requirements.txt b/requirements/requirements.txt index e2a9f964dd..48089cea5e 100644 --- a/requirements/requirements.txt +++ b/requirements/requirements.txt @@ -22,7 +22,7 @@ ansible-runner==2.4.1 # via -r /awx_devel/requirements/requirements.in ansiconv==1.0.0 # via -r /awx_devel/requirements/requirements.in -asciichartpy==1.5.25 +asciichartpy==1.5.7 # via -r /awx_devel/requirements/requirements.in asgiref==3.7.2 # via @@ -30,6 +30,7 @@ asgiref==3.7.2 # channels-redis # daphne # django + # django-ansible-base # django-cors-headers asn1==2.7.0 # via -r /awx_devel/requirements/requirements.in @@ -106,7 +107,7 @@ click==8.1.7 # via receptorctl constantly==23.10.4 # via twisted -cryptography==41.0.7 +cryptography==42.0.8 # via # -r /awx_devel/requirements/requirements.in # adal @@ -120,7 +121,7 @@ cryptography==41.0.7 # pyopenssl # service-identity # social-auth-core -cython==0.29.37 +cython==3.1.3 # via -r /awx_devel/requirements/requirements.in daphne==3.0.2 # via @@ -187,8 +188,6 @@ djangorestframework==3.15.2 # django-ansible-base djangorestframework-yaml==2.0.0 # via -r /awx_devel/requirements/requirements.in -docutils==0.20.1 - # via python-daemon dynaconf==3.2.10 # via # -r /awx_devel/requirements/requirements.in @@ -221,8 +220,9 @@ hyperlink==21.0.0 # via # autobahn # twisted -idna==3.6 +idna==3.10 # via + # -r /awx_devel/requirements/requirements.in # hyperlink # requests # twisted @@ -305,7 +305,7 @@ msal==1.26.0 # msal-extensions msal-extensions==1.1.0 # via azure-identity -msgpack==1.0.5 +msgpack==1.1.1 # via # -r /awx_devel/requirements/requirements.in # channels-redis @@ -363,7 +363,7 @@ opentelemetry-sdk==1.24.0 # opentelemetry-exporter-otlp-proto-http opentelemetry-semantic-conventions==0.45b0 # via opentelemetry-sdk -packaging==23.2 +packaging==25.0 # via # ansible-runner # msal-extensions 
@@ -384,8 +384,9 @@ propcache==0.2.0 # via # aiohttp # yarl -protobuf==4.25.3 +protobuf==4.25.8 # via + # -r /awx_devel/requirements/requirements.in # googleapis-common-protos # opentelemetry-proto psutil==5.9.8 @@ -420,6 +421,7 @@ pygithub==2.6.0 pyjwt[crypto]==2.8.0 # via # adal + # django-ansible-base # msal # pygithub # social-auth-core @@ -434,7 +436,7 @@ pyparsing==2.4.6 # via -r /awx_devel/requirements/requirements.in pyrad==2.4 # via django-radius -python-daemon==3.0.1 +python-daemon==3.1.2 # via # -r /awx_devel/requirements/requirements.in # ansible-runner @@ -461,7 +463,7 @@ pytz==2024.1 # via # irc # tempora -pyyaml==6.0.1 +pyyaml==6.0.2 # via # -r /awx_devel/requirements/requirements.in # ansible-runner @@ -485,6 +487,7 @@ requests==2.32.3 # -r /awx_devel/requirements/requirements.in # adal # azure-core + # django-ansible-base # django-oauth-toolkit # kubernetes # msal @@ -551,7 +554,7 @@ tempora==5.5.1 # via # irc # jaraco-logging -tomli==2.0.1 +tomli==2.2.1 # via # incremental # maturin @@ -585,6 +588,7 @@ urllib3==1.26.20 # via # -r /awx_devel/requirements/requirements.in # botocore + # django-ansible-base # kubernetes # pygithub # requests @@ -619,7 +623,6 @@ setuptools==78.1.1 # autobahn # incremental # opentelemetry-instrumentation - # python-daemon # setuptools-rust # setuptools-scm # zope-interface