* Update Python dependencies

  Relaxed or updated version constraints for several dependencies in requirements files and Makefile, including Cython, asciichartpy, msgpack, python-daemon, and pyyaml. These changes address build issues, remove unnecessary pins, and update to newer compatible versions.

* remove docutils license
  * we no longer have this as a dep so we don't need to carry its license

* Update dependencies to address security vulnerabilities

  Bumped versions of cryptography, protobuf, and idna in requirements to address CVE-2024-26130, CVE-2025-4565, and CVE-2024-3651. These updates improve security by resolving known vulnerabilities in the affected packages.

---------

Co-authored-by: thedoubl3j <jljacks93@gmail.com>
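# Direct (top-level) Python dependencies and their version constraints.
#
# How to read the constraints in this list:
#   name           no constraint; the resolver chooses the version
#   name>=X        floor only; when a CVE id follows, X is the security-relevant lower bound
#   name==X        exact pin; the trailing comment (if any) says why it cannot move
#   name<X, <=X    ceiling; newer releases are deliberately excluded
#   name~=X.Y      compatible release (>=X.Y, same major version)
#
# NOTE(review): floors and bare names do not determine the installed version on their own.
# Presumably a compiled/locked requirements file is generated from this list -- confirm that
# the versions resolved there actually satisfy the CVE floors recorded below.
# "UPGRADE BLOCKER" comments refer to the project's upgrade notes, which are not part of this file.
# Pins and ceilings without a trailing comment have no reason recorded here.

aiohttp>=3.11.6  # CVE-2024-52304
ansiconv==1.0.0  # UPGRADE BLOCKER: from 2013, consider replacing instead of upgrading
ansible-runner==2.4.1
jq  # used for indirect host counting feature
asciichartpy<=1.5.7  # Unable to build from source for >1.5.7 due to missing README.md in PyPI sdist
asn1
azure-identity
azure-keyvault
boto3
botocore
channels
channels-redis
cryptography>=42.0.4  # CVE-2024-26130
Cython
daphne
distro
# Exact pin: later 4.2.x security releases are not picked up until this line is bumped.
django==4.2.23  # CVE-2025-48432
django-auth-ldap
django-cors-headers
django-crum
django-extensions
django-guid==3.2.1
django-oauth-toolkit<2.0.0  # Version 2.0.0 has breaking changes that will need to be worked out before upgrading
django-polymorphic
django-pglocks
django-radius
django-solo
djangorestframework>=3.15.2
djangorestframework-yaml
dynaconf<4
filelock
GitPython>=3.1.37  # CVE-2023-41040
grpcio>=1.68.0  # CVE-2024-11407
irc
jinja2>=3.1.6  # CVE-2025-27516
JSON-log-formatter
jsonschema
Markdown  # used for formatting API help
maturin  # pydantic-core build dep
msgpack
msrestazure
OPA-python-client==2.0.2  # The code contains a monkey patch targeting 2.0.2 to fix https://github.com/Turall/OPA-python-client/issues/29
openshift
opentelemetry-api~=1.24  # new y-stream (1.y) releases are allowed; they can be drastically different, in a good way
opentelemetry-sdk~=1.24
opentelemetry-instrumentation-logging
opentelemetry-exporter-otlp
pexpect==4.7.0  # see library notes
prometheus_client
psycopg
psutil
pygerduty
# NOTE(review): no reason is recorded for this ceiling; document why releases above 2.6.0 are excluded.
PyGithub <= 2.6.0
pyopenssl>=23.2.0  # resolve dep conflict from the cryptography constraint above
pyparsing==2.4.6  # Upgrading to v3 of pyparsing introduces errors in smart host filtering: Expected 'or' term, found 'or' (at char 15), (line:1, col:16)
python-daemon
python-dsv-sdk>=1.0.4
python-tss-sdk>=1.2.1
python-ldap
pyyaml>=6.0.2
pyzstd  # otel collector log file compression library
receptorctl==1.5.7
# Exact pins on the authentication stack: security releases need an explicit bump here.
social-auth-core == 4.5.4  # hard pinned because the resolver picks a version with a CVE when uncapped
social-auth-app-django==5.4.2  # see UPGRADE BLOCKERs
redis[hiredis]
requests
slack-sdk
tacacs_plus==1.0  # UPGRADE BLOCKER: auth does not work with later versions
twilio
twisted[tls]>=24.7.0  # CVE-2024-41810
urllib3>=1.26.19  # CVE-2024-37891
uWSGI>=2.0.28
uwsgitop
wheel>=0.38.1  # CVE-2022-40898
# NOTE(review): pip 21.2.4 dates from 2021; an exact pin on the installer also holds back
# pip's own fixes. Re-check periodically whether the upgrade blocker still applies.
pip==21.2.4  # see UPGRADE BLOCKERs
setuptools==78.1.1  # see UPGRADE BLOCKERs
setuptools_scm[toml]  # see UPGRADE BLOCKERs, xmlsec build dep
setuptools-rust>=0.11.4  # cryptography build dep
pkgconfig>=1.5.1  # xmlsec build dep - needed for offline build
django-flags>=5.0.13
protobuf>=4.25.8  # CVE-2025-4565
idna>=3.10  # CVE-2024-3651
# Temporarily added to use ansible-runner from git branch, to be removed
# when ansible-runner moves from requirements_git.txt to here
# NOTE(review): ansible-runner==2.4.1 is already listed in this file, so this temporary
# entry may no longer be needed -- confirm before removing.
pbr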