-
-
Notifications
You must be signed in to change notification settings - Fork 584
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make CI happy again #2310
Make CI happy again #2310
Conversation
well, this raised a bunch more issues. I'll look into the failing CI jobs EDIT: at least the lint job passes 😅 |
Looking at the MacOS failures, I see e.g. for the Python 3.8 job (https://github.com/PyCQA/isort/actions/runs/12178407083/job/33968333999?pr=2310)
It looks like this job is actually running most commands with Python 3.13? The poetry install step reports
EDIT: further looking, it looks like all the MacOS jobs are run on Python 3.13, but the Ubuntu ones are
so it looks like it's using the system Python and not the one installed with the |
32b3407
to
e1fe80d
Compare
There's currently an inconsistent failure with error
I say inconsistent because I saw it:
I'll address this in the future (I expect it will go away with some dependency bumps, if it shows up again) |
7cc8ed2
to
e1fe80d
Compare
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #2310 +/- ##
=======================================
Coverage 99.15% 99.15%
=======================================
Files 39 39
Lines 3091 3091
Branches 748 785 +37
=======================================
Hits 3065 3065
Misses 15 15
Partials 11 11 |
e1fe80d
to
729c53f
Compare
This requires handling upstream (see linked issue), trying to bump this dependency errored with: Because mkdocs-material (9.5.32) depends on mkdocs (>=1.6,<2.0) and portray (1.8.0) depends on mkdocs (>=1.3.0,<1.4.0), mkdocs-material (9.5.32) is incompatible with portray (1.8.0). And because no versions of portray match >1.8.0, mkdocs-material (9.5.32) is incompatible with portray (>=1.8.0). So, because isort depends on both portray (>=1.8.0) and mkdocs-material (9.5.32), version solving failed.
Bump `jinja` -> Vulnerability found in jinja2 version 3.1.3 Vulnerability ID: 71591 Affected spec: <3.1.4 ADVISORY: Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute... CVE-2024-34064 For more information, please visit https://data.safetycli.com/v/71591/f17 Bump `anyio` -> Vulnerability found in anyio version 4.1.0 Vulnerability ID: 71199 Affected spec: <4.4.0 ADVISORY: Anyio version 4.4.0 addresses a thread race condition in `_eventloop.get_asynclib()` that caused crashes when multiple event loops... PVE-2024-71199 For more information, please visit https://data.safetycli.com/v/71199/f17 Bump `bandit` -> Vulnerability found in bandit version 1.7.6 Vulnerability ID: 64484 Affected spec: <1.7.7 ADVISORY: Bandit 1.7.7 identifies the str.replace method as a potential risk for SQL injection because it can be misused in constructing... PVE-2024-64484 For more information, please visit https://data.safetycli.com/v/64484/f17 Bump `certifi` -> Vulnerability found in certifi version 2023.11.17 Vulnerability ID: 72083 Affected spec: >=2021.05.30,<2024.07.04 ADVISORY: Certifi affected versions recognized root certificates from GLOBALTRUST. Certifi patch removes these root certificates from the root... CVE-2024-39689 For more information, please visit https://data.safetycli.com/v/72083/f17 Bump `idna` -> Vulnerability found in idna version 3.6 Vulnerability ID: 67895 Affected spec: <3.7 ADVISORY: Affected versions of Idna are vulnerable to Denial Of Service via the idna.encode(), where a specially crafted argument could... CVE-2024-3651 For more information, please visit https://data.safetycli.com/v/67895/f17 Bump `requests` -> Vulnerability found in requests version 2.31.0 Vulnerability ID: 71064 Affected spec: <2.32.2 ADVISORY: Affected versions of Requests, when making requests through a Requests `Session`, if the first request is made with `verify=False` to... CVE-2024-35195 For more information, please visit https://data.safetycli.com/v/71064/f17 Bump `setuptools` -> Vulnerability found in requests version 2.31.0 Vulnerability ID: 71064 Affected spec: <2.32.2 ADVISORY: Affected versions of Requests, when making requests through a Requests `Session`, if the first request is made with `verify=False` to... CVE-2024-35195 For more information, please visit https://data.safetycli.com/v/71064/f17 Bump `tornado` -> Vulnerability found in tornado version 6.4 Vulnerability ID: 71957 Affected spec: <=6.4.0 ADVISORY: When Tornado receives a request with two Transfer-Encoding: chunked headers, it ignores them both. This enables request smuggling when... PVE-2024-71957 For more information, please visit https://data.safetycli.com/v/71957/f17 -> Vulnerability found in tornado version 6.4 Vulnerability ID: 71956 Affected spec: <6.4.1 ADVISORY: Tornado’s curl_httpclient.CurlAsyncHTTPClient class is vulnerable to CRLF (carriage return/line feed) injection in the request... PVE-2024-71956 For more information, please visit https://data.safetycli.com/v/71956/f17 Bump `urllib3` -> Vulnerability found in urllib3 version 2.1.0 Vulnerability ID: 71608 Affected spec: >=2.0.0a1,<=2.2.1 ADVISORY: Urllib3's ProxyManager ensures that the Proxy-Authorization header is correctly directed only to configured proxies. However, when... CVE-2024-37891 For more information, please visit https://data.safetycli.com/v/71608/f17 Bump `zipp` -> Vulnerability found in zipp version 3.17.0 Vulnerability ID: 72132 Affected spec: <3.19.1 ADVISORY: A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library. The vulnerability is triggered when processing a... CVE-2024-5569 For more information, please visit https://data.safetycli.com/v/72132/f17 Bump `virutalenv` -> Vulnerability found in virtualenv version 20.25.0 Vulnerability ID: 73456 Affected spec: <20.26.6 ADVISORY: Affected versions of the virtualenv package are vulnerable to command injection. This vulnerability could allow an attacker to execute arbitrary commands by exploiting improperly quoted string placeholders in activation scripts. The vulnerable functions include various shell activation scripts where placeholders like __VIRTUAL_ENV__ are used. The exploitability depends on the ability to control the input to these placeholders. Users are advised to update to the version where a quoting mechanism has been implemented to mitigate this... PVE-2024-73456 For more information, please visit https://data.safetycli.com/v/73456/f17
-> Vulnerability found in black version 23.11.0 Vulnerability ID: 66742 Affected spec: <24.3.0 ADVISORY: Affected versions of Black are vulnerable to Regular Expression Denial of Service (ReDoS) via the... CVE-2024-21503 For more information, please visit https://data.safetycli.com/v/66742/f17 Also re-run `black` to pick up any changes from the new version and update some unit test that relied on how black formats.
`pipx` is installed on all the runners by default, but using this means `pipx` is run with the system Python, and not the one installed with `steup-python`. This was noticed when e.g. the MacOS Python 3.9 job would report: creating virtual environment... creating shared libraries... upgrading shared libraries... installing poetry... done! ✨ 🌟 ✨ installed package poetry 1.3.1, installed using Python 3.13.0 These apps are now globally available - poetry Poetry (version 1.3.1) Python 3.13.0 is the system version pre-installed on these runners[1], and a similar pattern was seen on the Ubuntu and Windows runners. An alternative would be to add an install step for `pipx` but this feels simpler Link: https://github.com/actions/runner-images/blob/de16eefce8361c24c716958843d8c87cb1c25990/images/macos/macos-14-Readme.md [1]
This is to address an error seen on some Python 3.12 runners: <-- SNIP --> File "/Library/Frameworks/Python.framework/Versions/3.12/lib/python3.12/site-packages/pip/_vendor/pkg_resources/__init__.py", line 2164, in <module> register_finder(pkgutil.ImpImporter, find_on_path) ^^^^^^^^^^^^^^^^^^^ AttributeError: module 'pkgutil' has no attribute 'ImpImporter'. Did you mean: 'zipimporter'? ^^^^^^^^^^^^^^^^^^^ This looks to be the issue[1] fixed in Pip 23.2 so use that verison Link: pypa/pip#11501 [1]
729c53f
to
846b64d
Compare
I accidentally deleted the source branch while cleaning up branches on my fork, re-created this PR: #2311 |
The motiviation here is to just get CI passing. It started with me just
bumping some dependencies to fix security alerts, but this raised some
further issues. The focus here was to make things pass with the minimum
amount of changes, I think there's still some more work to bring some
dependencies up-to-date but this is a starting point.
The different types of changes are separated into the different commits
on this branch.
Update poetry dev naming
Following the warning
Update the name and run
poetry.lock
, this is also because the upcomingchanges would add the
groups = ["dev"]
line to updated dependenciesanyway, so change them all now to avoid noise later
Bump some dependencies for security fixes
Bump
jinja
Bump
anyio
Bump
bandit
Bump
certifi
Bump
idna
Bump
requests
Bump
setuptools
Bump
tornado
Bump
urllib3
Bump
zipp
Bump
virutalenv
Update
black
Also re-run
black
to pick up any changes from the new version andupdate some unit test that relied on how black formats.
Ignore security issue with
mkdocs-material
This requires handling upstream (see linked issue), trying to bump this
dependency errored with:
CI: use
pip
over `pipx for poetry installpipx
is installed on all the runners by default, but using this meanspipx
is run with the system Python, and not the one installed withsteup-python
. This was noticed when e.g. the MacOS Python 3.9 jobwould report:
Python 3.13.0 is the system version pre-installed on these runners[1],
and a similar pattern was seen on the Ubuntu and Windows runners. An
alternative would be to add an install step for
pipx
but this feelssimpler
Link: https://github.com/actions/runner-images/blob/de16eefce8361c24c716958843d8c87cb1c25990/images/macos/macos-14-Readme.md [1]
Update
pip
for GitHub runnerThis is to address an error seen on some Python 3.12 runners:
This looks to be the issue[1] fixed in Pip 23.2 so use that verison
Link: pip's vendored pkg_resources should stop using pkgutil.ImpImporter pypa/pip#11501 [1]