
Update Python packages to patch security issues reported by Dependabot #815

Merged
merged 1 commit into from
Dec 7, 2024

Conversation

eecavanna
Collaborator

In this branch, I updated some Python packages in order to get some security patches.

Details

I updated the python-multipart package specification in main.in to ensure the version that gets installed includes a security patch. This update was prompted by Dependabot alert 8; i.e. https://github.com/microbiomedata/nmdc-runtime/security/dependabot/8.

After updating that package, I synchronized the transitive dependencies and confirmed that tornado (which is a transitive dependency, not a direct one) was updated to version 6.4.2, which is what Dependabot recommended in its alert 7; i.e. https://github.com/microbiomedata/nmdc-runtime/security/dependabot/7.

Related issue(s)

Related subsystem(s)

  • Runtime API (except the Minter)
  • Minter
  • Dagster
  • Project documentation (in the docs directory)
  • Translators (metadata ingest pipelines)
  • MongoDB migrations
  • Other

Dependencies. I think a bunch of applications in this repo share the same dependency list. I am not sure which things use these particular packages. I assume it's at least the Runtime API.

Testing

  • I tested these changes (explain below)
  • I did not test these changes

I will leave this to the GitHub Actions workflows.

Documentation

  • I have not checked for relevant documentation yet (e.g. in the docs directory)
  • I have updated all relevant documentation so it will remain accurate
  • Other (explain below)

Maintainability

  • Every Python function I defined includes a docstring (test functions are exempt from this)
  • Every Python function parameter I introduced includes a type hint (e.g. study_id: str)
  • All "to do" or "fix me" Python comments I added begin with either # TODO or # FIXME
  • I used black to format all the Python files I created/modified
  • The PR title is in the imperative mood (e.g. "Do X") and not the declarative mood (e.g. "Does X" or "Did X")

@eecavanna eecavanna self-assigned this Dec 6, 2024
@eecavanna
Collaborator Author

The command I used to "sync deps" was:

docker compose run --rm -it --no-deps fastapi make update-deps

That saved me from having to spin up the entire Docker Compose stack.
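The PR description above updates a direct pin in main.in, re-syncs the transitive dependencies, and then checks by hand that tornado landed on the 6.4.2 that Dependabot recommended. The following script is an added example, not part of this PR or the nmdc-runtime project, that automates that last step: it parses a pip-compile style lockfile (a constructed sample is embedded inline) and reports every alert-relevant package that is missing or pinned below its recommended floor. The only floor taken from the page is tornado 6.4.2; the python-multipart floor is left as a labelled placeholder because alert 8's version is not quoted here. Version comparison is a deliberately simplified PEP 440 (numeric release segments only), which is sufficient for `==` pins.

```python
"""Check a pip-compiled lockfile against minimum versions recommended by Dependabot.

Added example (not the project's own tooling). Assumes a lockfile in the
format pip-compile writes: one 'name==version' line per package, with
'# via ...' annotations and optional '--hash=' continuation lines.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample lockfile in pip-compile style; versions other than the
# tornado 6.4.2 named in the PR are made up for the example.
SAMPLE_LOCKFILE = """\
#
# This file is autogenerated by pip-compile
#
fastapi==0.115.5
    # via -r requirements/main.in
tornado==6.4.2
    # via dagster
"""

# A second constructed sample showing the state before the sync.
STALE_LOCKFILE = SAMPLE_LOCKFILE.replace("tornado==6.4.2", "tornado==6.4.1")

# Floors that close the alerts. 6.4.2 is what Dependabot alert 7 recommended
# for tornado; the python-multipart floor must be filled in from alert 8.
MINIMUM_VERSIONS: Dict[str, str] = {
    "tornado": "6.4.2",
    # "python-multipart": "<version from Dependabot alert 8>",  # placeholder
}

# name, optional [extras], '==', version; stops at whitespace, '\' or ';' markers
_PIN_RE = re.compile(r"([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s\\;]+)")


def normalize_name(name: str) -> str:
    """PEP 503 canonical form: lowercase, runs of '-', '_' and '.' become one hyphen."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric release segments only ('6.4.2' -> (6, 4, 2)); pre-release tags are ignored.

    This is a simplification of PEP 440 that is adequate for exact pins."""
    match = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a comparator; shorter tuples are padded so '6.4' == '6.4.0'."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def parse_lockfile(text: str) -> Dict[str, str]:
    """Map normalized package name -> pinned version for every 'name==version' line."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, including '# via' annotations
        if not line or line.startswith("-"):  # skip blanks and options such as --hash=
            continue
        match = _PIN_RE.match(line)
        if match:
            pins[normalize_name(match.group(1))] = match.group(2)
    return pins


def check_minimums(lockfile_text: str, minimums: Dict[str, str]) -> List[str]:
    """One finding per package that is absent or pinned below its floor; [] means all clear."""
    pins = parse_lockfile(lockfile_text)
    findings: List[str] = []
    for name, floor in minimums.items():
        key = normalize_name(name)
        if key not in pins:
            findings.append(f"{name}: not pinned in lockfile (not a dependency, or not captured by pip-compile)")
        elif compare_versions(pins[key], floor) < 0:
            findings.append(f"{name}: pinned {pins[key]} is below recommended {floor}")
    return findings


if __name__ == "__main__":
    for label, text in (("synced", SAMPLE_LOCKFILE), ("stale", STALE_LOCKFILE)):
        print(label, "->", check_minimums(text, MINIMUM_VERSIONS) or "OK")
```

Run against the compiled requirements file that `make update-deps` produces, a non-empty result is a reason to re-sync before merging; the "not pinned" case matters because a package that is absent from the lockfile is outside what the sync can fix.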

@eecavanna
Collaborator Author

Merging security-related bumps to dependency versions before Monday's freeze of main.

@eecavanna eecavanna merged commit 67a694d into main Dec 7, 2024
1 check passed
@eecavanna eecavanna deleted the fix-dependabot-alerts-7-and-8 branch December 7, 2024 18:40