Pin vulnerable dependencies
- certifi@^2023.7.22 and cryptography@^41.0.2
- Added a section to pyproject.toml to house pinned deps + the reason why they're pinned
whabanks committed Nov 20, 2023
1 parent 3bf74e5 commit e436710
Showing 2 changed files with 43 additions and 25 deletions.
62 changes: 38 additions & 24 deletions poetry.lock
6 changes: 5 additions & 1 deletion pyproject.toml
Expand Up @@ -38,7 +38,6 @@ click-datetime = "0.2"
gevent = "23.9.0"
gunicorn = "20.1.0"
iso8601 = "2.0.0"
idna = "2.10" # pinned to align with test moto dependency requirements (for <=2.9)
jsonschema = "3.2.0"
marshmallow-sqlalchemy = "0.29.0"
marshmallow = "3.20.1"
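Review bot: the idna line removed in this hunk is the same line re-added further down under the new "# Pinned dependencies" heading, so this hunk is a pure move, but the comment it carries ("pinned to align with test moto dependency requirements") describes a test-only concern while the line stays in the dependency group above `[tool.poetry.group.test.dependencies]`. Either move the pin into the test group alongside flake8 and isort, or amend the comment to say why idna must also be constrained at runtime, so the next reader does not try to "clean it up" into the test group and change the resolved runtime version.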
Expand Down Expand Up @@ -71,6 +70,11 @@ typing-extensions = "4.7.1"
greenlet = "2.0.2"
simple-salesforce = "^1.12.3"

# Pinned dependencies
certifi = "^2023.7.22" # pinned for security reasons: https://github.com/cds-snc/notification-api/security/dependabot/119
cryptography = "^41.0.2" # pinned for security reasons: https://github.com/cds-snc/notification-api/security/dependabot/118
idna = "2.10" # pinned to align with test moto dependency requirements (for <=2.9)

[tool.poetry.group.test.dependencies]
flake8 = "6.1.0"
isort = "5.12.0"
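Review bot: the caret constraints `certifi = "^2023.7.22"` and `cryptography = "^41.0.2"` are lower bounds, not pins: `^` lets Poetry resolve to any compatible newer release (any 2023.x for certifi, any 41.x for cryptography), so only the accompanying poetry.lock actually freezes a version. That is a reasonable shape for a security floor, since it blocks the advised versions while still admitting patch releases, but it sits under a heading that says "Pinned dependencies", next to an exact `idna = "2.10"` pin, and under a commit titled "Pin vulnerable dependencies", which together suggest a frozen version. Suggest either splitting the section into security minimums and hard pins, or rewording the two comments to "minimum version for security reasons: <link>" so the intent of the caret is explicit.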
