
[IQE-3104] Update packages #518

Merged: 2 commits, Oct 24, 2024
Conversation

@mshriver (Contributor) commented Oct 23, 2024

Updating dependencies to address clair scan results from quay.io

Current Image

https://quay.io/repository/ibutsu/backend/tag/main?tab=securityreport

PR Image

https://quay.io/repository/ibutsu/backend/tag/pr-518?tab=securityreport

  • move dependency pins using uv
  • containerfile update
  • image builds and local/stage testing

https://issues.redhat.com/browse/IQE-3140

@mshriver added the labels backend and dependencies (Pull requests that update a dependency file) Oct 23, 2024
@mshriver changed the title from "Update packages" to "[IQE-3104] Update packages" Oct 23, 2024
@LightOfHeaven1994 (Collaborator) left a comment

@mshriver generally looks good, thanks for putting doc lines in for the workflow! But we need to make sure the different package versions are not breaking our app. I remember that some versions were pinned on purpose.

@mshriver marked this pull request as draft October 23, 2024 15:49
@mshriver force-pushed the update-security-packages branch from 79a97bf to 2a469bd October 23, 2024 15:51
@mshriver (Contributor, Author):

I left connexion, flask, and sqlalchemy pinned where they currently are because the updates for these packages are major, and will break things.

I opened #516 and #517 to capture the need to migrate our implementation to update to the next version.

For everything else, I went over the project's changelog and verified there weren't (documented) breaking changes.

I'm going to deploy these images to stage and test there for behavioral changes or errors popping up.

@mshriver (Contributor, Author):

I did include a move here from python-jose to pyJWT, as we were only using the encode/decode functions which are provided by the more actively supported project.
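The comment above says the backend only needs a library's encode and decode functions for JWTs. The following is an added example, not code from the ibutsu project, python-jose, or PyJWT: it implements those two operations for HS256 using only the Python standard library, so the checks any replacement library must preserve are visible in one place: the algorithm is pinned to an explicit allow-list (so a header claiming `alg: none` or a different algorithm is rejected before the signature is examined), the signature is compared in constant time, and an `exp` claim is enforced. The secret, payload, and clock values are constructed for the example; the `rejects` helper exists only to make the failure cases easy to check.

```python
"""Minimal HS256 JWT encode/decode on the standard library (added example).

Not code from the ibutsu project, python-jose, or PyJWT. Key, payload and
clock values are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import time


class InvalidTokenError(Exception):
    """Raised for any malformed, tampered, disallowed, or expired token."""


def _b64url_encode(raw: bytes) -> str:
    # JWT uses unpadded base64url (RFC 7515 section 2).
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the '=' padding that JWT strips before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode(payload: dict, key: str) -> str:
    """Sign `payload` with HMAC-SHA256 and return the compact JWS string."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url_encode(compact(header)) + "." + _b64url_encode(compact(payload))
    sig = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode(token: str, key: str, algorithms=("HS256",), now=None) -> dict:
    """Verify `token` and return its payload; raise InvalidTokenError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidTokenError("token must have three segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidTokenError("malformed header") from exc
    # Pin the algorithm to the caller's allow-list; never act on header['alg']
    # alone. Only HS256 is implemented here, so anything else is refused too.
    alg = header.get("alg")
    if alg not in algorithms or alg != "HS256":
        raise InvalidTokenError("algorithm not allowed")
    expected = hmac.new(key.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    try:
        presented = _b64url_decode(sig_b64)
    except ValueError as exc:
        raise InvalidTokenError("malformed signature") from exc
    # Constant-time comparison so a timing side channel cannot leak the MAC.
    if not hmac.compare_digest(expected, presented):
        raise InvalidTokenError("signature mismatch")
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidTokenError("malformed payload") from exc
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise InvalidTokenError("token expired")
    return payload


def rejects(token: str, key: str, now=None) -> bool:
    """True if `decode` refuses the token; used to exercise the failure paths."""
    try:
        decode(token, key, now=now)
    except InvalidTokenError:
        return True
    return False


if __name__ == "__main__":
    # Constructed demo values; use a random, per-deployment secret in practice.
    secret = "constructed-test-secret"
    issued_at = 1_700_000_000
    token = encode({"sub": "user-1", "exp": issued_at + 3600}, secret)
    print(decode(token, secret, now=issued_at))
    print("expired rejected:", rejects(token, secret, now=issued_at + 3600))
```

With PyJWT the equivalent calls are `jwt.encode(payload, key, algorithm="HS256")` and `jwt.decode(token, key, algorithms=["HS256"])`; PyJWT 2.x makes the `algorithms` allow-list mandatory on decode and verifies `exp` by default, which is the same pair of checks the example above performs explicitly.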

@mshriver force-pushed the update-security-packages branch from 2a469bd to 3982ae3 October 24, 2024 07:59

  • Update docs for pinned requirements
  • Update backend dockerfiles for pinned req
  • Migrate to pythonjwt
    python-jose was raising a CVE and is rotting

@mshriver force-pushed the update-security-packages branch from 3982ae3 to cc86c60 October 24, 2024 08:00
@mshriver marked this pull request as ready for review October 24, 2024 08:10
@mshriver merged commit da89f4e into ibutsu:main Oct 24, 2024
9 checks passed