⬆️ [maykinmedia/open-api-framework#93] Security updates

.github/workflows/oaf-check.yml

@@ -23,7 +23,7 @@ jobs:
           cache: 'pip'
           cache-dependency-path: 'requirements/dev.txt'
       - name: Install dependencies
-        run: pip install $(grep "pip-tools==" requirements/dev.txt)
+        run: pip install uv
       - name: Run compile dependencies
         run: ./bin/compile_dependencies.sh --upgrade-package open-api-framework
 

bin/compile_dependencies.sh

@@ -1,44 +1,43 @@
-#!/bin/bash
-
+#!/bin/sh
 #
 # Compile the dependencies for production, CI and development.
 #
 # Usage, in the root of the project:
 #
 #     ./bin/compile_dependencies.sh
 #
-# Any extra flags/arguments passed to this wrapper script are passed down to pip-compile.
+# Any extra flags/arguments passed to this wrapper script are passed down to uv pip compile.
 # E.g. to update a package:
 #
 #     ./bin/compile_dependencies.sh --upgrade-package django
-
-
 set -ex
 
+command -v uv || (echo "uv not found on PATH. Install it https://astral.sh/uv" >&2 && exit 1)
+
+cwd="${PWD}"
 toplevel=$(git rev-parse --show-toplevel)
 
-cd $toplevel
+cd "${toplevel}"
+
+export UV_CUSTOM_COMPILE_COMMAND="./bin/compile_dependencies.sh"
 
 # Base (& prod) deps
-pip-compile \
-    --no-emit-index-url \
+uv pip compile \
+    --output-file requirements/base.txt \
     "$@" \
     requirements/base.in
 
 # Dependencies for testing
-pip-compile \
-    --no-emit-index-url \
+uv pip compile \
     --output-file requirements/ci.txt \
     "$@" \
-    requirements/base.txt \
     requirements/test-tools.in \
-    requirements/ci.in
+    requirements/docs.in
 
-# Dev depedencies
-pip-compile \
-    --no-emit-index-url \
+# Dev depedencies - exact same set as CI + some extra tooling
+uv pip compile \
     --output-file requirements/dev.txt \
     "$@" \
-    requirements/base.txt \
-    requirements/test-tools.in \
     requirements/dev.in
+
+cd "${cwd}"

requirements/base.txt

@@ -1,9 +1,5 @@
-#
-# This file is autogenerated by pip-compile with Python 3.11
-# by the following command:
-#
-#    pip-compile --no-emit-index-url requirements/base.in
-#
+# This file was autogenerated by uv via the following command:
+#    ./bin/compile_dependencies.sh
 amqp==5.2.0
     # via kombu
 annotated-types==0.7.0
@@ -74,7 +70,7 @@ cryptography==42.0.4
     #   mozilla-django-oidc
     #   pyopenssl
     #   webauthn
-django==4.2.15
+django==4.2.17
     # via
     #   commonground-api-common
     #   django-admin-index
@@ -169,7 +165,7 @@ django-solo==2.2.0
     #   mozilla-django-oidc-db
     #   notifications-api-common
     #   zgw-consumers
-django-two-factor-auth[phonenumberslite,webauthn]==1.17.0
+django-two-factor-auth==1.17.0
     # via maykin-2fa
 djangorestframework==3.15.2
     # via
@@ -191,7 +187,7 @@ djangorestframework-inclusions==1.2.0
     # via open-api-framework
 drf-nested-routers==0.94.1
     # via commonground-api-common
-drf-spectacular[sidecar]==0.27.2
+drf-spectacular==0.27.2
     # via open-api-framework
 drf-spectacular-sidecar==2024.7.1
     # via drf-spectacular
@@ -228,7 +224,7 @@ isodate==0.6.0
     # via commonground-api-common
 itypes==1.2.0
     # via coreapi
-jinja2==3.1.4
+jinja2==3.1.5
     # via coreschema
 josepy==1.9.0
     # via mozilla-django-oidc
@@ -244,15 +240,15 @@ maykin-2fa==1.0.1
     # via open-api-framework
 mozilla-django-oidc==4.0.0
     # via mozilla-django-oidc-db
-mozilla-django-oidc-db[setup-configuration]==0.21.1
+mozilla-django-oidc-db==0.21.1
     # via
     #   -r requirements/base.in
     #   open-api-framework
-notifications-api-common[setup-configuration]==0.4.0
+notifications-api-common==0.4.0
     # via
     #   -r requirements/base.in
     #   commonground-api-common
-open-api-framework==0.9.1
+open-api-framework==0.9.2
     # via -r requirements/base.in
 orderedmultidict==1.0.1
     # via furl
@@ -276,7 +272,7 @@ pydantic==2.9.2
     #   pydantic-settings
 pydantic-core==2.23.4
     # via pydantic
-pydantic-settings[yaml]==2.6.1
+pydantic-settings==2.6.1
     # via django-setup-configuration
 pyjwt==2.4.0
     # via
@@ -327,6 +323,8 @@ requests-mock==1.12.1
     # via commonground-api-common
 sentry-sdk==2.12.0
     # via open-api-framework
+setuptools==75.6.0
+    # via josepy
 six==1.16.0
     # via
     #   bleach
@@ -337,7 +335,7 @@ six==1.16.0
     #   qrcode
 sqlparse==0.5.0
     # via django
-tornado==6.4.1
+tornado==6.4.2
     # via flower
 typing-extensions==4.9.0
     # via
@@ -372,12 +370,9 @@ webencodings==0.5.1
     # via bleach
 wrapt==1.14.1
     # via elastic-apm
-zgw-consumers[setup-configuration]==0.36.1
+zgw-consumers==0.36.1
     # via
     #   -r requirements/base.in
     #   commonground-api-common
     #   notifications-api-common
     #   open-api-framework
-
-# The following packages are considered to be unsafe in a requirements file:
-# setuptools