Update dependencies with security fixes (#2596)

ohcnetwork · Nov 25, 2024 · fbc6157 · fbc6157
1 parent a7130cf
commit fbc6157
Show file tree

Hide file tree

Showing 18 changed files with 715 additions and 798 deletions.
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -5,7 +5,7 @@
   "hostRequirements": {
     "cpus": 4
   },
-  "image": "mcr.microsoft.com/devcontainers/python:1-3.11-bookworm",
+  "image": "mcr.microsoft.com/devcontainers/python:1-3.13-bookworm",
   "features": {
     "ghcr.io/devcontainers/features/docker-in-docker:2": {},
     "ghcr.io/devcontainers/features/node:1": {},
@@ -20,5 +20,5 @@
   },
   "postCreateCommand": "echo 'eval \"$(direnv hook bash)\"' >> ~/.bashrc && cp .env.example .env",
   "postStartCommand": "make up",
-  "forwardPorts": [8000, 9000, 4000]
+  "forwardPorts": [4566, 8000, 9000, 4000]
 }
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,4 +1,4 @@
-default_stages: [commit]
+default_stages: [pre-commit]
 
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
@@ -17,7 +17,7 @@ repos:
       - id: check-toml
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.7.0
+    rev: v0.7.3
     hooks:
       - id: ruff
         args: [ --fix ]

diff --git a/Pipfile b/Pipfile
@@ -6,17 +6,17 @@ name = "pypi"
 [packages]
 argon2-cffi = "==23.1.0"
 authlib = "==1.3.2"
-boto3 = "==1.35.49"
+boto3 = "==1.35.59"
 celery = "==5.4.0"
-django = "==5.1.2"
+django = "==5.1.3"
 django-environ = "==0.11.2"
-django-cors-headers = "==4.5.0"
+django-cors-headers = "==4.6.0"
 django-filter = "==24.3"
 django-maintenance-mode = "==0.21.1"
 django-queryset-csv = "==1.1.0"
 django-ratelimit = "==4.1.0"
 django-redis = "==5.4.0"
-django-rest-passwordreset = "==1.4.2"
+django-rest-passwordreset = "==1.5.0"
 django-simple-history = "==3.7.0"
 djangoql = "==0.18.1"
 djangorestframework = "==3.15.2"
@@ -35,34 +35,34 @@ pydantic = "==1.10.18" # fix for fhir.resources < 7.0.2
 pyjwt = "==2.9.0"
 python-slugify = "==8.0.4"
 pywebpush = "==2.0.1"
-redis = { extras = ["hiredis"], version = "==5.0.8" } # constraint for redis-om
-redis-om = "==0.3.1" # > 0.3.1 broken with pydantic < 2
+redis = { extras = ["hiredis"], version = "==5.2.0" }
+redis-om = "==0.3.3"
 requests = "==2.32.3"
-sentry-sdk = "==2.17.0"
-whitenoise = "==6.7.0"
+sentry-sdk = "==2.18.0"
+whitenoise = "==6.8.2"
 
 [dev-packages]
-boto3-stubs = { extras = ["s3", "boto3"], version = "==1.35.49" }
+boto3-stubs = { extras = ["s3", "boto3"], version = "*" }
 coverage = "==7.6.4"
-debugpy = "==1.8.7"
+debugpy = "==1.8.8"
 django-coverage-plugin = "==3.1.0"
 django-extensions = "==3.2.3"
 django-silk = "==5.2.0"
 djangorestframework-stubs = "==3.15.1"
 factory-boy = "==3.3.1"
 freezegun = "==1.5.1"
-ipython = "==8.28.0"
-mypy = "==1.12.1"
+ipython = "==8.29.0"
+mypy = "==1.13.0"
 pre-commit = "==4.0.1"
 requests-mock = "==1.12.1"
 tblib = "==3.0.0"
-watchdog = "==5.0.3"
-werkzeug = "==3.0.6"
-ruff = "==0.7.0"
+watchdog = "==6.0.0"
+werkzeug = "==3.1.3"
+ruff = "==0.7.3"
 
 [docs]
 furo = "==2024.8.6"
-sphinx = "==8.0.2"
+sphinx = "==8.1.3"
 myst-parser = "==4.0.0"
 
 [requires]

diff --git a/Pipfile.lock b/Pipfile.lock
diff --git a/care/users/tests/test_auth.py b/care/users/tests/test_auth.py
@@ -136,7 +136,12 @@ def test_forgot_password_with_valid_input(self):
         self.assertTrue(ResetPasswordToken.objects.filter(user=self.user).exists())
         self.assertTrue(ResetPasswordToken.objects.filter(user=self.user).exists())
 
-    @override_settings(IS_PRODUCTION=True)
+    @override_settings(
+        IS_PRODUCTION=True,
+        EMAIL_HOST="",
+        EMAIL_HOST_USER="",
+        EMAIL_HOST_PASSWORD="",
+    )
     def test_forgot_password_without_email_configration(self):
         response = self.client.post(
             "/api/v1/password_reset/",

diff --git a/docker-compose.pre-built.yaml b/docker-compose.pre-built.yaml
@@ -4,7 +4,7 @@ services:
     image: "ghcr.io/ohcnetwork/care:latest"
     env_file:
       - ./docker/.prebuilt.env
-    entrypoint: [ "bash", "start-ecs.sh" ]
+    entrypoint: [ "bash", "start.sh" ]
     restart: unless-stopped
     depends_on:
       db:
@@ -20,7 +20,7 @@ services:
     image: "ghcr.io/ohcnetwork/care:latest"
     env_file:
       - ./docker/.prebuilt.env
-    entrypoint: [ "bash", "celery_worker-ecs.sh" ]
+    entrypoint: [ "bash", "celery_worker.sh" ]
     restart: unless-stopped
     depends_on:
       db:
@@ -34,7 +34,7 @@ services:
     image: "ghcr.io/ohcnetwork/care:latest"
     env_file:
       - ./docker/.prebuilt.env
-    entrypoint: [ "bash", "celery_beat-ecs.sh" ]
+    entrypoint: [ "bash", "celery_beat.sh" ]
     restart: unless-stopped
     depends_on:
       - db

diff --git a/docker/dev.Dockerfile b/docker/dev.Dockerfile
@@ -1,8 +1,12 @@
 FROM python:3.13-slim-bookworm
 
 ARG TYPST_VERSION=0.11.0
+ARG APP_HOME=/app
 
-ENV PATH=/venv/bin:$PATH
+WORKDIR $APP_HOME
+
+ENV PATH=/.venv/bin:$PATH
+ENV PIPENV_CACHE_DIR=/root/.cache/pip
 
 RUN apt-get update && apt-get install --no-install-recommends -y \
   build-essential libjpeg-dev zlib1g-dev libgmp-dev \
@@ -27,21 +31,21 @@ RUN ARCH=$(dpkg --print-architecture) && \
     rm -rf typst.tar.xz typst-${TYPST_ARCH}
 
 # use pipenv to manage virtualenv
-RUN python -m venv /venv
-RUN pip install pipenv==2024.2.0
+RUN pip install pipenv==2024.4.0
 
-COPY Pipfile Pipfile.lock ./
-RUN pipenv install --system --categories "packages dev-packages"
+RUN python -m venv /.venv
+COPY Pipfile Pipfile.lock $APP_HOME/
+RUN --mount=type=cache,target=/root/.cache/pip pipenv  install --system --categories "packages dev-packages docs"
 
-COPY . /app
+COPY plugs/ $APP_HOME/plugs/
+COPY install_plugins.py plug_config.py $APP_HOME/
+RUN --mount=type=cache,target=/root/.cache/pip python3 $APP_HOME/install_plugins.py
 
-RUN python3 /app/install_plugins.py
+COPY . $APP_HOME/
 
 HEALTHCHECK \
   --interval=10s \
   --timeout=5s \
   --start-period=10s \
   --retries=48 \
-  CMD ["/app/scripts/healthcheck.sh"]
-
-WORKDIR /app
+  CMD ["./scripts/healthcheck.sh"]
diff --git a/docker/prod.Dockerfile b/docker/prod.Dockerfile
@@ -7,18 +7,24 @@ ARG BUILD_ENVIRONMENT="production"
 ARG APP_VERSION="unknown"
 ARG ADDITIONAL_PLUGS=""
 
+WORKDIR $APP_HOME
+
 ENV BUILD_ENVIRONMENT=$BUILD_ENVIRONMENT
 ENV APP_VERSION=$APP_VERSION
 ENV ADDITIONAL_PLUGS=$ADDITIONAL_PLUGS
 ENV PYTHONUNBUFFERED=1
 ENV PYTHONDONTWRITEBYTECODE=1
-ENV PATH=/venv/bin:$PATH
+ENV PIPENV_VENV_IN_PROJECT=1
+ENV PIPENV_CACHE_DIR=/root/.cache/pip
+ENV PATH=$APP_HOME/.venv/bin:$PATH
 
-WORKDIR $APP_HOME
 
 # ---
 FROM base AS builder
 
+RUN addgroup --system django \
+  && adduser --system --ingroup django django
+
 RUN apt-get update && apt-get install --no-install-recommends -y \
   build-essential libjpeg-dev zlib1g-dev libgmp-dev libpq-dev git wget \
   && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
@@ -40,14 +46,14 @@ RUN ARCH=$(dpkg --print-architecture) && \
     rm -rf typst.tar.xz typst-${TYPST_ARCH}
 
 # use pipenv to manage virtualenv
-RUN python -m venv /venv
-RUN pip install pipenv==2024.2.0
+RUN pip install pipenv==2024.4.0
 
-COPY Pipfile Pipfile.lock $APP_HOME
-RUN pipenv sync --system --categories "packages"
+RUN python -m venv $APP_HOME/.venv
+COPY Pipfile Pipfile.lock $APP_HOME/
+RUN pipenv install --deploy --categories "packages"
 
 COPY plugs/ $APP_HOME/plugs/
-COPY install_plugins.py plug_config.py $APP_HOME
+COPY install_plugins.py plug_config.py $APP_HOME/
 RUN python3 $APP_HOME/install_plugins.py
 
 # ---
@@ -60,17 +66,19 @@ RUN apt-get update && apt-get install --no-install-recommends -y \
 
 COPY --from=builder --chmod=0755 /usr/local/bin/typst /usr/local/bin/typst
 
-COPY --from=builder /venv /venv
+COPY --from=builder --chown=django:django $APP_HOME/.venv $APP_HOME/.venv
+
+COPY --chmod=0755 --chown=django:django ./scripts/*.sh $APP_HOME
 
-COPY --chmod=0755 ./scripts/*.sh $APP_HOME
+COPY --chown=django:django . $APP_HOME
 
-COPY . $APP_HOME
+USER django
 
 HEALTHCHECK \
   --interval=30s \
   --timeout=5s \
   --start-period=10s \
   --retries=12 \
-  CMD ["/app/healthcheck.sh"]
+  CMD ["./healthcheck.sh"]
 
 EXPOSE 9000
diff --git a/scripts/celery-dev.sh b/scripts/celery-dev.sh
@@ -1,35 +1,13 @@
 #!/bin/bash
-
 printf "celery" > /tmp/container-role
 
-if [ -z "${DATABASE_URL}" ]; then
-    export DATABASE_URL="postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DB}"
-fi
-
-postgres_ready() {
-python << END
-import sys
-
-import psycopg
-
-try:
-    psycopg.connect(conninfo="${DATABASE_URL}")
-except psycopg.OperationalError as e:
-    print(e)
-    sys.exit(-1)
-sys.exit(0)
-
-END
-}
+set -euo pipefail
 
-until postgres_ready; do
-  >&2 echo 'Waiting for PostgreSQL to become available...'
-  sleep 1
-done
->&2 echo 'PostgreSQL is available'
+./scripts/wait_for_db.sh
+./scripts/wait_for_redis.sh
 
 python manage.py migrate --noinput
-python manage.py compilemessages
+python manage.py compilemessages -v 0
 python manage.py load_redis_index
 
 

diff --git a/scripts/celery_beat-ecs.sh b/scripts/celery_beat-ecs.sh
@@ -1,37 +1,3 @@
 #!/bin/bash
-printf "celery-beat" > /tmp/container-role
-
-if [ -z "${DATABASE_URL}" ]; then
-    export DATABASE_URL="postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DB}"
-fi
-
-postgres_ready() {
-python << END
-import sys
-
-import psycopg
-
-try:
-    psycopg.connect(conninfo="${DATABASE_URL}")
-except psycopg.OperationalError as e:
-    print(e)
-    sys.exit(-1)
-sys.exit(0)
-
-END
-}
-
-until postgres_ready; do
-  >&2 echo 'Waiting for PostgreSQL to become available...'
-  sleep 1
-done
->&2 echo 'PostgreSQL is available'
-
-python manage.py migrate --noinput
-python manage.py compilemessages
-python manage.py load_redis_index
-python manage.py load_event_types
-
-touch /tmp/healthy
-
-celery --app=config.celery_app beat --loglevel=info
+echo "This script is deprecated. Use celery_beat.sh instead."
+exec "$(dirname "$0")/celery_beat.sh"
diff --git a/scripts/celery_beat.sh b/scripts/celery_beat.sh
@@ -1,38 +1,21 @@
 #!/bin/bash
 printf "celery-beat" > /tmp/container-role
 
-if [ -z "${DATABASE_URL}" ]; then
-    export DATABASE_URL="postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DB}"
-fi
-
-postgres_ready() {
-python << END
-import sys
-
-import psycopg
+set -euo pipefail
 
-try:
-    psycopg.connect(conninfo="${DATABASE_URL}")
-except psycopg.OperationalError as e:
-    print(e)
-    sys.exit(-1)
-sys.exit(0)
-
-END
-}
-
-until postgres_ready; do
-  >&2 echo 'Waiting for PostgreSQL to become available...'
-  sleep 1
-done
->&2 echo 'PostgreSQL is available'
+./wait_for_db.sh
+./wait_for_redis.sh
 
 python manage.py migrate --noinput
-python manage.py compilemessages
+python manage.py compilemessages -v 0
 python manage.py load_redis_index
 python manage.py load_event_types
 
 touch /tmp/healthy
 
 export NEW_RELIC_CONFIG_FILE=/etc/newrelic.ini
-newrelic-admin run-program celery --app=config.celery_app beat --loglevel=info
+if [[ -f "$NEW_RELIC_CONFIG_FILE" ]]; then
+    newrelic-admin run-program celery --app=config.celery_app beat --loglevel=info
+else
+    celery --app=config.celery_app beat --loglevel=info
+fi
diff --git a/scripts/celery_worker-ecs.sh b/scripts/celery_worker-ecs.sh
@@ -1,10 +1,3 @@
 #!/bin/bash
-printf "celery-worker" > /tmp/container-role
-
-if [ -z "${DATABASE_URL}" ]; then
-    export DATABASE_URL="postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DB}"
-fi
-
-python manage.py collectstatic --noinput
-python manage.py compilemessages
-celery --app=config.celery_app worker --max-tasks-per-child=6 --loglevel=info
+echo "This script is deprecated. Use celery_worker.sh instead."
+exec "$(dirname "$0")/celery_worker.sh"