Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update requests in requirements.txt to avoid vulnerability #585

Merged
merged 1 commit into from
Dec 22, 2023
Merged

Update requests in requirements.txt to avoid vulnerability #585

merged 1 commit into from
Dec 22, 2023

Conversation

Lohrer
Copy link
Collaborator

@Lohrer Lohrer commented Dec 22, 2023
edited
Loading

What does this change intend to accomplish?

I recently discovered https://github.com/micro-nova/AmpliPi/security/dependabot, and while I don't know anything about npm I took a look at the pip packages. Most of them aren't upgradeable until we get a new Python version, but requests can be upgraded to avoid https://github.com/micro-nova/AmpliPi/security/dependabot/4.

Checklist

  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?
  • Does your submission pass linting & tests? You can test on localhost using ./scripts/test

@Lohrer Lohrer added the dependencies Pull requests that update a dependency file label Dec 22, 2023
@Lohrer Lohrer requested a review from rtertiaer December 22, 2023 16:00
rtertiaer
rtertiaer approved these changes Dec 22, 2023
View reviewed changes
Copy link
Contributor

@rtertiaer rtertiaer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

our usage of the requests api appears to be explicitly the .get and .post methods, and some exception names. these are extremely unlikely to have broken within the 2.x series (if they semantically version) and mypy would catch that; i feel comfy shipping it with very little extra testing help on our part.

@Lohrer Lohrer merged commit 132a762 into main Dec 22, 2023
3 checks passed
@Lohrer Lohrer deleted the dependabot/requests branch December 22, 2023 17:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rtertiaer rtertiaer rtertiaer approved these changes

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Lohrer @rtertiaer