Update requests package, and others
#50
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is primarily to resolve a vulnerability: CVE-2018-18074 [1] (It's not clear to me that an https-to-http redirect is very feasible, so this seems like a pretty difficult vulnerability to harness, but it's probably worth fixing anyway.) Since it's difficult [2] to upgrade just individual parts of the lockfile, and since it's not all that important to only upgrade `requests`, this commit upgrades everything. In particular, pyyaml is upgraded to 3.13 and jenkins-job-builder is upgraded from 3e7ad9692655450fe26371770ec87a17e2a0b23a to 1940ed63e06949d4224d64e12afae437d9d0c089. [1]: psf/requests#4716, https://github.com/CruGlobal/jenkins-jobs/network/alert/Pipfile.lock/requests/open [2]: pypa/pipenv#966 (Which is way too long of a thread, but the gist is pipenv now has a --selective-upgrade option but it doesn't work right)
|
The Pipfile isn't really used on jenkins-lab or jenkins-prod; cru-ansible does its own dependency installation on jenkins. This is mainly used if we want to build/rebuild jobs from our laptops instead. |
mikealbert
approved these changes
Oct 30, 2018
|
Thanks! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is primarily to resolve a vulnerability: CVE-2018-18074 (github alert)
(It's not clear to me that an https-to-http redirect is very feasible,
so this seems like a pretty difficult vulnerability to harness,
but it's probably worth fixing anyway.)
Since it's difficult to upgrade just individual parts of the lockfile,
and since it's not all that important to only upgrade
requests,this PR upgrades everything in one commit.
In particular, pyyaml is upgraded to 3.13 and jenkins-job-builder
is upgraded from 3e7ad9692655450fe26371770ec87a17e2a0b23a to
1940ed63e06949d4224d64e12afae437d9d0c089.
(This also removes a host-environment-markers section; presumably it's something newer pipenv versions don't use, but I didn't dig into it.)