Upgrade Python Version and Several Other Packages for Security

.github/workflows/django-tests.yml

@@ -27,7 +27,7 @@ jobs:
     - name: Set up Python
       uses: actions/setup-python@v4
       with:
-        python-version: 3.9
+        python-version: 3.11
     - name: Install Dependencies
       run: |
         python -m pip install --upgrade pip

.github/workflows/mypy.yml

@@ -13,10 +13,10 @@ jobs:
 
     steps:
     - uses: actions/checkout@v3
-    - name: Set up Python 3.9
+    - name: Set up Python 3.11
       uses: actions/setup-python@v4
       with:
-        python-version: 3.9
+        python-version: 3.11
     - name: Install Dependencies
       run: |
         python -m pip install --upgrade pip

.github/workflows/pylint.yml

@@ -13,10 +13,10 @@ jobs:
 
     steps:
     - uses: actions/checkout@v3
-    - name: Set up Python 3.9
+    - name: Set up Python 3.11
       uses: actions/setup-python@v4
       with:
-        python-version: 3.9
+        python-version: 3.11
     - name: Install Dependencies
       run: |
         python -m pip install --upgrade pip

Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.9
+FROM python:3.11
 
 ENV PYTHONUNBUFFERED 1
 

bookwyrm/activitypub/base_activity.py

@@ -20,6 +20,7 @@
 
 logger = logging.getLogger(__name__)
 
+# pylint: disable=invalid-name
 TBookWyrmModel = TypeVar("TBookWyrmModel", bound=base_model.BookWyrmModel)
 
 

bookwyrm/connectors/abstract_connector.py

@@ -3,7 +3,9 @@
 from abc import ABC, abstractmethod
 from typing import Optional, TypedDict, Any, Callable, Union, Iterator
 from urllib.parse import quote_plus
-import imghdr
+
+# pylint: disable-next=deprecated-module
+import imghdr  # Deprecated in 3.11 for removal in 3.13; no good alternative yet
 import logging
 import re
 import asyncio

dev-tools/Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.9-bookworm
+FROM python:3.11-bookworm
 WORKDIR /app/dev-tools
 
 ENV PATH="/app/dev-tools/node_modules/.bin:$PATH"

requirements.txt

@@ -1,57 +1,59 @@
 aiohttp==3.9.2
 bleach==5.0.1
-celery==5.2.7
+boto3==1.26.57
+bw-file-resubmit==0.6.0rc2
+celery==5.3.1
 colorthief==0.2.1
 Django==3.2.24
-django-celery-beat==2.4.0
-bw-file-resubmit==0.6.0rc2
-django-compressor==4.3.1
+django-celery-beat==2.5.0
+django-compressor==4.4
+django-csp==3.7
 django-imagekit==4.1.0
 django-model-utils==4.3.1
+django-redis==5.2.0
 django-sass-processor==1.2.2
-django-csp==3.7
+django-storages==1.13.2
+django-storages[azure]
 environs==9.5.0
-flower==1.2.0
+flower==2.0.0
+grpcio==1.57.0 # Not a direct dependency, pinned to get a security fix
 libsass==0.22.0
 Markdown==3.4.1
-Pillow==10.0.1
-psycopg2==2.9.5
-pycryptodome==3.19.1
-python-dateutil==2.8.2
-redis==4.5.4
-requests==2.31.0
-responses==0.22.0
-pytz>=2022.7
-boto3==1.26.57
-django-storages==1.13.2
-django-storages[azure]
-django-redis==5.2.0
 opentelemetry-api==1.16.0
 opentelemetry-exporter-otlp-proto-grpc==1.16.0
 opentelemetry-instrumentation-celery==0.37b0
 opentelemetry-instrumentation-django==0.37b0
 opentelemetry-instrumentation-psycopg2==0.37b0
 opentelemetry-sdk==1.16.0
+Pillow==10.0.1
 protobuf==3.20.*
+psycopg2==2.9.5
+pycryptodome==3.19.1
 pyotp==2.8.0
+python-dateutil==2.8.2
+pytz>=2022.7
 qrcode==7.3.1
+redis==4.5.4
+requests==2.31.0
+responses==0.22.0
+setuptools>=65.5.1 # Not a direct dependency, pinned to get a security fix
+tornado==6.3.3 # Not a direct dependency, pinned to get a security fix
 
 # Dev
-pytest-django==4.1.0
-pytest==6.1.2
+celery-types==0.18.0
+django-stubs[compatible-mypy]==4.2.4
+mypy==1.5.1
+pylint==2.15.0
+pytest==6.2.5
 pytest-cov==2.10.1
+pytest-django==4.1.0
 pytest-env==0.6.2
 pytest-xdist==2.3.0
 pytidylib==0.3.2
-pylint==2.14.0
-mypy==1.5.1
-celery-types==0.18.0
-django-stubs[compatible-mypy]==4.2.4
 types-bleach==6.0.0.4
 types-dataclasses==0.6.6
 types-Markdown==3.4.2.10
 types-Pillow==10.0.0.3
 types-psycopg2==2.9.21.11
 types-python-dateutil==2.8.19.14
 types-requests==2.31.0.2
-types-requests==2.31.0.2