Merge pull request #653 from crim-ca/update-requests

Merged as is to combine with #652 that as the other failing test, and which fails due to this PR fix not being integrated in it.
crim-ca · May 22, 2024 · 501b22f · 501b22f
2 parents 173b7aa + 61551ac
commit 501b22f
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -16,7 +16,13 @@ Changes:
 
 Fixes:
 ------
-- No change.
+- Pin ``requests!=2.32`` to avoid issue with ``docker-py`` custom adapter not (yet) supporting it
+  (relates to `psf/requests#6710 <https://github.com/psf/requests/pull/6710>`_
+  and `docker/docker-py#3257 <https://github.com/docker/docker-py/pull/3257>`_).
+  Pinning ``requests>=2.32.2`` *should* be applied when possible (when ``docker-py`` is released) to address
+  `CVE-2024-35195 <https://nvd.nist.gov/vuln/detail/CVE-2024-35195>`_. However, the corresponding ``verify=False``
+  option affected by this CVE is not recommended for use in `Weaver`, and should be avoided entirely anyway.
+  Could affect *requests options* if the corresponding ``verify: false`` configuration was employed.
 
 .. _changes_5.3.0:
 

diff --git a/requirements.txt b/requirements.txt
@@ -82,7 +82,11 @@ pytz
 pywps==4.6.0
 pyyaml>=5.2
 rdflib>=5  # pyup: ignore
-requests
+# FIXME: temporary workaround
+# 'requests=2.32' needed for CVE-2024-35195
+# (https://github.com/psf/requests/releases/tag/v2.32.0, https://github.com/psf/requests/pull/6710)
+# however, https://github.com/docker/docker-py/pull/3257 not yet released, 'docker-py' broken by 'requests=2.32' change
+requests!=2.32
 requests_file
 ruamel.yaml>=0.16
 # force use of later mistune (https://github.com/common-workflow-language/schema_salad/pull/619#issuecomment-1346025607)