
Update requirements.txt #82

Merged
merged 1 commit into from
Sep 17, 2018

Conversation

relud (Contributor) commented Sep 17, 2018

GitHub says we have security vulns in our Python deps, but won't say where, so I updated all of them.

@relud relud requested a review from jklukas September 17, 2018 17:12
@relud relud force-pushed the update_requirements branch from 1136757 to b3d809c September 17, 2018 17:14
@relud relud merged commit b3d809c into master Sep 17, 2018
@relud relud deleted the update_requirements branch September 17, 2018 17:17
pdehaan (Collaborator) commented Sep 17, 2018

Should we enable pyup or something to keep the Python deps up to date?

Per https://github.com/mozilla-services/foxsec/blob/master/README.mediawiki#Security_Checklist

  • enable security scanning of 3rd-party libraries and dependencies
    • Use npm audit for node.js (see usage in FxA) (NB: there are open issues for handling exceptions)
    • For Python, enable pyup security updates:
      • Add a pyup config to your repo (example config: https://github.com/mozilla-services/antenna/blob/master/.pyup.yml)
      • Enable branch protection for master and other development branches. Make sure the approved-mozilla-pyup-configuration team CANNOT push to those branches.
      • From the "add a team" dropdown for your repo /settings page
        • Add the "Approved Mozilla PyUp Configuration" team for your github org (e.g. for mozilla and mozilla-services)
        • Grant it write permission so it can make pull requests
      • notify secops@mozilla.com to enable the integration in pyup
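
As an added illustration of the problem this thread raises (an alert that says the Python deps are vulnerable but not which one), and of the pinning that pyup automates, here is a small Python script that is not code from this PR, its repository, or pyup: it parses a pinned requirements.txt, lists loose specifiers that a pin option would have to fix, and matches each pinned version against a constructed advisory list so the alert can be attributed to a specific package instead of bumping everything. Package names, versions and affected ranges are made up for the example.

```python
"""Audit a pinned requirements.txt against constructed advisories.
Added example, not code from this PR, its repository, or pyup; all data is made up."""
import re

# Constructed sample requirements.txt (names and versions are illustrative).
SAMPLE_REQUIREMENTS = """\
requests==2.18.4
Django>=1.11
pyyaml==3.12  # trailing comment
urllib3==1.23
"""

# Constructed advisories: package -> [(first_affected, fixed_in), ...].
# A pinned version v is affected when first_affected <= v < fixed_in.
SAMPLE_ADVISORIES = {
    "requests": [((2, 0, 0), (2, 20, 0))],
    "pyyaml": [((0, 0, 0), (4, 1, 0))],
    "urllib3": [((1, 0, 0), (1, 23, 0))],
}

_PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9.]*)")

def parse_version(text):
    """Turn '1.23' into (1, 23, 0): pad so that 1.23 and 1.23.0 compare equal."""
    parts = [int(p) for p in text.strip(".").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def parse_requirements(text):
    """Return (pinned, unpinned); pinned maps lowercase name -> version tuple."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        match = _PIN_RE.match(line)
        if match:
            pinned[match.group(1).lower()] = parse_version(match.group(2))
        else:
            unpinned.append(line)  # loose specs are what pyup's pin option would fix
    return pinned, unpinned

def vulnerable(pinned, advisories):
    """Sorted names of pinned packages whose version lies inside an affected range."""
    return sorted(name for name, version in pinned.items()
                  if any(lo <= version < hi for lo, hi in advisories.get(name, [])))

if __name__ == "__main__":
    pins, loose = parse_requirements(SAMPLE_REQUIREMENTS)
    print("unpinned:", loose)
    print("vulnerable:", vulnerable(pins, SAMPLE_ADVISORIES))
```

Note that urllib3==1.23 is reported clean only because versions are padded before comparison; without the padding, the shorter tuple (1, 23) would sort below the fixed-in version (1, 23, 0) and produce a false positive.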

relud (Contributor, Author) commented Sep 17, 2018

Filed #83

3 participants