Merge pull request #143 from maykinmedia/issue/security-updates

⬆️ [maykinmedia/open-api-framework#93] Security updates
maykinmedia · Jan 3, 2025 · 49f3b76 · 49f3b76
2 parents 88daa70 + 7bef3e6
commit 49f3b76
Show file tree

Hide file tree

Showing 8 changed files with 540 additions and 271 deletions.
diff --git a/bin/compile_dependencies.bat b/bin/compile_dependencies.bat
diff --git a/bin/compile_dependencies.sh b/bin/compile_dependencies.sh
@@ -1,44 +1,42 @@
-#!/bin/bash
-
+#!/bin/sh
 #
 # Compile the dependencies for production, CI and development.
 #
 # Usage, in the root of the project:
 #
 #     ./bin/compile_dependencies.sh
 #
-# Any extra flags/arguments passed to this wrapper script are passed down to pip-compile.
+# Any extra flags/arguments passed to this wrapper script are passed down to uv pip compile.
 # E.g. to update a package:
 #
 #     ./bin/compile_dependencies.sh --upgrade-package django
-
-
 set -ex
 
+command -v uv || (echo "uv not found on PATH. Install it https://astral.sh/uv" >&2 && exit 1)
+
+cwd="${PWD}"
 toplevel=$(git rev-parse --show-toplevel)
 
-cd $toplevel
+cd "${toplevel}"
+
+export UV_CUSTOM_COMPILE_COMMAND="./bin/compile_dependencies.sh"
 
 # Base (& prod) deps
-pip-compile \
-    --no-emit-index-url \
+uv pip compile \
+    --output-file requirements/base.txt \
     "$@" \
     requirements/base.in
 
-# Dependencies for CI
-pip-compile \
-    --no-emit-index-url \
+# Dependencies for testing
+uv pip compile \
     --output-file requirements/ci.txt \
     "$@" \
-    requirements/base.txt \
     requirements/test-tools.in \
-    requirements/ci.in
 
-# Dependencies for development
-pip-compile \
-    --no-emit-index-url \
+# Dev depedencies - exact same set as CI + some extra tooling
+uv pip compile \
     --output-file requirements/dev.txt \
     "$@" \
-    requirements/base.txt \
-    requirements/test-tools.in \
     requirements/dev.in
+
+cd "${cwd}"
diff --git a/requirements/base.txt b/requirements/base.txt
@@ -1,9 +1,5 @@
-#
-# This file is autogenerated by pip-compile with Python 3.11
-# by the following command:
-#
-#    pip-compile --no-emit-index-url requirements/base.in
-#
+# This file was autogenerated by uv via the following command:
+#    ./bin/compile_dependencies.sh
 amqp==5.1.1
     # via kombu
 annotated-types==0.7.0
@@ -73,7 +69,7 @@ cryptography==42.0.7
     #   mozilla-django-oidc
     #   pyopenssl
     #   webauthn
-django==4.2.15
+django==4.2.17
     # via
     #   commonground-api-common
     #   django-admin-index
@@ -170,7 +166,7 @@ django-solo==2.0.0
     #   notifications-api-common
     #   sharing-configs
     #   zgw-consumers
-django-two-factor-auth[phonenumberslite,webauthn]==1.16.0
+django-two-factor-auth==1.16.0
     # via maykin-2fa
 djangorestframework==3.15.2
     # via
@@ -194,10 +190,8 @@ drf-nested-routers==0.94.1
     # via
     #   -r requirements/base.in
     #   commonground-api-common
-drf-spectacular[sidecar]==0.27.2
-    # via
-    #   drf-spectacular
-    #   open-api-framework
+drf-spectacular==0.27.2
+    # via open-api-framework
 drf-spectacular-sidecar==2024.7.1
     # via drf-spectacular
 drf-yasg==1.21.7
@@ -230,7 +224,7 @@ isodate==0.6.1
     # via commonground-api-common
 itypes==1.2.0
     # via coreapi
-jinja2==3.1.4
+jinja2==3.1.5
     # via coreschema
 josepy==1.13.0
     # via mozilla-django-oidc
@@ -246,13 +240,13 @@ maykin-2fa==1.0.1
     # via open-api-framework
 mozilla-django-oidc==4.0.0
     # via mozilla-django-oidc-db
-mozilla-django-oidc-db[django-setup-configuration]==0.21.1
+mozilla-django-oidc-db==0.21.1
     # via
     #   -r requirements/base.in
     #   open-api-framework
 notifications-api-common==0.3.1
     # via commonground-api-common
-open-api-framework==0.9.1
+open-api-framework==0.9.2
     # via -r requirements/base.in
 orderedmultidict==1.0.1
     # via furl
@@ -276,10 +270,8 @@ pydantic==2.9.2
     #   pydantic-settings
 pydantic-core==2.23.4
     # via pydantic
-pydantic-settings[yaml]==2.6.1
-    # via
-    #   django-setup-configuration
-    #   pydantic-settings
+pydantic-settings==2.6.1
+    # via django-setup-configuration
 pyjwt==2.7.0
     # via
     #   commonground-api-common
@@ -329,6 +321,8 @@ requests-mock==1.12.1
     # via commonground-api-common
 sentry-sdk==2.12.0
     # via open-api-framework
+setuptools==75.6.0
+    # via josepy
 sharing-configs==0.1.2
     # via -r requirements/base.in
 six==1.16.0
@@ -342,7 +336,7 @@ six==1.16.0
     #   qrcode
 sqlparse==0.5.0
     # via django
-tornado==6.4.1
+tornado==6.4.2
     # via flower
 typing-extensions==4.11.0
     # via
@@ -382,6 +376,3 @@ zgw-consumers==0.35.1
     #   commonground-api-common
     #   notifications-api-common
     #   open-api-framework
-
-# The following packages are considered to be unsafe in a requirements file:
-# setuptools
diff --git a/requirements/ci.in b/requirements/ci.in