diff --git a/audits/s4cmd-requirements.audit.json b/audits/s4cmd-requirements.audit.json
deleted file mode 100644
index 30e38a0f..00000000
--- a/audits/s4cmd-requirements.audit.json
+++ /dev/null
@@ -1,244 +0,0 @@ -[ - { - "package": { - "name": "urllib3", - "version": "2.0.7", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "s4cmd-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-06-25T02:48:33Z", - "published": "2024-06-17T21:37:20Z", - "schema_version": "1.6.0", - "id": "GHSA-34jh-p97f-mpxf", - "aliases": [ - "CGA-2vvm-h2g8-jrwc", - "CGA-32mf-hm7c-cqmg", - "CGA-3ggr-w55x-hf5j", - "CGA-5v3j-934q-gj4m", - "CGA-69g4-mv22-46cq", - "CGA-8f64-fgpv-jxj2", - "CGA-grjq-jh3q-2p7g", - "CGA-gwpm-7fhq-3wh2", - "CGA-h28r-8q2c-xq96", - "CGA-j235-35vq-wrm8", - "CGA-mrr8-97mj-749q", - "CGA-rqhm-766h-p289", - "CGA-w3h9-h7jv-6q22", - "CVE-2024-37891" - ], - "summary": "urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects ", - "details": "When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected.\n\nHowever, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects.\n\nBecause this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. 
Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident.\n\nUsers should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach.\n\n## Affected usages\n\nWe believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited:\n\n* Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support.\n* Not disabling HTTP redirects.\n* Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin.\n\n## Remediation\n\n* Using the `Proxy-Authorization` header with urllib3's `ProxyManager`.\n* Disabling HTTP redirects using `redirects=False` when sending requests.\n* Not using the `Proxy-Authorization` header.", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "urllib3", - "purl": "pkg:pypi/urllib3" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "1.26.19" - } - ] - } - ], - "versions": [ - "0.2", - "0.3", - "0.3.1", - "0.4.0", - "0.4.1", - "1.0", - "1.0.1", - "1.0.2", - "1.1", - "1.10", - "1.10.1", - "1.10.2", - "1.10.3", - "1.10.4", - "1.11", - "1.12", - "1.13", - "1.13.1", - "1.14", - "1.15", - "1.15.1", - "1.16", - "1.17", - "1.18", - "1.18.1", - "1.19", - "1.19.1", - "1.2", - "1.2.1", - "1.2.2", - "1.20", - "1.21", - "1.21.1", - "1.22", - "1.23", - "1.24", - "1.24.1", - "1.24.2", - "1.24.3", - "1.25", - "1.25.1", - "1.25.10", - "1.25.11", - "1.25.2", - "1.25.3", - "1.25.4", - "1.25.5", - "1.25.6", - "1.25.7", - "1.25.8", - "1.25.9", - "1.26.0", - "1.26.1", - "1.26.10", - "1.26.11", - "1.26.12", - "1.26.13", - "1.26.14", - "1.26.15", - "1.26.16", - 
"1.26.17", - "1.26.18", - "1.26.2", - "1.26.3", - "1.26.4", - "1.26.5", - "1.26.6", - "1.26.7", - "1.26.8", - "1.26.9", - "1.3", - "1.4", - "1.5", - "1.6", - "1.7", - "1.7.1", - "1.8", - "1.8.2", - "1.8.3", - "1.9", - "1.9.1" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-34jh-p97f-mpxf/GHSA-34jh-p97f-mpxf.json" - } - }, - { - "package": { - "ecosystem": "PyPI", - "name": "urllib3", - "purl": "pkg:pypi/urllib3" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "2.0.0" - }, - { - "fixed": "2.2.2" - } - ] - } - ], - "versions": [ - "2.0.0", - "2.0.1", - "2.0.2", - "2.0.3", - "2.0.4", - "2.0.5", - "2.0.6", - "2.0.7", - "2.1.0", - "2.2.0", - "2.2.1" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-34jh-p97f-mpxf/GHSA-34jh-p97f-mpxf.json" - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37891" - }, - { - "type": "WEB", - "url": "https://github.com/urllib3/urllib3/commit/40b6d1605814dd1db0a46e202d6e56f2e4c9a468" - }, - { - "type": "WEB", - "url": "https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e" - }, - { - "type": "PACKAGE", - "url": "https://github.com/urllib3/urllib3" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-669" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-06-17T21:37:20Z", - "nvd_published_at": "2024-06-17T20:15:13Z", - "severity": "MODERATE" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-34jh-p97f-mpxf" - ], - "aliases": [ - "CGA-2vvm-h2g8-jrwc", - "CGA-32mf-hm7c-cqmg", - "CGA-3ggr-w55x-hf5j", - "CGA-5v3j-934q-gj4m", - 
"CGA-69g4-mv22-46cq", - "CGA-8f64-fgpv-jxj2", - "CGA-grjq-jh3q-2p7g", - "CGA-gwpm-7fhq-3wh2", - "CGA-h28r-8q2c-xq96", - "CGA-j235-35vq-wrm8", - "CGA-mrr8-97mj-749q", - "CGA-rqhm-766h-p289", - "CGA-w3h9-h7jv-6q22", - "CVE-2024-37891", - "GHSA-34jh-p97f-mpxf" - ], - "max_severity": "4.4" - } - ] - } -] \ No newline at end of file
diff --git a/requirements/copier-requirements.txt b/requirements/copier-requirements.txt
index acc3bcf7..eeaa26af 100644
--- a/requirements/copier-requirements.txt
+++ b/requirements/copier-requirements.txt
@@ -1,6 +1,6 @@
 annotated-types==0.7.0
 colorama==0.4.6
-dunamai==1.21.1
+dunamai==1.21.2
 funcy==2.0
 jinja2==3.1.4
 jinja2-ansible-filters==1.3.2
diff --git a/requirements/dstack-requirements.txt b/requirements/dstack-requirements.txt
index 3b72df80..547cceef 100644
--- a/requirements/dstack-requirements.txt
+++ b/requirements/dstack-requirements.txt
@@ -2,13 +2,13 @@ aiohttp==3.9.5
 aiorwlock==1.4.0
 aiosignal==1.3.1
 aiosqlite==0.20.0
-alembic==1.13.1
+alembic==1.13.2
 anyio==4.4.0
 apscheduler==3.10.4
 attrs==23.2.0
 azure-common==1.1.28
 azure-core==1.30.2
-azure-identity==1.16.1
+azure-identity==1.17.1
 azure-mgmt-authorization==4.0.0
 azure-mgmt-compute==31.0.0
 azure-mgmt-core==1.4.0
@@ -16,8 +16,8 @@ azure-mgmt-network==25.4.0
 azure-mgmt-resource==23.1.1
 azure-mgmt-subscription==3.1.1
 bcrypt==4.1.3
-boto3==1.34.128
-botocore==1.34.128
+boto3==1.34.134
+botocore==1.34.134
 cached-classproperty==1.0.1
 cachetools==5.3.3
 charset-normalizer==3.3.2
@@ -25,31 +25,32 @@ click==8.1.7
 cursor==1.3.5
 dnspython==2.6.1
 docker==7.1.0
-email-validator==2.1.2
+email-validator==2.2.0
 fastapi==0.111.0
 fastapi-cli==0.0.4
-filelock==3.15.1
+filelock==3.15.4
 frozenlist==1.4.1
 git-url-parse==1.2.2
 gitdb==4.0.11
 gitpython==3.1.43
-google-api-core==2.19.0
-google-api-python-client==2.133.0
+google-api-core==2.19.1
+google-api-python-client==2.134.0
 google-auth==2.30.0
 google-auth-httplib2==0.2.0
 google-cloud-appengine-logging==1.4.3
 google-cloud-audit-log==0.2.5
-google-cloud-billing==1.13.3
+google-cloud-billing==1.13.4
 google-cloud-compute==1.19.0
 google-cloud-core==2.4.1
 google-cloud-logging==3.10.0
 google-cloud-storage==2.17.0
+google-cloud-tpu==1.18.3
 google-crc32c==1.5.0
 google-resumable-media==2.7.1
-googleapis-common-protos==1.63.1
+googleapis-common-protos==1.63.2
 gpuhunt==0.0.10
 greenlet==3.0.3
-grpc-google-iam-v1==0.13.0
+grpc-google-iam-v1==0.13.1
 grpcio==1.64.1
 grpcio-status==1.62.2
 h11==0.14.0
@@ -67,8 +68,8 @@ mako==1.3.5
 markdown-it-py==3.0.0
 markupsafe==2.1.5
 mdurl==0.1.2
-msal==1.28.1
-msal-extensions==1.1.0
+msal==1.29.0
+msal-extensions==1.2.0
 msrest==0.7.1
 multidict==6.0.5
 oauthlib==3.2.2
@@ -76,12 +77,12 @@ orjson==3.10.5
 packaging==24.1
 paramiko==3.4.0
 pbr==6.0.0
-portalocker==2.8.2
-proto-plus==1.23.0
+portalocker==2.10.0
+proto-plus==1.24.0
 protobuf==4.25.3
 pyasn1==0.6.0
 pyasn1-modules==0.4.0
-pydantic==1.10.16
+pydantic==1.10.17
 pydantic-duality==1.2.0
 pygments==2.18.0
 pyjwt==2.8.0
@@ -101,14 +102,14 @@ rich==13.7.1
 rich-argparse==1.5.2
 rpds-py==0.18.1
 rsa==4.9
-s3transfer==0.10.1
-sentry-sdk==2.5.1
+s3transfer==0.10.2
+sentry-sdk==2.7.0
 shellingham==1.5.4
 simple-term-menu==1.6.4
 six==1.16.0
 smmap==5.0.1
 sniffio==1.3.1
-sqlalchemy==2.0.30
+sqlalchemy==2.0.31
 sqlalchemy-utils==0.41.2
 starlette==0.37.2
 tqdm==4.66.4
diff --git a/requirements/s4cmd-requirements.txt b/requirements/s4cmd-requirements.txt
index 2c008753..8781a742 100644
--- a/requirements/s4cmd-requirements.txt
+++ b/requirements/s4cmd-requirements.txt
@@ -1,8 +1,8 @@
-boto3==1.34.47
-botocore==1.34.47
+boto3==1.34.136
+botocore==1.34.136
 jmespath==1.0.1
-python-dateutil==2.8.2
+python-dateutil==2.9.0.post0
 pytz==2024.1
-s3transfer==0.10.0
+s3transfer==0.10.2
 six==1.16.0
-urllib3==2.0.7
+urllib3==2.2.2
diff --git a/requirements/ykman-requirements.txt b/requirements/ykman-requirements.txt
index 49d0edac..25ebb7c5 100644
--- a/requirements/ykman-requirements.txt
+++ b/requirements/ykman-requirements.txt
@@ -6,5 +6,5 @@ jaraco-functools==4.0.1
 jeepney==0.8.0
 keyring==25.2.1
 more-itertools==10.3.0
-pyscard==2.0.8
+pyscard==2.0.10
 secretstorage==3.3.3