Update dependencies to resolve security alerts #1146
@@ -9,7 +9,7 @@ | |||
|
|||
@pytest.fixture | |||
def client(): | |||
with moto.mock_dynamodb2(): | |||
with moto.mock_aws(): |
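Review bot: the `client` fixture at the top of this hunk changes from the DynamoDB-specific `mock_dynamodb2()` to the general `mock_aws()`, so it now intercepts every boto3 call the tests make rather than only DynamoDB ones; please add a one-line comment on the fixture naming the minimum moto version this requires, since the old name is gone in the newer release and a developer with an older local install would otherwise hit a bare attribute error on `moto.mock_aws` with no hint about the version requirement.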
The new version of moto has a slightly different interface, so we need to use mock_aws.
cd scripts && | ||
/var/lib/buildkite-agent/.local/bin/tox -e py3 | ||
- cd scripts | ||
- python3 -m venv venv && source venv/bin/activate |
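Review bot: `source venv/bin/activate` on the last new line only affects the shell it is executed in, and the command that actually runs the tests (replacing the hard-coded `/var/lib/buildkite-agent/.local/bin/tox -e py3` path from the removed lines) is not visible in this hunk; please confirm it runs in the same shell session as the activation, and add a pinned `pip install` of the test requirements into the fresh venv before it, since a newly created venv carries neither tox nor pytest and the point of the change is to stop resolving against the agent's global site-packages.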
Run tests in a virtual environment to prevent this confusing error message about incompatible package versions:
ERROR: pip's dependency resolver does not currently take into account all the packages that are installed. This behaviour is the source of the following dependency conflicts.
requests 2.25.1 requires chardet<5,>=3.0.2, but you have chardet 5.2.0 which is incompatible.
What does this change?
This should address the following Python security alerts:
end_to_end_bag_test
daily_reporter
scripts/tests
How to test
end_to_end_bag_test and daily_reporter do not have any automated tests, so I tested both locally to make sure that the dependency updates do not break any functionality.
How can we measure success?
Almost all Python-related security alerts in this repo are addressed. All critical security alerts are addressed.
Have we considered potential risks?
end_to_end_bag_test or daily_reporter, but both of these services were tested locally and appear to function in exactly the same way as before. In the future, we should consider adding unit tests to make dependency updates easier.
scripts/tests only include test dependencies, so there is no risk of these changes breaking any production code.