From 407b69c39b7e2cab71e184e832c7a05d05785d24 Mon Sep 17 00:00:00 2001 From: Jan Wille Date: Sun, 8 Jan 2023 15:35:40 +0100 Subject: [PATCH 1/8] lockfile: updated gitpython version the old version was flagged as comprimised --- poetry.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/poetry.lock b/poetry.lock index b89e5fcb..5cf30084 100644 --- a/poetry.lock +++ b/poetry.lock @@ -214,7 +214,7 @@ smmap = ">=3.0.1,<6" [[package]] name = "gitpython" -version = "3.1.29" +version = "3.1.30" description = "GitPython is a python library used to interact with Git repositories" category = "dev" optional = false @@ -855,7 +855,7 @@ testing = ["flake8 (<5)", "func-timeout", "jaraco.functools", "jaraco.itertools" [metadata] lock-version = "1.1" python-versions = ">=3.8" -content-hash = "dd681b8807f124172ca907812f2250d6beeceb2bdf196cb9e63282d794d84963" +content-hash = "fda1da54dd378e90e1341752a1e070fd86b3129fd6315389633284c5cc971e21" [metadata.files] alabaster = [ @@ -935,8 +935,8 @@ gitdb = [ {file = "gitdb-4.0.10.tar.gz", hash = "sha256:6eb990b69df4e15bad899ea868dc46572c3f75339735663b81de79b06f17eb9a"}, ] gitpython = [ - {file = "GitPython-3.1.29-py3-none-any.whl", hash = "sha256:41eea0deec2deea139b459ac03656f0dd28fc4a3387240ec1d3c259a2c47850f"}, - {file = "GitPython-3.1.29.tar.gz", hash = "sha256:cc36bfc4a3f913e66805a28e84703e419d9c264c1077e537b54f0e1af85dbefd"}, + {file = "GitPython-3.1.30-py3-none-any.whl", hash = "sha256:cd455b0000615c60e286208ba540271af9fe531fa6a87cc590a7298785ab2882"}, + {file = "GitPython-3.1.30.tar.gz", hash = "sha256:769c2d83e13f5d938b7688479da374c4e3d49f71549aaf462b646db9602ea6f8"}, ] identify = [ {file = "identify-2.5.10-py2.py3-none-any.whl", hash = "sha256:fb7c2feaeca6976a3ffa31ec3236a6911fbc51aec9acc111de2aed99f244ade2"}, From 5fcdc041d1cd494aa9dc39438eaadffb0db22621 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Dec 2022 12:12:07 +0000 Subject: [PATCH 2/8] build(deps-dev): bump pre-commit from 2.20.0 to 2.21.0 Bumps [pre-commit](https://github.com/pre-commit/pre-commit) from 2.20.0 to 2.21.0. - [Release notes](https://github.com/pre-commit/pre-commit/releases) - [Changelog](https://github.com/pre-commit/pre-commit/blob/main/CHANGELOG.md) - [Commits](https://github.com/pre-commit/pre-commit/compare/v2.20.0...v2.21.0) --- updated-dependencies: - dependency-name: pre-commit dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- poetry.lock | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/poetry.lock b/poetry.lock index 5cf30084..011dcb3a 100644 --- a/poetry.lock +++ b/poetry.lock @@ -388,7 +388,7 @@ test = ["appdirs (==1.4.4)", "pytest (>=7.2)", "pytest-cov (>=4)", "pytest-mock [[package]] name = "pre-commit" -version = "2.20.0" +version = "2.21.0" description = "A framework for managing and maintaining multi-language pre-commit hooks." category = "dev" optional = false @@ -399,8 +399,7 @@ cfgv = ">=2.0.0" identify = ">=1.0.0" nodeenv = ">=0.11.1" pyyaml = ">=5.1" -toml = "*" -virtualenv = ">=20.0.8" +virtualenv = ">=20.10.0" [[package]] name = "pre-commit-hooks" @@ -967,6 +966,7 @@ jinxed = [ {file = "jinxed-1.2.0.tar.gz", hash = "sha256:032acda92d5c57cd216033cbbd53de731e6ed50deb63eb4781336ca55f72cda5"}, ] livereload = [ + {file = "livereload-2.6.3-py2.py3-none-any.whl", hash = "sha256:ad4ac6f53b2d62bb6ce1a5e6e96f1f00976a32348afedcb4b6d68df2a1d346e4"}, {file = "livereload-2.6.3.tar.gz", hash = "sha256:776f2f865e59fde56490a56bcc6773b6917366bce0c267c60ee8aaf1a0959869"}, ] markupsafe = [ 
@@ -1036,8 +1036,8 @@ platformdirs = [ {file = "platformdirs-2.6.0.tar.gz", hash = "sha256:b46ffafa316e6b83b47489d240ce17173f123a9b9c83282141c3daf26ad9ac2e"}, ] pre-commit = [ - {file = "pre_commit-2.20.0-py2.py3-none-any.whl", hash = "sha256:51a5ba7c480ae8072ecdb6933df22d2f812dc897d5fe848778116129a681aac7"}, - {file = "pre_commit-2.20.0.tar.gz", hash = "sha256:a978dac7bc9ec0bcee55c18a277d553b0f419d259dadb4b9418ff2d00eb43959"}, + {file = "pre_commit-2.21.0-py2.py3-none-any.whl", hash = "sha256:e2f91727039fc39a92f58a588a25b87f936de6567eed4f0e673e0507edc75bad"}, + {file = "pre_commit-2.21.0.tar.gz", hash = "sha256:31ef31af7e474a8d8995027fefdfcf509b5c913ff31f2015b4ec4beb26a6f658"}, ] pre-commit-hooks = [ {file = "pre_commit_hooks-4.4.0-py2.py3-none-any.whl", hash = "sha256:fc8837335476221ccccda3d176ed6ae29fe58753ce7e8b7863f5d0f987328fc6"}, From 4710cdf7a03cd7af7b70b270c622f0ab1e37a35d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 22 Dec 2022 12:11:17 +0000 Subject: [PATCH 3/8] build(deps-dev): bump isort from 5.11.3 to 5.11.4 Bumps [isort](https://github.com/pycqa/isort) from 5.11.3 to 5.11.4. - [Release notes](https://github.com/pycqa/isort/releases) - [Changelog](https://github.com/PyCQA/isort/blob/main/CHANGELOG.md) - [Commits](https://github.com/pycqa/isort/compare/5.11.3...5.11.4) --- updated-dependencies: - dependency-name: isort dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- poetry.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/poetry.lock b/poetry.lock index 011dcb3a..18c19c8d 100644 --- a/poetry.lock +++ b/poetry.lock @@ -268,7 +268,7 @@ testing = ["flake8 (<5)", "flufl.flake8", "importlib-resources (>=1.3)", "packag [[package]] name = "isort" -version = "5.11.3" +version = "5.11.4" description = "A Python utility / library to sort Python imports." category = "dev" optional = false 
@@ -954,8 +954,8 @@ importlib-metadata = [ {file = "importlib_metadata-5.1.0.tar.gz", hash = "sha256:d5059f9f1e8e41f80e9c56c2ee58811450c31984dfa625329ffd7c0dad88a73b"}, ] isort = [ - {file = "isort-5.11.3-py3-none-any.whl", hash = "sha256:83155ffa936239d986b0f190347a3f2285f42a9b9e1725c89d865b27dd0627e5"}, - {file = "isort-5.11.3.tar.gz", hash = "sha256:a8ca25fbfad0f7d5d8447a4314837298d9f6b23aed8618584c894574f626b64b"}, + {file = "isort-5.11.4-py3-none-any.whl", hash = "sha256:c033fd0edb91000a7f09527fe5c75321878f98322a77ddcc81adbd83724afb7b"}, + {file = "isort-5.11.4.tar.gz", hash = "sha256:6db30c5ded9815d813932c04c2f85a360bcdd35fed496f4d8f35495ef0a261b6"}, ] jinja2 = [ {file = "Jinja2-3.1.2-py3-none-any.whl", hash = "sha256:6088930bfe239f0e6710546ab9c19c9ef35e29792895fed6e6e31a023a182a61"}, From 1a7160b029bd02567c1bbdb7ee873ac0f34bfb85 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 8 Jan 2023 20:50:23 +0000 Subject: [PATCH 4/8] build(deps): bump sphinx from 5.3.0 to 6.1.2 in /docs Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 5.3.0 to 6.1.2. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/master/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v5.3.0...v6.1.2) --- updated-dependencies: - dependency-name: sphinx dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- docs/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/requirements.txt b/docs/requirements.txt index b30ce966..4ec63f34 100644 --- a/docs/requirements.txt +++ b/docs/requirements.txt @@ -1,3 +1,3 @@ furo==2022.12.7 myst_parser==0.18.1 -sphinx==5.3.0 +sphinx==6.1.2 From 997663314920428eb42156b0f367aec01b91fe4f Mon Sep 17 00:00:00 2001 
From: Jan Wille Date: Sun, 8 Jan 2023 21:57:42 +0100 Subject: [PATCH 5/8] Version 3.1.2 minor version to patch security issue in dependency --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 7c8920c8..8c826d04 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [tool.poetry] name = "inquirer" -version = "3.1.1" +version = "3.1.2" description = "Collection of common interactive command line user interfaces, based on Inquirer.js" authors = ["Miguel Ángel García "] license = "MIT" From 2ff674a5f93b50534768fce0c9ca77892f5b752d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 11 Jan 2023 12:15:21 +0000 Subject: [PATCH 6/8] build(deps): bump sphinx from 6.1.2 to 6.1.3 in /docs Bumps [sphinx](https://github.com/sphinx-doc/sphinx) from 6.1.2 to 6.1.3. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/master/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v6.1.2...v6.1.3) --- updated-dependencies: - dependency-name: sphinx dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- docs/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/requirements.txt b/docs/requirements.txt index 4ec63f34..939eb64e 100644 --- a/docs/requirements.txt +++ b/docs/requirements.txt @@ -1,3 +1,3 @@ furo==2022.12.7 myst_parser==0.18.1 -sphinx==6.1.2 +sphinx==6.1.3 From e149b31493389ed81522136efd206cb4fb5a3115 Mon Sep 17 00:00:00 2001 From: staticdev Date: Sun, 15 Jan 2023 22:10:18 +0100 Subject: [PATCH 7/8] Fix poetry constraints --- .github/workflows/constraints.txt | 1 - .github/workflows/documentation.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/tests.yml | 4 ++-- 4 files changed, 4 insertions(+), 5 deletions(-) 
diff --git a/.github/workflows/constraints.txt b/.github/workflows/constraints.txt index e49bf459..6017f570 100644 --- a/.github/workflows/constraints.txt +++ b/.github/workflows/constraints.txt @@ -1,5 +1,4 @@ pip==22.3.1 nox==2022.11.21 nox-poetry==1.0.2 -poetry==1.2.2 virtualenv==20.17.1 diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml index e9bbfde4..308751c0 100644 --- a/.github/workflows/documentation.yml +++ b/.github/workflows/documentation.yml @@ -29,7 +29,7 @@ jobs: pip --version - name: Install Poetry run: | - pipx install --pip-args=--constraint=.github/workflows/constraints.txt poetry + pipx install --pip-args=--constraint=.github/workflows/python-constraints.txt poetry poetry --version - name: Install Nox run: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ea847283..1ee32325 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -28,7 +28,7 @@ jobs: - name: Install Poetry run: | - pip install --constraint=.github/workflows/constraints.txt poetry + pip install --constraint=.github/workflows/python-constraints.txt poetry poetry --version - name: Check if there is a parent commit diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 6d6fac57..2074c335 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -51,7 +51,7 @@ jobs: - name: Install Poetry run: | - pipx install --pip-args=--constraint=.github/workflows/constraints.txt poetry + pipx install --pip-args=--constraint=.github/workflows/python-constraints.txt poetry poetry --version - name: Install Nox @@ -112,7 +112,7 @@ jobs: - name: Install Poetry run: | - pipx install --pip-args=--constraint=.github/workflows/constraints.txt poetry + pipx install --pip-args=--constraint=.github/workflows/python-constraints.txt poetry poetry --version - name: Install Nox From e002957887a71adf36e94405d0d218f36a4a54ac Mon Sep 17 00:00:00 2001 
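Review bot: The Install Poetry step in documentation.yml now passes `--constraint=.github/workflows/python-constraints.txt`, but nothing in PATCH 7/8 creates that file (it first appears in PATCH 8/8), so at this commit pip cannot open the constraint file and the job fails before Poetry is installed; the same applies to the release.yml hunk and both tests.yml hunks. Creating the file in this commit, or ordering the series so the file lands first, keeps every commit installable and bisectable. The constraints.txt hunk drops `poetry==1.2.2` but keeps the `pip`, `nox`, `nox-poetry` and `virtualenv` pins, which presumably still feed an earlier pip-upgrade step not visible in this hunk; a header comment in each pin file stating which step consumes it, e.g. `# Consumed by the "Install Poetry" steps via --constraint; pip/nox pins live in constraints.txt`, would keep the two lists from drifting apart.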
From: staticdev Date: Sun, 15 Jan 2023 22:10:26 +0100 Subject: [PATCH 8/8] Fix poetry constraints --- .github/workflows/python-constraints.txt | 1 + 1 file changed, 1 insertion(+) create mode 100644 .github/workflows/python-constraints.txt diff --git a/.github/workflows/python-constraints.txt b/.github/workflows/python-constraints.txt new file mode 100644 index 00000000..7504ce60 --- /dev/null +++ b/.github/workflows/python-constraints.txt @@ -0,0 +1 @@ +poetry==1.3.2
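Review bot: The new python-constraints.txt pins only `poetry==1.3.2`, whereas the constraints.txt it replaces for the Install Poetry step also pinned `virtualenv==20.17.1`, so anything pip resolves alongside Poetry during `pipx install`/`pip install` (virtualenv presumably among it, given it was pinned next to poetry before) now floats on every CI run. If the point of pinning the installer here is a reproducible, reviewable toolchain, carry the transitive pins over as well, e.g. `poetry==1.3.2` followed by `virtualenv==20.17.1`. A one-line header naming the consumer, e.g. `# Consumed by the "Install Poetry" steps via --constraint`, would make the split from constraints.txt self-explanatory.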