Merge pull request #129 from monte-carlo-data/mrostan/vuln-369-revert

Revert changes introduced by v5.0.15

Dockerfile

@@ -79,11 +79,8 @@ RUN pip install --no-cache-dir --target "${LAMBDA_TASK_ROOT}" -r requirements.tx
 
 FROM public.ecr.aws/lambda/python:3.11 AS lambda
 
-# VULN-29: Base ECR image includes setuptools-56.0.0 which is vulnerable (CVE-2022-40897)
+# VULN-29: Base ECR image has setuptools-56.0.0 which is vulnerable (CVE-2022-40897)
 RUN pip install --no-cache-dir setuptools==68.0.0
-# VULN-369: Base ECR image includes urllib3-1.26.18 which is vulnerable (CVE-2024-37891)
-RUN pip install --no-cache-dir --upgrade urllib3==1.26.19
-RUN rm -rf /var/lang/lib/python3.11/site-packages/urllib3-1.26.18.dist-info
 
 # VULN-230 CWE-77
 RUN pip install --no-cache-dir --upgrade pip

requirements-azure.txt

@@ -12,15 +12,15 @@ aiosignal==1.3.1
     # via aiohttp
 asgiref==3.8.1
     # via opentelemetry-instrumentation-asgi
-attrs==23.2.0
+attrs==23.1.0
     # via
     #   -c requirements.txt
     #   aiohttp
 azure-common==1.1.28
     # via
     #   -c requirements.txt
     #   azure-mgmt-resource
-azure-core==1.30.2
+azure-core==1.29.5
     # via
     #   -c requirements.txt
     #   azure-core-tracing-opentelemetry
@@ -45,11 +45,11 @@ azure-mgmt-resource==23.0.1
     # via -r requirements-azure.in
 azure-monitor-opentelemetry==1.3.0
     # via -r requirements-azure.in
-azure-monitor-opentelemetry-exporter==1.0.0b27
+azure-monitor-opentelemetry-exporter==1.0.0b23
     # via azure-monitor-opentelemetry
 azure-monitor-query==1.2.1
     # via -r requirements-azure.in
-certifi==2024.6.2
+certifi==2023.11.17
     # via
     #   -c requirements.txt
     #   msrest
@@ -73,10 +73,8 @@ idna==3.7
     #   -c requirements.txt
     #   requests
     #   yarl
-importlib-metadata==7.1.0
-    # via
-    #   opentelemetry-api
-    #   opentelemetry-instrumentation-flask
+importlib-metadata==6.11.0
+    # via opentelemetry-api
 isodate==0.6.1
     # via
     #   -c requirements.txt
@@ -93,7 +91,7 @@ oauthlib==3.2.2
     # via
     #   -c requirements.txt
     #   requests-oauthlib
-opentelemetry-api==1.25.0
+opentelemetry-api==1.23.0
     # via
     #   azure-core-tracing-opentelemetry
     #   azure-monitor-opentelemetry-exporter
@@ -109,8 +107,7 @@ opentelemetry-api==1.25.0
     #   opentelemetry-instrumentation-urllib3
     #   opentelemetry-instrumentation-wsgi
     #   opentelemetry-sdk
-    #   opentelemetry-semantic-conventions
-opentelemetry-instrumentation==0.46b0
+opentelemetry-instrumentation==0.44b0
     # via
     #   opentelemetry-instrumentation-asgi
     #   opentelemetry-instrumentation-dbapi
@@ -122,35 +119,35 @@ opentelemetry-instrumentation==0.46b0
     #   opentelemetry-instrumentation-urllib
     #   opentelemetry-instrumentation-urllib3
     #   opentelemetry-instrumentation-wsgi
-opentelemetry-instrumentation-asgi==0.46b0
+opentelemetry-instrumentation-asgi==0.44b0
     # via opentelemetry-instrumentation-fastapi
-opentelemetry-instrumentation-dbapi==0.46b0
+opentelemetry-instrumentation-dbapi==0.44b0
     # via opentelemetry-instrumentation-psycopg2
-opentelemetry-instrumentation-django==0.46b0
+opentelemetry-instrumentation-django==0.44b0
     # via azure-monitor-opentelemetry
-opentelemetry-instrumentation-fastapi==0.46b0
+opentelemetry-instrumentation-fastapi==0.44b0
     # via azure-monitor-opentelemetry
-opentelemetry-instrumentation-flask==0.46b0
+opentelemetry-instrumentation-flask==0.44b0
     # via azure-monitor-opentelemetry
-opentelemetry-instrumentation-psycopg2==0.46b0
+opentelemetry-instrumentation-psycopg2==0.44b0
     # via azure-monitor-opentelemetry
-opentelemetry-instrumentation-requests==0.46b0
+opentelemetry-instrumentation-requests==0.44b0
     # via azure-monitor-opentelemetry
-opentelemetry-instrumentation-urllib==0.46b0
+opentelemetry-instrumentation-urllib==0.44b0
     # via azure-monitor-opentelemetry
-opentelemetry-instrumentation-urllib3==0.46b0
+opentelemetry-instrumentation-urllib3==0.44b0
     # via azure-monitor-opentelemetry
-opentelemetry-instrumentation-wsgi==0.46b0
+opentelemetry-instrumentation-wsgi==0.44b0
     # via
     #   opentelemetry-instrumentation-django
     #   opentelemetry-instrumentation-flask
-opentelemetry-resource-detector-azure==0.1.5
+opentelemetry-resource-detector-azure==0.1.3
     # via azure-monitor-opentelemetry
-opentelemetry-sdk==1.25.0
+opentelemetry-sdk==1.23.0
     # via
     #   azure-monitor-opentelemetry-exporter
     #   opentelemetry-resource-detector-azure
-opentelemetry-semantic-conventions==0.46b0
+opentelemetry-semantic-conventions==0.44b0
     # via
     #   opentelemetry-instrumentation-asgi
     #   opentelemetry-instrumentation-dbapi
@@ -162,7 +159,7 @@ opentelemetry-semantic-conventions==0.46b0
     #   opentelemetry-instrumentation-urllib3
     #   opentelemetry-instrumentation-wsgi
     #   opentelemetry-sdk
-opentelemetry-util-http==0.46b0
+opentelemetry-util-http==0.44b0
     # via
     #   opentelemetry-instrumentation-asgi
     #   opentelemetry-instrumentation-django
@@ -174,17 +171,15 @@ opentelemetry-util-http==0.46b0
     #   opentelemetry-instrumentation-wsgi
 orderedmultidict==1.0.1
     # via furl
-packaging==24.1
+packaging==23.2
     # via
     #   -c requirements.txt
     #   opentelemetry-instrumentation-flask
-psutil==5.9.8
-    # via azure-monitor-opentelemetry-exporter
-python-dateutil==2.9.0.post0
+python-dateutil==2.8.2
     # via
     #   -c requirements.txt
     #   azure-functions-durable
-requests==2.32.3
+requests==2.32.2
     # via
     #   -c requirements.txt
     #   azure-core
@@ -201,13 +196,13 @@ six==1.16.0
     #   isodate
     #   orderedmultidict
     #   python-dateutil
-typing-extensions==4.12.2
+typing-extensions==4.9.0
     # via
     #   -c requirements.txt
     #   azure-core
     #   azure-monitor-query
     #   opentelemetry-sdk
-urllib3==2.2.2
+urllib3==2.0.7
     # via
     #   -c requirements.txt
     #   requests
@@ -219,7 +214,7 @@ wrapt==1.16.0
     #   opentelemetry-instrumentation-urllib3
 yarl==1.9.4
     # via aiohttp
-zipp==3.19.2
+zipp==3.18.1
     # via importlib-metadata
 
 # The following packages are considered to be unsafe in a requirements file:

requirements-cloudrun.in

@@ -1,3 +1,3 @@
 -c requirements.txt
-google-cloud-logging==3.10.0
-google-cloud-run==0.10.5
+google-cloud-logging==3.6.0
+google-cloud-run==0.9.1

requirements-cloudrun.txt

@@ -4,77 +4,72 @@
 #
 #    pip-compile requirements-cloudrun.in
 #
-cachetools==5.3.3
+cachetools==5.3.2
     # via
     #   -c requirements.txt
     #   google-auth
-certifi==2024.6.2
+certifi==2023.11.17
     # via
     #   -c requirements.txt
     #   requests
 charset-normalizer==3.3.2
     # via
     #   -c requirements.txt
     #   requests
-google-api-core[grpc]==2.19.1
+google-api-core[grpc]==2.15.0
     # via
     #   -c requirements.txt
     #   google-api-core
     #   google-cloud-appengine-logging
     #   google-cloud-core
     #   google-cloud-logging
     #   google-cloud-run
-google-auth==2.30.0
+google-auth==2.25.2
     # via
     #   -c requirements.txt
     #   google-api-core
-    #   google-cloud-appengine-logging
     #   google-cloud-core
-    #   google-cloud-logging
-    #   google-cloud-run
-google-cloud-appengine-logging==1.4.3
+google-cloud-appengine-logging==1.4.0
     # via google-cloud-logging
 google-cloud-audit-log==0.2.5
     # via google-cloud-logging
 google-cloud-core==2.4.1
     # via
     #   -c requirements.txt
     #   google-cloud-logging
-google-cloud-logging==3.10.0
+google-cloud-logging==3.6.0
     # via -r requirements-cloudrun.in
-google-cloud-run==0.10.5
+google-cloud-run==0.9.1
     # via -r requirements-cloudrun.in
-googleapis-common-protos[grpc]==1.63.2
+googleapis-common-protos[grpc]==1.62.0
     # via
     #   -c requirements.txt
     #   google-api-core
     #   google-cloud-audit-log
     #   grpc-google-iam-v1
     #   grpcio-status
-grpc-google-iam-v1==0.13.1
+grpc-google-iam-v1==0.13.0
     # via
     #   google-cloud-logging
     #   google-cloud-run
-grpcio==1.64.1
+grpcio==1.60.0
     # via
     #   google-api-core
     #   googleapis-common-protos
     #   grpc-google-iam-v1
     #   grpcio-status
-grpcio-status==1.62.2
+grpcio-status==1.60.0
     # via google-api-core
 idna==3.7
     # via
     #   -c requirements.txt
     #   requests
-proto-plus==1.24.0
+proto-plus==1.23.0
     # via
-    #   -c requirements.txt
-    #   google-api-core
     #   google-cloud-appengine-logging
     #   google-cloud-logging
     #   google-cloud-run
-protobuf==4.25.3
+protobuf==4.25.1
     # via
     #   -c requirements.txt
     #   google-api-core
@@ -86,24 +81,24 @@ protobuf==4.25.3
     #   grpc-google-iam-v1
     #   grpcio-status
     #   proto-plus
-pyasn1==0.6.0
+pyasn1==0.5.1
     # via
     #   -c requirements.txt
     #   pyasn1-modules
     #   rsa
-pyasn1-modules==0.4.0
+pyasn1-modules==0.3.0
     # via
     #   -c requirements.txt
     #   google-auth
-requests==2.32.3
+requests==2.32.2
     # via
     #   -c requirements.txt
     #   google-api-core
 rsa==4.9
     # via
     #   -c requirements.txt
     #   google-auth
-urllib3==2.2.2
+urllib3==2.0.7
     # via
     #   -c requirements.txt
     #   requests

requirements-dev.txt

@@ -6,7 +6,7 @@
 #
 black==24.3.0
     # via -r requirements-dev.in
-blinker==1.8.2
+blinker==1.7.0
     # via
     #   -c requirements.txt
     #   flask
@@ -19,7 +19,7 @@ click==8.1.7
     #   flask
 distlib==0.3.8
     # via virtualenv
-filelock==3.15.4
+filelock==3.13.1
     # via
     #   -c requirements.txt
     #   virtualenv
@@ -29,19 +29,19 @@ flask==2.3.3
     #   flask-swagger
 flask-swagger==0.2.14
     # via -r requirements-dev.in
-identify==2.5.36
+identify==2.5.33
     # via pre-commit
 iniconfig==2.0.0
     # via pytest
-itsdangerous==2.2.0
+itsdangerous==2.1.2
     # via
     #   -c requirements.txt
     #   flask
 jinja2==3.1.4
     # via
     #   -c requirements.txt
     #   flask
-markupsafe==2.1.5
+markupsafe==2.1.3
     # via
     #   -c requirements.txt
     #   jinja2
@@ -50,23 +50,23 @@ mypy-extensions==1.0.0
     # via
     #   -c requirements.txt
     #   black
-nodeenv==1.9.1
+nodeenv==1.8.0
     # via
     #   pre-commit
     #   pyright
-packaging==24.1
+packaging==23.2
     # via
     #   -c requirements.txt
     #   black
     #   pytest
 pathspec==0.12.1
     # via black
-platformdirs==4.2.2
+platformdirs==3.11.0
     # via
     #   -c requirements.txt
     #   black
     #   virtualenv
-pluggy==1.5.0
+pluggy==1.3.0
     # via pytest
 pre-commit==3.5.0
     # via -r requirements-dev.in
@@ -80,9 +80,12 @@ pyyaml==6.0.1
     # via
     #   flask-swagger
     #   pre-commit
-virtualenv==20.26.3
+virtualenv==20.25.0
     # via pre-commit
 werkzeug==3.0.3
     # via
     #   -c requirements.txt
     #   flask
+
+# The following packages are considered to be unsafe in a requirements file:
+# setuptools