From 3901ab2c9ee58587d206d21252f76b0d4fefb003 Mon Sep 17 00:00:00 2001 From: Quentin Monnet Date: Mon, 16 Jan 2023 13:56:21 +0000 Subject: [PATCH] docs: Drop sphinxcontrib-openapi fork, switch back to upstream [ upstream commit e4889d72f9a8f86bee47327dbab7b46773607a7e ] Once upon a time, Cilium docs used the openapi Sphinx add-on to generate its API reference based on the code. And things were good. One day, Dependabot raised a security alert, stating that Mistune v2.0.2 was vulnerable to catastrophic backtracking [0] - this is a regex parsing thing. Mistune was a dependency to m2r, an add-on to parse Markdown in Sphinx, which in turn was a dependency to openapi. The easy path would have been to update m2r to use the latest, fixed Mistune version; but m2r was incompatible with Mistune >= 2.0.0, and also it was no longer in development. There was a fork, m2r2, which had little activity, and would avoid the security issue by very simply pinning the Mistune version to 0.8.4 (which would either fail to build Cilium's reference correctly, or bring some incompatibilities with other dependencies, at this point the narrator does not remember for sure). There was a fork of the fork, sphinx-mdinclude. We could use that project to update openapi, except that it was not compatible with recent versions of docutils, and that this would cause openapi's test suite to fail to pass. ... So we ended up forking the openapi repository to update the dependency to sphinx-mdinclude locally, and this is what we've been using since last summer. And things were good again. But things are even better when they go upstream [citation needed]. We also filed the issue for docutils compatibility in sphinx-mdinclude [1]. It was fixed (thanks!). We submitted a PR to have openapi switch to sphinx-mdinclude [2]. It was adjusted (thanks!), merged, and a new tag was created. Now at last, we can switch back to the upstream version of openapi! [And the build system lived happily ever after.] [0]: https://github.com/advisories/GHSA-fw3v-x4f2-v673 [1]: https://github.com/omnilib/sphinx-mdinclude/issues/8 [2]: https://github.com/sphinx-contrib/openapi/pull/127 I did _not_ run `make -C Documentation update-requirements`, because the resulting changes seemed to break the Netlify preview [3]. I stuck to openapi and bumped sphinx-mdinclude to >= 0.5.2, as required by openapi. [3] https://app.netlify.com/sites/docs-cilium-io/deploys/63c55fcc5531c6000838b87c Signed-off-by: Quentin Monnet Signed-off-by: Paul Chaignon --- Documentation/requirements.txt | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/Documentation/requirements.txt b/Documentation/requirements.txt index 1a94b528508f4..2492d0b896bd6 100644 --- a/Documentation/requirements.txt +++ b/Documentation/requirements.txt @@ -24,13 +24,11 @@ sphinx-autobuild==2021.3.14 git+https://github.com/cilium/sphinx_rtd_theme.git@3bd69f33e7b2af2d0173fd997ec7ad21ce19ae3b sphinxcontrib-googleanalytics==0.3 sphinxcontrib-httpdomain==1.8.0 -# Fork openapi until it uses something newer than unmaintained m2r -# (See git logs for details) -git+https://github.com/cilium/openapi.git@mdinclude sphinxcontrib-spelling==7.3.2 sphinxcontrib-websupport==1.2.4 sphinx-tabs==3.3.1 sphinx-version-warning==1.1.2 +sphinxcontrib-openapi==0.8.0 typing==3.7.4.3 urllib3==1.26.8 yamllint==1.26.3