diff mbox series

github version complaints about the gitlab CI requirements.txt

Message ID CAHk-=wjTGzKGcEmSW98j7kZin71x3yLFEuQS-2VP2pB+qxCwoA@mail.gmail.com (mailing list archive)
State New, archived
Headers show
Series github version complaints about the gitlab CI requirements.txt | expand

Commit Message

Linus Torvalds Nov. 12, 2023, 8:33 p.m. UTC
So every time I push to my github mirror, github now ends up having a
'dependabot' thing that warns about some of the CI version
requirements for the gitlab automated testing file.

It wants to update the pip requirements from 23.2.1 to 23.3

 - When installing a package from a Mercurial VCS URL, e.g. pip install
   hg+..., with pip prior to v23.3, the specified Mercurial revision
   could be used to inject arbitrary configuration options to the hg
   clone call (e.g. --config). Controlling the Mercurial configuration
   can modify how and which repository is installed. This vulnerability
   does not affect users who aren't installing from Mercurial.

and upgrade the urllib3 requirements from 2.0.4 to 2.0.7:

 - urllib3's request body not stripped after redirect from 303 status
   changes request method to GET

 - `Cookie` HTTP header isn't stripped on cross-origin redirects

And it's not like any of this looks like a big deal, but I'd like to
shut up the messages I get.

I can either just close those issues, or I can apply a patch something
like the attached (which also adds a missing newline at the end).

I thought I should ask the people who actually set this up. Comments?

               Linus

Comments

Helen Mae Koike Fornazier Nov. 13, 2023, 12:01 p.m. UTC | #1
Hi Linus,

On 12/11/2023 17:33, Linus Torvalds wrote:
> So every time I push to my github mirror, github now ends up having a
> 'dependabot' thing that warns about some of the CI version
> requirements for the gitlab automated testing file.
> 
> It wants to update the pip requirements from 23.2.1 to 23.3
> 
>   - When installing a package from a Mercurial VCS URL, e.g. pip install
>     hg+..., with pip prior to v23.3, the specified Mercurial revision
>     could be used to inject arbitrary configuration options to the hg
>     clone call (e.g. --config). Controlling the Mercurial configuration
>     can modify how and which repository is installed. This vulnerability
>     does not affect users who aren't installing from Mercurial.
> 
> and upgrade the urllib3 requirements from 2.0.4 to 2.0.7:
> 
>   - urllib3's request body not stripped after redirect from 303 status
>     changes request method to GET
> 
>   - `Cookie` HTTP header isn't stripped on cross-origin redirects
> 
> And it's not like any of this looks like a big deal, but I'd like to
> shut up the messages I get.
> 
> I can either just close those issues, or I can apply a patch something
> like the attached (which also adds a missing newline at the end).
> 
> I thought I should ask the people who actually set this up. Comments?

I just tested your attached patch and looks fine, the scripts with those
requirements worked as expected, so please go ahead with your patch with
Tested-by: Helen Koike <helen.koike@collabora.com>

Now I'm thinking how to prevent those warnings in the future.

Thank you,
Helen

> 
>                 Linus
diff mbox series

Patch

 drivers/gpu/drm/ci/xfails/requirements.txt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/ci/xfails/requirements.txt b/drivers/gpu/drm/ci/xfails/requirements.txt
index d8856d1581fd..e9994c9db799 100644
--- a/drivers/gpu/drm/ci/xfails/requirements.txt
+++ b/drivers/gpu/drm/ci/xfails/requirements.txt
@@ -5,7 +5,7 @@  termcolor==2.3.0
 certifi==2023.7.22
 charset-normalizer==3.2.0
 idna==3.4
-pip==23.2.1
+pip==23.3
 python-gitlab==3.15.0
 requests==2.31.0
 requests-toolbelt==1.0.0
@@ -13,5 +13,5 @@  ruamel.yaml==0.17.32
 ruamel.yaml.clib==0.2.7
 setuptools==68.0.0
 tenacity==8.2.3
-urllib3==2.0.4
-wheel==0.41.1
\ No newline at end of file
+urllib3==2.0.7
+wheel==0.41.1