From patchwork Sun Nov 12 20:33:02 2023
X-Patchwork-Submitter: Linus Torvalds
X-Patchwork-Id: 13453410
From: Linus Torvalds
Date: Sun, 12 Nov 2023 12:33:02 -0800
Subject: github version complaints about the gitlab CI requirements.txt
To: Helen Koike, Maarten Lankhorst, Maxime Ripard, Thomas Zimmermann, Daniel Vetter, David Heidelberg, Vignesh Raman
Cc: dri-devel
List-Id: Direct Rendering Infrastructure - Development

So every time I push to my github mirror, github now ends up having a
'dependabot' thing that warns about some of the CI version
requirements for the gitlab automated testing file.

It wants to update the pip requirements from 23.2.1 to 23.3

 - When installing a package from a Mercurial VCS URL, e.g. pip
   install hg+..., with pip prior to v23.3, the specified Mercurial
   revision could be used to inject arbitrary configuration options to
   the hg clone call (e.g. --config). Controlling the Mercurial
   configuration can modify how and which repository is installed.
   This vulnerability does not affect users who aren't installing
   from Mercurial.

and upgrade the urllib3 requirements from 2.0.4 to 2.0.7:

 - urllib3's request body not stripped after redirect from 303 status
   changes request method to GET

 - `Cookie` HTTP header isn't stripped on cross-origin redirects

And it's not like any of this looks like a big deal, but I'd like to
shut up the messages I get.

I can either just close those issues, or I can apply a patch something
like the attached (which also adds a missing newline at the end).

I thought I should ask the people who actually set this up. Comments?

               Linus

Tested-by: Helen Koike

 drivers/gpu/drm/ci/xfails/requirements.txt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/ci/xfails/requirements.txt b/drivers/gpu/drm/ci/xfails/requirements.txt index d8856d1581fd..e9994c9db799 100644 --- a/drivers/gpu/drm/ci/xfails/requirements.txt +++ b/drivers/gpu/drm/ci/xfails/requirements.txt @@ -5,7 +5,7 @@ termcolor==2.3.0 certifi==2023.7.22 charset-normalizer==3.2.0 idna==3.4 -pip==23.2.1 +pip==23.3 python-gitlab==3.15.0 requests==2.31.0 requests-toolbelt==1.0.0 @@ -13,5 +13,5 @@ ruamel.yaml==0.17.32 ruamel.yaml.clib==0.2.7 setuptools==68.0.0 tenacity==8.2.3 -urllib3==2.0.4 -wheel==0.41.1 \ No newline at end of file +urllib3==2.0.7 +wheel==0.41.1
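
Review bot: In the first hunk, the `pip==23.3` pin only takes effect after whatever pip is already present in the CI image has processed this file, so the bump does not by itself guarantee that the install runs on a fixed pip. Every requirement visible in the context lines is a plain `name==version` pin with no `hg+` URL, so the Mercurial option injection quoted in the message is not reachable from these lines. Consider stating that in the changelog, or upgrading pip in a separate step before `pip install -r` if the intent is to run the fixed version during the install itself.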
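
Review bot: The second hunk mixes the `urllib3` 2.0.4 to 2.0.7 bump with an unrelated end-of-file newline fix on `wheel==0.41.1`, and the patch as posted carries a Tested-by but no changelog or Signed-off-by; the commit message should name both changes and list the two urllib3 redirect issues the bump addresses. The new `urllib3==2.0.7` stays within the range that the `requests==2.31.0` pin in the first hunk's context accepts, so no other line needs to move with it.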