From 20e32f2d4ebdbc90745f67629cedd7db403cc63b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Sep 2024 19:46:21 +0000 Subject: [PATCH 1/6] Bump openapi-core from 0.19.3 to 0.19.4 Bumps [openapi-core](https://github.com/python-openapi/openapi-core) from 0.19.3 to 0.19.4. - [Release notes](https://github.com/python-openapi/openapi-core/releases) - [Commits](https://github.com/python-openapi/openapi-core/compare/0.19.3...0.19.4) --- updated-dependencies: - dependency-name: openapi-core dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- requirements-apps-api.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-apps-api.txt b/requirements-apps-api.txt index 6d6e51711..c96d355c5 100644 --- a/requirements-apps-api.txt +++ b/requirements-apps-api.txt @@ -1,7 +1,7 @@ flask==2.2.5 Flask-Cors==4.0.1 jsonschema==4.23.0 -openapi-core==0.19.3 +openapi-core==0.19.4 prance==23.6.21.0 PyJWT==2.9.0 requests==2.32.3 From ca6c10596ecfbf348d32a40c00ec68578de99092 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Sep 2024 19:46:28 +0000 Subject: [PATCH 2/6] Bump boto3 from 1.35.6 to 1.35.10 Bumps [boto3](https://github.com/boto/boto3) from 1.35.6 to 1.35.10. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](https://github.com/boto/boto3/compare/1.35.6...1.35.10) --- updated-dependencies: - dependency-name: boto3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- requirements-all.txt | 2 +- requirements-apps-disable-private-dns.txt | 2 +- requirements-apps-start-execution-manager.txt | 2 +- requirements-apps-start-execution-worker.txt | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/requirements-all.txt b/requirements-all.txt index dfbcdcf3a..511d2424a 100644 
--- a/requirements-all.txt +++ b/requirements-all.txt @@ -5,7 +5,7 @@ -r requirements-apps-start-execution-worker.txt -r requirements-apps-disable-private-dns.txt -r requirements-apps-update-db.txt -boto3==1.35.6 +boto3==1.35.10 jinja2==3.1.4 moto[dynamodb]==5.0.12 pytest==8.3.2 diff --git a/requirements-apps-disable-private-dns.txt b/requirements-apps-disable-private-dns.txt index 0abc8dfb1..a2119d65e 100644 --- a/requirements-apps-disable-private-dns.txt +++ b/requirements-apps-disable-private-dns.txt @@ -1 +1 @@ -boto3==1.35.6 +boto3==1.35.10 diff --git a/requirements-apps-start-execution-manager.txt b/requirements-apps-start-execution-manager.txt index 079b6cdeb..e98039768 100644 --- a/requirements-apps-start-execution-manager.txt +++ b/requirements-apps-start-execution-manager.txt @@ -1,3 +1,3 @@ -boto3==1.35.6 +boto3==1.35.10 ./lib/dynamo/ ./lib/lambda_logging/ diff --git a/requirements-apps-start-execution-worker.txt b/requirements-apps-start-execution-worker.txt index 9749fb163..3dbc5dad3 100644 --- a/requirements-apps-start-execution-worker.txt +++ b/requirements-apps-start-execution-worker.txt @@ -1,2 +1,2 @@ -boto3==1.35.6 +boto3==1.35.10 ./lib/lambda_logging/ From d231d02449d3451afc4a3bcb7d514b8458e90860 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Sep 2024 19:46:31 +0000 Subject: [PATCH 3/6] Bump flask-cors from 4.0.1 to 5.0.0 Bumps [flask-cors](https://github.com/corydolphin/flask-cors) from 4.0.1 to 5.0.0. - [Release notes](https://github.com/corydolphin/flask-cors/releases) - [Changelog](https://github.com/corydolphin/flask-cors/blob/main/CHANGELOG.md) - [Commits](https://github.com/corydolphin/flask-cors/compare/4.0.1...5.0.0) --- updated-dependencies: - dependency-name: flask-cors dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- requirements-apps-api.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/requirements-apps-api.txt b/requirements-apps-api.txt index 6d6e51711..718c3abe8 100644 --- a/requirements-apps-api.txt +++ b/requirements-apps-api.txt @@ -1,5 +1,5 @@ flask==2.2.5 -Flask-Cors==4.0.1 +Flask-Cors==5.0.0 jsonschema==4.23.0 openapi-core==0.19.3 prance==23.6.21.0 From 468d5a71ee06302da1d67053179bcc7d7a8e4954 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Sep 2024 19:46:36 +0000 Subject: [PATCH 4/6] Bump setuptools from 73.0.1 to 74.1.0 Bumps [setuptools](https://github.com/pypa/setuptools) from 73.0.1 to 74.1.0. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v73.0.1...v74.1.0) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- requirements-all.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-all.txt b/requirements-all.txt index dfbcdcf3a..37e6495e9 100644 --- a/requirements-all.txt +++ b/requirements-all.txt @@ -15,6 +15,6 @@ flake8==7.1.1 flake8-import-order==0.18.2 flake8-blind-except==0.2.1 flake8-builtins==2.5.0 -setuptools==73.0.1 +setuptools==74.1.0 openapi-spec-validator==0.7.1 cfn-lint==1.10.3 From 9c4fd7d4c95f92a58d41027f5aa1c005473d97cd Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 2 Sep 2024 19:46:40 +0000 Subject: [PATCH 5/6] Bump cfn-lint from 1.10.3 to 1.11.1 Bumps [cfn-lint](https://github.com/aws-cloudformation/cfn-lint) from 1.10.3 to 1.11.1. - [Release notes](https://github.com/aws-cloudformation/cfn-lint/releases) - [Changelog](https://github.com/aws-cloudformation/cfn-lint/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws-cloudformation/cfn-lint/compare/v1.10.3...v1.11.1) --- updated-dependencies: - dependency-name: cfn-lint dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- requirements-all.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-all.txt b/requirements-all.txt index dfbcdcf3a..0dd5dc0df 100644 --- a/requirements-all.txt +++ b/requirements-all.txt @@ -17,4 +17,4 @@ flake8-blind-except==0.2.1 flake8-builtins==2.5.0 setuptools==73.0.1 openapi-spec-validator==0.7.1 -cfn-lint==1.10.3 +cfn-lint==1.11.1 From df90f8e4954edb023341d4ad445615fca8ef295c Mon Sep 17 00:00:00 2001 From: Andrew Johnston Date: Tue, 3 Sep 2024 08:41:10 -0800 Subject: [PATCH 6/6] Update CHANGELOG.md for v7.8.1 --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fde59df15..35815f441 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [7.8.1] + +### Fixed +- Upgraded to flask-cors v5.0.0 from v4.0.1. Resolves [CVE-2024-6221](https://github.com/ASFHyP3/hyp3/security/dependabot/17). ## [7.8.0]
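Review bot: the boto3 hunk set in PATCH 2/6 changes the same pin in four files (requirements-all.txt, requirements-apps-disable-private-dns.txt, requirements-apps-start-execution-manager.txt, requirements-apps-start-execution-worker.txt), and the requirements-all.txt context shows it already pulling the per-app files in with `-r`. Bumping all four together is right, since a missed file would leave two versions in one resolve, but the duplication is a maintenance hazard; consider moving shared pins such as boto3 into one constraints file referenced with `-c` so a single edit covers every app. The hunk also starts from blob `dfbcdcf3a`, the same base as PATCH 4/6 and PATCH 5/6, so see the rebase point raised on those.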
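Review bot: the `-Flask-Cors==4.0.1` / `+Flask-Cors==5.0.0` hunk in requirements-apps-api.txt (PATCH 3/6) is a semver-major bump per the commit message's `update-type`, so it can change how the API answers CORS preflight and origin checks rather than only fix a bug; the commit message gives no motivation, while the CHANGELOG entry in PATCH 6/6 says the upgrade resolves CVE-2024-6221. Put the CVE in this commit's message as well, and confirm the API's CORS settings (allowed origins, methods, headers) behave the same under 5.0.0 before merging. The hunk's base blob `6d6e51711` and its context line `openapi-core==0.19.3` predate PATCH 1/6, which already moved that pin to 0.19.4, so this patch needs a rebase onto the series head rather than the original base.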
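Review bot: `+setuptools==74.1.0` (PATCH 4/6) is a semver-major bump per the commit message, and the hunk shows setuptools pinned only in requirements-all.txt beside the flake8 tooling, so the per-app requirements files do not receive it directly. The app files do install local packages (`./lib/dynamo/`, `./lib/lambda_logging/` in PATCH 2/6), which are built with whatever setuptools the build environment provides; verify those builds still succeed with 74.1.0, and note in the message whether the pin is dev-only or also feeds the deployment build.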
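Review bot: the cfn-lint hunk in PATCH 5/6 carries `setuptools==73.0.1` as an unchanged context line and starts from blob `dfbcdcf3a`, but PATCH 4/6 already rewrote that line to `setuptools==74.1.0`, and PATCH 2/6 edits the same file from the same base. The three patches were generated independently against the original requirements-all.txt, so applied in order the later ones will fail or need fuzz; rebase each onto the previous one (or squash the requirements-all.txt bumps into one commit) so the series applies cleanly with `git am`.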
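Review bot: the new `## [7.8.1]` entry in CHANGELOG.md (PATCH 6/6) records only the flask-cors upgrade, while the same series also bumps openapi-core, boto3, setuptools and cfn-lint; list them, or say explicitly that the remaining bumps are routine dependency updates, so the release notes match the diff. The CVE link targets https://github.com/ASFHyP3/hyp3/security/dependabot/17, a Dependabot alert page that only users with security access to the repository can open; link the public advisory for CVE-2024-6221 instead so readers of the changelog can follow the reference.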