From c23265d354e611fbd0ddd797d54ed86940e72d90 Mon Sep 17 00:00:00 2001
From: Ken Lewerentz
Date: Tue, 3 Sep 2024 08:40:30 +0700
Subject: [PATCH 1/3] Pin jwcrypto and requests libraries to ensure safe version is used

---
 requirements.txt | 2 ++
 spp_base/__manifest__.py | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/requirements.txt b/requirements.txt
index 693b9f63..807cb8b5 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -8,12 +8,14 @@ fastapi==0.112.2
 geojson
 jsonschema
 jwcrypto
+jwcrypto>=1.5.6
 numpy>=1.22.2
 pyjwt>=2.4.0
 pyproj
 python-magic
 pytz
 qrcode
+requests>=2.32.2
 shapely
 simplejson
 swagger_spec_validator
diff --git a/spp_base/__manifest__.py b/spp_base/__manifest__.py
index 340b1eca..8f198709 100644
--- a/spp_base/__manifest__.py
+++ b/spp_base/__manifest__.py
@@ -33,7 +33,7 @@
 "spp_farmer_registry_base",
 ],
 "external_dependencies": {
- "python": ["fastapi==0.112.2", "extendable_pydantic==1.3.0", "numpy>=1.22.2", "urllib3>=2.2.2", "zipp>=3.19.1"]
+ "python": ["fastapi==0.112.2", "extendable_pydantic==1.3.0", "numpy>=1.22.2", "urllib3>=2.2.2", "zipp>=3.19.1", "jwcrypto>=1.5.6", "requests>=2.32.2"]
 }, # not directly required, pinned by Snyk to avoid a vulnerability and for fastapi, compatibility issues.
 "data": [
 "data/global_roles.xml",

From a38c16cdfbf2e290aaf407ab5a71ded4ca975242 Mon Sep 17 00:00:00 2001
From: Ken Lewerentz
Date: Tue, 3 Sep 2024 08:54:33 +0700
Subject: [PATCH 2/3] Pin jwcrypto and requests libraries to ensure safe version is used

---
 requirements.txt | 1 -
 1 file changed, 1 deletion(-)

diff --git a/requirements.txt b/requirements.txt
index 807cb8b5..e1f1abb1 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -7,7 +7,6 @@ faker
 fastapi==0.112.2
 geojson
 jsonschema
-jwcrypto
 jwcrypto>=1.5.6
 numpy>=1.22.2
 pyjwt>=2.4.0

From bb62a74be92858ebdbe5ce651b8779393b589ba0 Mon Sep 17 00:00:00 2001
From: Ken Lewerentz
Date: Wed, 8 Jan 2025 14:55:07 +0000
Subject: [PATCH 3/3] Adjusting spp_encryption to use the same version of jwcrypto as spp_base

---
 openspp-requirements.txt | 2 +-
 spp_base/__manifest__.py | 10 +++++++++-
 spp_encryption/__manifest__.py | 2 +-
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/openspp-requirements.txt b/openspp-requirements.txt
index 61de3e46..cc04582b 100644
--- a/openspp-requirements.txt
+++ b/openspp-requirements.txt
@@ -81,7 +81,7 @@ bravado_core
 faker
 geojson
 jsonschema
-jwcrypto
+jwcrypto>=1.5.6
 pyjwt>=2.4.0
 pyproj
 python-magic
diff --git a/spp_base/__manifest__.py b/spp_base/__manifest__.py
index 8f198709..fa3986fd 100644
--- a/spp_base/__manifest__.py
+++ b/spp_base/__manifest__.py
@@ -33,7 +33,15 @@
 "spp_farmer_registry_base",
 ],
 "external_dependencies": {
- "python": ["fastapi==0.112.2", "extendable_pydantic==1.3.0", "numpy>=1.22.2", "urllib3>=2.2.2", "zipp>=3.19.1", "jwcrypto>=1.5.6", "requests>=2.32.2"]
+ "python": [
+ "fastapi==0.112.2",
+ "extendable_pydantic==1.3.0",
+ "numpy>=1.22.2",
+ "urllib3>=2.2.2",
+ "zipp>=3.19.1",
+ "jwcrypto>=1.5.6",
+ "requests>=2.32.2",
+ ]
 }, # not directly required, pinned by Snyk to avoid a vulnerability and for fastapi, compatibility issues.
 "data": [
 "data/global_roles.xml",
diff --git a/spp_encryption/__manifest__.py b/spp_encryption/__manifest__.py
index 39925d91..96c4eb91 100644
--- a/spp_encryption/__manifest__.py
+++ b/spp_encryption/__manifest__.py
@@ -9,7 +9,7 @@
 "development_status": "Beta",
 "maintainers": ["jeremi", "gonzalesedwin1123"],
 "depends": ["g2p_encryption"],
- "external_dependencies": {"python": ["jwcrypto"]},
+ "external_dependencies": {"python": ["jwcrypto>=1.5.6"]},
 "data": ["views/encryption_provider.xml"],
 "assets": {},
 "demo": [],
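Review bot: The `requests>=2.32.2` floor that PATCH 1/3 added to requirements.txt and to spp_base/__manifest__.py is not mirrored in the openspp-requirements.txt hunk of PATCH 3/3, which only raises jwcrypto, so the three dependency lists still disagree on requests. If this file is the alternative install list for the same modules and requests is not constrained elsewhere in it (only this hunk is visible), an install from it can resolve a requests release below the floor that the manifest's external_dependencies entry declares, and where the running Odoo enforces version specifiers that check would then fail at module install time. Adding `requests>=2.32.2` next to the `jwcrypto>=1.5.6` line keeps the lists in agreement, which is what the commit subject sets out to do for jwcrypto. Note also that `>=` gives a minimum with no ceiling, so these entries are floors rather than pins; an `==` pin or a lock file is what makes the resolved version reproducible across environments.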