Add comments about looming EOL issues for ansible and ansible-core

This adds even more evidence for why it is a good idea to go ahead and upgrade ansible and ansible-core, in addition to the vulnerability that pip-audit turned up. Co-authored-by: Nick M <[email protected]>
cisagov · Nov 20, 2024 · 38081fd · 38081fd
1 parent b5a06b4
commit 38081fd
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/requirements-test.txt b/requirements-test.txt
@@ -13,6 +13,10 @@
 # identifies a vulnerability in ansible-core 2.16.13, but all versions
 # of ansible 9 have a dependency on ~=2.16.X.
 #
+# It is also a good idea to go ahead and upgrade to version 10 since
+# version 9 is going EOL at the end of November:
+# https://endoflife.date/ansible
+#
 # We have tested against version 10.  We want to avoid automatically
 # jumping to another major version without testing, since there are
 # often breaking changes across major versions.  This is the reason
@@ -28,6 +32,10 @@ ansible>=10,<11
 # accordingly (>2.16.13), but the above pin of ansible>=10 effectively
 # pins ansible-core to >=2.17 so that's what we do here.
 #
+# It is also a good idea to go ahead and upgrade to ansible-core 2.17
+# since security support for ansible-core 2.16 ends this month:
+# https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix
+#
 # Note that any changes made to this dependency must also be made in
 # requirements.txt in cisagov/skeleton-packer and
 # .pre-commit-config.yaml in cisagov/skeleton-generic.