
Bump up the lower bound on ansible-core #209

Merged
merged 3 commits into from
Nov 22, 2024

Conversation

jsf9k
Member

@jsf9k jsf9k commented Nov 8, 2024

🗣 Description

This pull request bumps up the lower bound on the ansible-core Python package.

See also cisagov/skeleton-generic#196 and the commits cisagov/skeleton-packer@26a8baf and cisagov/skeleton-packer@19fbaf3 in cisagov/skeleton-packer#376.

Supplants #208.

💭 Motivation and context

This is being done because the pip-audit pre-commit hook identifies a vulnerability in ansible-core version 2.16.13. Note that this requires that we bump up the version of ansible to version 10 since all versions of ansible 9 have a dependency on ansible-core~=2.16.X.

🧪 Testing

All automated tests pass.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All new and existing tests pass.
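The version-constraint reasoning in the description above (ansible 9 requires ansible-core~=2.16.X, so a fix that lives in ansible-core 2.17 is only reachable by moving to ansible>=10) can be checked mechanically. The following is an added illustration, not code from this PR or the cisagov project; it implements the PEP 440 `~=`, `>`, `>=`, `<`, `<=` and `==` clauses for plain numeric versions with the standard library only, and the candidate version list and the `~=2.16.0` stand-in for "~=2.16.X" are constructed here.

```python
"""Check PEP 440-style pins on plain numeric versions (stdlib only)."""
from __future__ import annotations
import re
from typing import Callable


def parse(version: str) -> tuple[int, ...]:
    """'2.16.13' -> (2, 16, 13); tuples compare component by component."""
    return tuple(int(p) for p in version.split("."))


def compatible_release(bound: str, version: str) -> bool:
    """`~=X.Y.Z` means `>=X.Y.Z, ==X.Y.*`: the last component may float,
    everything before it must match exactly."""
    lo, v = parse(bound), parse(version)
    prefix = lo[:-1]
    return v >= lo and v[: len(prefix)] == prefix


_OPS: dict[str, Callable[[tuple, tuple], bool]] = {
    ">=": lambda v, b: v >= b, ">": lambda v, b: v > b,
    "<=": lambda v, b: v <= b, "<": lambda v, b: v < b,
    "==": lambda v, b: v == b,
}
# `>=` and `<=` are listed before `>` and `<` so the longer operator wins.
_CLAUSE = re.compile(r"^(~=|>=|<=|==|>|<)\s*([0-9][0-9.]*)$")


def satisfies(specifier: str, version: str) -> bool:
    """True when `version` meets every comma-separated clause in `specifier`."""
    for clause in specifier.split(","):
        m = _CLAUSE.match(clause.strip())
        if m is None:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = m.groups()
        if op == "~=":
            if not compatible_release(bound, version):
                return False
        elif not _OPS[op](parse(version), parse(bound)):
            return False
    return True


def resolvable(pins: list[str], candidates: list[str]) -> list[str]:
    """Candidate versions that satisfy every pin at once (empty = conflict)."""
    return [v for v in candidates if all(satisfies(p, v) for p in pins)]


ANSIBLE9_CORE_PIN = "~=2.16.0"  # stand-in for the ansible 9 -> ansible-core~=2.16.X dependency
NEW_CORE_PIN = ">=2.17"         # what this PR effectively pins ansible-core to
CANDIDATES = ["2.16.13", "2.16.14", "2.17.0", "2.18.1"]  # constructed sample versions
```

`resolvable([ANSIBLE9_CORE_PIN, NEW_CORE_PIN], CANDIDATES)` is empty: no ansible-core release can satisfy both pins, which is why the ansible lower bound has to move to 10 along with ansible-core.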

This is being done because the pip-audit pre-commit hook identifies a
vulnerability in ansible-core version 2.16.13.  Note that this
requires that we bump up ansible to version 10 since all versions of
ansible 9 have a dependency on ~=2.16.X.
@jsf9k jsf9k added improvement This issue or pull request will add or improve functionality, maintainability, or ease of use dependencies Pull requests that update a dependency file security This issue or pull request addresses a security issue labels Nov 8, 2024
@jsf9k jsf9k marked this pull request as ready for review November 8, 2024 19:54
@jsf9k jsf9k requested a review from a team November 8, 2024 19:54
@jsf9k jsf9k mentioned this pull request Nov 8, 2024
Review comment on requirements-test.txt (outdated, resolved)
@jsf9k jsf9k requested a review from mcdonnnj November 14, 2024 02:45
The pin of ansible-core was originally put in place because the
pip-audit pre-commit hook identifies a vulnerability in ansible-core
2.16.13.  Normally we would pin ansible-core accordingly (>2.16.13),
but the earlier pin of ansible>=10 effectively pins ansible-core to
>=2.17 so that's what we do here.

Co-authored-by: Nick M <[email protected]>
@jsf9k jsf9k force-pushed the improvement/bump-up-lower-bound-pin-for-ansible-core branch from 41e3dd4 to b5a06b4 Compare November 14, 2024 16:06
@jsf9k jsf9k mentioned this pull request Nov 19, 2024
This adds even more evidence for why it is a good idea to go ahead and
upgrade ansible and ansible-core, in addition to the vulnerability
that pip-audit turned up.

Co-authored-by: Nick M <[email protected]>
@jsf9k jsf9k added this pull request to the merge queue Nov 22, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to no response for status checks Nov 22, 2024
@jsf9k jsf9k added this pull request to the merge queue Nov 22, 2024
Merged via the queue into develop with commit b48fe5c Nov 22, 2024
53 checks passed
@jsf9k jsf9k deleted the improvement/bump-up-lower-bound-pin-for-ansible-core branch November 22, 2024 04:20