Add comments about looming EOL issues for ansible and ansible-core

This adds even more evidence for why it is a good idea to go ahead and upgrade ansible and ansible-core, in addition to the vulnerability that pip-audit turned up. Co-authored-by: Nick M <[email protected]>
cisagov · Nov 20, 2024 · bd85261 · bd85261
1 parent cca133a
commit bd85261
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -181,6 +181,10 @@ repos:
           # hook identifies a vulnerability in ansible-core 2.16.13,
           # but all versions of ansible 9 have a dependency on
           # ~=2.16.X.
+          #
+          # It is also a good idea to go ahead and upgrade to version
+          # 10 since version 9 is going EOL at the end of November:
+          # https://endoflife.date/ansible
           # - ansible>=10,<11
           # ansible-core 2.16.3 through 2.16.6 suffer from the bug
           # discussed in ansible/ansible#82702, which breaks any
@@ -193,6 +197,11 @@ repos:
           # ansible-core to >=2.17 effectively also pins ansible to
           # >=10.
           #
+          # It is also a good idea to go ahead and upgrade to
+          # ansible-core 2.17 since security support for ansible-core
+          # 2.16 ends this month:
+          # https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix
+          #
           # Note that any changes made to this dependency must also be
           # made in requirements.txt in cisagov/skeleton-packer and
           # requirements-test.txt in cisagov/skeleton-ansible-role.