Bump up the lower bound on ansible-core #196

Merged: jsf9k merged 3 commits into develop from improvement/add-a-lower-bound-pin-for-ansible-core on Nov 20, 2024

Conversation

jsf9k (Member)

@jsf9k jsf9k commented Nov 8, 2024

🗣 Description

This pull request bumps up the lower bound on the ansible-core Python package.

See also cisagov/skeleton-ansible-role#209 and the commits cisagov/skeleton-packer@26a8baf and cisagov/skeleton-packer@19fbaf3 in cisagov/skeleton-packer#376.

💭 Motivation and context

This is being done because the pip-audit pre-commit hook identifies a vulnerability in ansible-core version 2.16.13. Note that this requires that we bump up the version of ansible to version 10 since all versions of ansible 9 have a dependency on ansible-core~=2.16.X.

🧪 Testing

All automated tests pass.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All new and existing tests pass.

This is being done because the pip-audit pre-commit hook identifies a
vulnerability in ansible-core version 2.16.13.  Note that this
requires that we bump up ansible to version 10 since all versions of
ansible 9 have a dependency on ~=2.16.X.
@jsf9k jsf9k added the labels improvement (This issue or pull request will add or improve functionality, maintainability, or ease of use), dependencies (Pull requests that update a dependency file) and security (This issue or pull request addresses a security issue) on Nov 8, 2024
@jsf9k jsf9k marked this pull request as ready for review November 8, 2024 18:47
@jsf9k jsf9k requested a review from a team November 8, 2024 18:47
The pin of ansible-core was originally put in place because the
pip-audit pre-commit hook identifies a vulnerability in ansible-core
2.16.13.  Normally we would pin ansible-core to >2.16.13, but in the
spirit of the earlier, optional pin of ansible>=10 we pin ansible-core
to >=2.17.  This effectively also pins ansible to >=10.

Co-authored-by: Nick M <[email protected]>
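The pin reasoning in the commit message above (ansible 9 requires ansible-core ~=2.16.X, so a lower bound of >=2.17 rules ansible 9 out, where a bound of >2.16.13 would not) can be checked mechanically. The following is an added example, not code from this PR or from cisagov. It implements a small subset of PEP 440 specifier matching (plain release segments only, no pre/post/dev releases) so that it runs without the `packaging` library; the candidate release list and the concrete `~=2.16.0` requirement standing in for "~=2.16.X" are constructed for illustration, not taken from a package index.

```python
"""Check which candidate versions satisfy several pip-style specifier sets at once.

Added example, not code from the PR or from cisagov. Supports a subset of
PEP 440: release segments only, the operators ~= == != < <= > >=, and the
==X.Y.* / !=X.Y.* wildcard forms. That is enough for the pins discussed here.
"""
import re
from typing import Iterable

_SPEC = re.compile(r"(~=|==|!=|<=|>=|<|>)\s*(\d+(?:\.\d+)*)(\.\*)?")


def parse_version(text: str) -> tuple[int, ...]:
    """'2.16.13' -> (2, 16, 13). Anything beyond dotted integers is rejected (assumption)."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _padded(a: tuple[int, ...], b: tuple[int, ...]):
    # PEP 440 compares release segments as if the shorter one were zero-padded.
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def _compare(a: tuple[int, ...], b: tuple[int, ...]) -> int:
    a, b = _padded(a, b)
    return (a > b) - (a < b)


def _has_prefix(v: tuple[int, ...], prefix: tuple[int, ...]) -> bool:
    # ==2.16.* and the prefix half of ~= both mean "starts with these segments".
    v, _ = _padded(v, prefix)
    return v[: len(prefix)] == prefix


def satisfies(version: str, spec_set: str) -> bool:
    """True if `version` matches every comma-separated clause in `spec_set`, e.g. '>=2.17,<3'."""
    v = parse_version(version)
    for clause in filter(None, (c.strip() for c in spec_set.split(","))):
        m = _SPEC.fullmatch(clause)
        if not m:
            raise ValueError(f"unsupported specifier: {clause!r}")
        op, target, wildcard = m.groups()
        t = parse_version(target)
        if op == "~=":
            # Compatible release: ~=2.16.13 means >=2.16.13 AND ==2.16.*
            if len(t) < 2:
                raise ValueError("~= requires at least two release segments")
            ok = _compare(v, t) >= 0 and _has_prefix(v, t[:-1])
        elif wildcard:
            if op not in ("==", "!="):
                raise ValueError("wildcard suffix is only valid with == or !=")
            ok = _has_prefix(v, t) if op == "==" else not _has_prefix(v, t)
        else:
            c = _compare(v, t)
            ok = {"==": c == 0, "!=": c != 0, "<": c < 0,
                  "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]
        if not ok:
            return False
    return True


def resolvable(candidates: Iterable[str], *spec_sets: str) -> list[str]:
    """Candidates that satisfy every specifier set simultaneously (empty list = conflict)."""
    return [c for c in candidates if all(satisfies(c, s) for s in spec_sets)]


# Constructed candidate list of ansible-core releases; not a live index query.
CORE_RELEASES = ["2.16.12", "2.16.13", "2.16.14", "2.17.0", "2.17.5"]
# The PR says ansible 9 depends on ansible-core ~=2.16.X; the concrete X=0 is an assumption.
ANSIBLE_9_NEEDS = "~=2.16.0"


def main() -> None:
    # A bare ">2.16.13" pin still admits an ansible 9 install with a later 2.16.x core.
    print("pin >2.16.13 with ansible 9:", resolvable(CORE_RELEASES, ">2.16.13", ANSIBLE_9_NEEDS))
    # ">=2.17" has no overlap with ~=2.16.X, so it forces ansible 10 or later.
    print("pin >=2.17 with ansible 9:  ", resolvable(CORE_RELEASES, ">=2.17", ANSIBLE_9_NEEDS))


if __name__ == "__main__":
    main()
```

The second call returning an empty list is the conflict the commit message describes: no ansible-core release can satisfy both `>=2.17` and ansible 9's `~=2.16.X`, so the resolver must move to an ansible major that depends on a 2.17 core. Running pip-audit (or `pip install --dry-run`) against the resulting lock is still the authoritative check; this script only shows why the pin has the effect it does.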
This adds even more evidence for why it is a good idea to go ahead and
upgrade ansible and ansible-core, in addition to the vulnerability
that pip-audit turned up.

Co-authored-by: Nick M <[email protected]>
@jsf9k jsf9k added this pull request to the merge queue Nov 20, 2024
Merged via the queue into develop with commit f7ccd9a Nov 20, 2024
4 checks passed
@jsf9k jsf9k deleted the improvement/add-a-lower-bound-pin-for-ansible-core branch November 20, 2024 18:00