Update dependencies to fix vulnerabilities

Also changed: - After discussion in ETAS dev team proposing to use fixed versions also in *.in files - Fixing backward incompatible changes when updating Paho - Fixing workflow so that we really test with example from current branch
eclipse-velocitas · Jul 30, 2024 · bd7b3ce · bd7b3ce
1 parent e94654a
commit bd7b3ce
Show file tree

Hide file tree

Showing 13 changed files with 162 additions and 147 deletions.
diff --git a/.project-creation/.skeleton/requirements.in b/.project-creation/.skeleton/requirements.in
@@ -12,7 +12,7 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-grpcio==1.59.0
-protobuf==4.24.4
-cloudevents==1.10.0
-aiohttp==3.9.3
+grpcio==1.64.1
+protobuf==5.27.2
+cloudevents==1.11.0
+aiohttp==3.9.5
diff --git a/.project-creation/.skeleton/requirements.txt b/.project-creation/.skeleton/requirements.txt
@@ -4,33 +4,33 @@
 #
 #    pip-compile
 #
-aiohttp==3.9.3
+aiohttp==3.9.5
     # via -r requirements.in
 aiosignal==1.3.1
     # via aiohttp
 async-timeout==4.0.3
     # via aiohttp
-attrs==23.1.0
+attrs==23.2.0
     # via aiohttp
-cloudevents==1.10.0
+cloudevents==1.11.0
     # via -r requirements.in
 deprecation==2.1.0
     # via cloudevents
-frozenlist==1.4.0
+frozenlist==1.4.1
     # via
     #   aiohttp
     #   aiosignal
-grpcio==1.59.0
+grpcio==1.64.1
     # via -r requirements.in
-idna==3.4
+idna==3.7
     # via yarl
-multidict==6.0.4
+multidict==6.0.5
     # via
     #   aiohttp
     #   yarl
-packaging==23.2
+packaging==24.1
     # via deprecation
-protobuf==4.24.4
+protobuf==5.27.2
     # via -r requirements.in
-yarl==1.9.2
+yarl==1.9.4
     # via aiohttp
diff --git a/NOTICE-3RD-PARTY-CONTENT.md b/NOTICE-3RD-PARTY-CONTENT.md
@@ -3,70 +3,72 @@
 ## Python
 | Dependency | Version | License |
 |:-----------|:-------:|--------:|
-|aiohttp|3.9.3|Apache 2.0|
+|aiohttp|3.9.5|Apache 2.0|
 |aiosignal|1.3.1|Apache 2.0|
 |APScheduler|3.10.4|MIT|
 |async-timeout|4.0.3|Apache 2.0|
-|attrs|23.1.0|MIT|
-|build|1.0.3|MIT|
-|cachetools|5.3.2|MIT|
+|attrs|23.2.0|MIT|
+|build|1.2.1|MIT|
+|cachetools|5.4.0|MIT|
 |cfgv|3.4.0|MIT|
 |chardet|5.2.0|LGPL|
 |click|8.1.7|New BSD|
-|cloudevents|1.10.1|Apache 2.0|
+|cloudevents|1.11.0|Apache 2.0|
 |colorama|0.4.6|BSD|
-|coverage|7.4.1|Apache 2.0|
+|coverage|7.6.0|Apache 2.0|
 |Deprecated|1.2.14|MIT|
 |deprecation|2.1.0|Apache 2.0|
 |distlib|0.3.8|Python Software Foundation License|
-|exceptiongroup|1.2.0|MIT|
-|filelock|3.13.1|The Unlicense (Unlicense)|
-|frozenlist|1.4.0|Apache 2.0|
+|exceptiongroup|1.2.2|MIT|
+|filelock|3.15.4|The Unlicense (Unlicense)|
+|frozenlist|1.4.1|Apache 2.0|
 |grpc-stubs|1.53.0.5|MIT|
-|grpcio|1.59.0|Apache 2.0|
-|grpcio-tools|1.59.0|Apache 2.0|
-|identify|2.5.33|MIT|
-|idna|3.4|BSD|
+|grpcio|1.64.1|Apache 2.0|
+|grpcio-tools|1.64.1|Apache 2.0|
+|identify|2.6.0|MIT|
+|idna|3.7|BSD|
+|importlib-metadata|7.1.0|Apache 2.0|
 |iniconfig|2.0.0|MIT|
-|multidict|6.0.4|Apache 2.0|
-|mypy|1.8.0|MIT|
+|multidict|6.0.5|Apache 2.0|
+|mypy|1.11.0|MIT|
 |mypy-extensions|1.0.0|MIT|
-|mypy-protobuf|3.4.0|Apache 2.0|
-|nodeenv|1.8.0|BSD|
-|opentelemetry-api|1.15.0|Apache 2.0|
-|opentelemetry-distro|0.36b0|Apache 2.0|
-|opentelemetry-instrumentation|0.36b0|Apache 2.0|
-|opentelemetry-instrumentation-logging|0.36b0|Apache 2.0|
-|opentelemetry-sdk|1.15.0|Apache 2.0|
-|opentelemetry-semantic-conventions|0.36b0|Apache 2.0|
-|packaging|23.1|Apache 2.0<br/>BSD|
-|paho-mqtt|1.6.1|OSI Approved|
+|mypy-protobuf|3.6.0|Apache 2.0|
+|nodeenv|1.9.1|BSD|
+|opentelemetry-api|1.25.0|Apache 2.0|
+|opentelemetry-distro|0.46b0|Apache 2.0|
+|opentelemetry-instrumentation|0.46b0|Apache 2.0|
+|opentelemetry-instrumentation-logging|0.46b0|Apache 2.0|
+|opentelemetry-sdk|1.25.0|Apache 2.0|
+|opentelemetry-semantic-conventions|0.46b0|Apache 2.0|
+|packaging|24.1|Apache 2.0<br/>BSD|
+|paho-mqtt|2.1.0|OSI Approved|
 |pip|23.0.1|MIT|
-|pip-tools|7.3.0|BSD|
-|platformdirs|4.2.0|MIT|
-|pluggy|1.4.0|MIT|
-|pre-commit|3.6.0|MIT|
-|protobuf|4.21.12|Google License|
-|pyproject-api|1.6.1|MIT|
-|pyproject-hooks|1.0.0|MIT|
-|pytest|7.4.4|MIT|
-|pytest-asyncio|0.23.4|Apache 2.0|
-|pytest-cov|4.1.0|MIT|
+|pip-tools|7.4.1|BSD|
+|platformdirs|4.2.2|MIT|
+|pluggy|1.5.0|MIT|
+|pre-commit|3.8.0|MIT|
+|protobuf|5.27.2|Google License|
+|pyproject-api|1.7.1|MIT|
+|pyproject-hooks|1.1.0|MIT|
+|pytest|8.3.2|MIT|
+|pytest-asyncio|0.23.8|Apache 2.0|
+|pytest-cov|5.0.0|MIT|
 |pytz|2024.1|MIT|
 |PyYAML|6.0.1|MIT|
 |setuptools|65.5.1|MIT|
 |six|1.16.0|MIT|
 |tomli|2.0.1|MIT|
-|tox|4.11.4|MIT|
-|types-Deprecated|1.2.9.20240106|Apache 2.0|
-|types-mock|5.1.0.20240106|Apache 2.0|
-|types-protobuf|4.24.0.20240129|Apache 2.0|
-|typing-extensions|4.7.1|Python Software Foundation License|
+|tox|4.16.0|MIT|
+|types-Deprecated|1.2.9.20240311|Apache 2.0|
+|types-mock|5.1.0.20240425|Apache 2.0|
+|types-protobuf|5.27.0.20240626|Apache 2.0|
+|typing-extensions|4.12.2|Python Software Foundation License|
 |tzlocal|5.2|MIT|
-|virtualenv|20.25.0|MIT|
-|wheel|0.42.0|MIT|
-|wrapt|1.15.0|BSD|
-|yarl|1.9.2|Apache 2.0|
+|virtualenv|20.26.3|MIT|
+|wheel|0.43.0|MIT|
+|wrapt|1.16.0|BSD|
+|yarl|1.9.4|Apache 2.0|
+|zipp|3.19.2|MIT|
 ## Workflows
 | Dependency | Version | License |
 |:-----------|:-------:|--------:|

diff --git a/examples/seat-adjuster/requirements.in b/examples/seat-adjuster/requirements.in
@@ -12,8 +12,8 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-grpcio==1.59.0
-protobuf==4.24.4
-cloudevents==1.10.0
-aiohttp==3.9.3
-packaging==23.0
+grpcio==1.64.1
+protobuf==5.27.2
+cloudevents==1.11.0
+aiohttp==3.9.5
+packaging==24.1
diff --git a/examples/seat-adjuster/requirements.txt b/examples/seat-adjuster/requirements.txt
@@ -4,35 +4,35 @@
 #
 #    pip-compile
 #
-aiohttp==3.9.3
+aiohttp==3.9.5
     # via -r requirements.in
 aiosignal==1.3.1
     # via aiohttp
 async-timeout==4.0.3
     # via aiohttp
-attrs==23.1.0
+attrs==23.2.0
     # via aiohttp
-cloudevents==1.10.0
+cloudevents==1.11.0
     # via -r requirements.in
 deprecation==2.1.0
     # via cloudevents
-frozenlist==1.4.0
+frozenlist==1.4.1
     # via
     #   aiohttp
     #   aiosignal
-grpcio==1.59.0
+grpcio==1.64.1
     # via -r requirements.in
-idna==3.4
+idna==3.7
     # via yarl
-multidict==6.0.4
+multidict==6.0.5
     # via
     #   aiohttp
     #   yarl
-packaging==23.0
+packaging==24.1
     # via
     #   -r requirements.in
     #   deprecation
-protobuf==4.24.4
+protobuf==5.27.2
     # via -r requirements.in
-yarl==1.9.2
+yarl==1.9.4
     # via aiohttp
diff --git a/examples/seat-adjuster/tests/requirements.in b/examples/seat-adjuster/tests/requirements.in
@@ -17,4 +17,3 @@ pytest-ordering
 pytest-asyncio
 pytest-cov
 types-mock
-packaging==23.0
diff --git a/examples/seat-adjuster/tests/requirements.txt b/examples/seat-adjuster/tests/requirements.txt
@@ -4,35 +4,33 @@
 #
 #    pip-compile
 #
-coverage[toml]==7.4.1
+coverage[toml]==7.6.0
     # via
     #   coverage
     #   pytest-cov
-exceptiongroup==1.2.0
+exceptiongroup==1.2.2
     # via pytest
 iniconfig==2.0.0
     # via pytest
-packaging==23.0
-    # via
-    #   -r requirements.in
-    #   pytest
-pluggy==1.4.0
+packaging==24.1
+    # via pytest
+pluggy==1.5.0
     # via pytest
-pytest==7.4.4
+pytest==8.3.2
     # via
     #   -r requirements.in
     #   pytest-asyncio
     #   pytest-cov
     #   pytest-ordering
-pytest-asyncio==0.23.4
+pytest-asyncio==0.23.8
     # via -r requirements.in
-pytest-cov==4.1.0
+pytest-cov==5.0.0
     # via -r requirements.in
 pytest-ordering==0.6
     # via -r requirements.in
 tomli==2.0.1
     # via
     #   coverage
     #   pytest
-types-mock==5.1.0.20240106
+types-mock==5.1.0.20240425
     # via -r requirements.in