diff --git a/.safety-policy-develop.yml b/.safety-policy-develop.yml index c5486414..9ee55081 100644 --- a/.safety-policy-develop.yml +++ b/.safety-policy-develop.yml @@ -38,6 +38,16 @@ security: reason: Fixed filelock version 3.20.3 requires Python>=3.10 and is used there 84415: reason: Fixed filelock version 3.20.3 requires Python>=3.10 and is used there + 89481: + reason: Fixed authlib version 1.6.9 requires Python>=3.10 and is used there + 89032: + reason: Fixed tornado version 6.5.5 requires Python>=3.10 and is used there + 89826: + reason: Fixed nltk version 3.9.4 requires Python>=3.10 and is used there + 90749: + reason: Fixed cryptography version 46.0.6 requires Python>=3.10 and is used there + 35073: + reason: Fixed pygments version 2.20.0 requires Python>=3.10 and is used there # Need to comment out due to issue https://github.com/pyupio/safety/issues/847 # SFTY-20260218-01424: # reason: Fixed nltk version 3.9.3 requires Python>=3.10 and is used there diff --git a/.safety-policy-install.yml b/.safety-policy-install.yml index 30374dc4..1d4d30db 100644 --- a/.safety-policy-install.yml +++ b/.safety-policy-install.yml @@ -28,6 +28,10 @@ security: # reason: {text} # optional: Reason for ignoring it. Will be reported in the Safety reports # expires: {date} # optional: Date when this ignore will expire ignore-vulnerabilities: + 90553: + reason: Fixed requests version 2.33.0 is not installable in the Python 3.9 CI environment, so Python 3.9 uses requests 2.32.4 + SFTY-20260122-20373: + reason: Fixed pytest version 9.0.3 is not installable in the Python 3.9 CI environment, so Python 3.9 uses pytest 8.4.0 # Continue with exit code 0 when vulnerabilities are found. continue-on-vulnerability-error: False diff --git a/changes/noissue.safety.fix.rst b/changes/noissue.safety.fix.rst index 5f0f6d97..c08b7c96 100644 --- a/changes/noissue.safety.fix.rst +++ b/changes/noissue.safety.fix.rst 
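Review bot: The five ignores added in this hunk (89481, 89032, 89826, 90749, 35073) have no `expires:` key, so they remain in force after Python 3.9 support ends and could then hide a real regression to an affected version. The justification in each `reason:` is specific to Python 3.9, but an ignore keyed by ID is not scoped to that environment. I would add `expires: <planned end of Python 3.9 support>` under each `reason:`, using the optional key shown in the template comment of .safety-policy-install.yml. The same applies to 90553 and SFTY-20260122-20373 in the .safety-policy-install.yml hunk.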
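Review bot: The `reason:` for 90553 explains why the fixed requests release cannot be installed on Python 3.9, but not whether the advisory is reachable through this package's use of requests. Unlike the develop-policy entries, requests is a direct install dependency (requirements.txt keeps `requests>=2.32.4; python_version == '3.9'`), so users on 3.9 keep running the affected version. I would record the assessment in the entry, for example by appending `; <impact of 90553 on this package's use of requests>` to the reason, and mention the residual exposure on Python 3.9 in the change fragment.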
@@ -1 +1 @@ -Fixed safety issues up to 2026-03-29. +Fixed safety issues up to 2026-05-06. diff --git a/dev-requirements.txt b/dev-requirements.txt index d3e249e0..54ad5b3f 100644 --- a/dev-requirements.txt +++ b/dev-requirements.txt @@ -66,7 +66,7 @@ safety-schemas>=0.0.16 dparse>=0.6.4 ruamel.yaml>=0.17.21 click>=8.0.2 -Authlib>=1.6.6 +Authlib>=1.6.9 marshmallow>=3.26.2 pydantic>=2.12.0 pydantic_core>=2.41.1 @@ -89,7 +89,7 @@ Sphinx>=7.2.0 docutils>=0.20.1 sphinx-git>=10.1.1 GitPython>=3.1.41 -Pygments>=2.15.0 +Pygments>=2.20.0 sphinx-rtd-theme>=2.0.0 sphinxcontrib-applehelp>=1.0.4 sphinxcontrib-devhelp>=1.0.2 @@ -168,7 +168,7 @@ pywin32>=303; sys_platform == 'win32' and python_version <= '3.11' pywin32>=306; sys_platform == 'win32' and python_version == '3.12' # The tornado package is used by ipykernel which is used by jupyter. -tornado>=6.5.3 +tornado>=6.5.5 # pyzmq 26.1.0 added wheel archives for Python 3.13 # pyzmq 27.0.1 added wheel archives for Python 3.14 diff --git a/extra-testutils-requirements.txt b/extra-testutils-requirements.txt index 9f02ca30..5e924da2 100644 --- a/extra-testutils-requirements.txt +++ b/extra-testutils-requirements.txt @@ -7,7 +7,8 @@ # Direct dependencies for install of extra 'testutils' (must be consistent with minimum-constraints-install.txt) # zhmcclient.testutils defines pytest fixtures: -pytest>=8.4.0 +pytest>=8.4.0; python_version == '3.9' +pytest>=9.0.3; python_version >= '3.10' # Packages used by zhmcclient.testutils that are also used by zhmcclient and thus # are specified already in requirements.txt: diff --git a/minimum-constraints-develop.txt b/minimum-constraints-develop.txt index 1b2aea25..99605067 100644 --- a/minimum-constraints-develop.txt +++ b/minimum-constraints-develop.txt @@ -49,7 +49,7 @@ safety-schemas==0.0.16 dparse==0.6.4 ruamel.yaml==0.17.21 click==8.0.2 -Authlib==1.6.6 +Authlib==1.6.9 marshmallow==3.26.2 pydantic==2.12.0 pydantic_core==2.41.1 
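Review bot: `Authlib>=1.6.9` in the first dev-requirements.txt hunk has no `python_version` marker, while the new ignore for 89481 states that Authlib 1.6.9 requires Python>=3.10. The same mismatch appears for `Pygments>=2.20.0` and `tornado>=6.5.5` in the next two hunks, and for the matching `==` pins and `cryptography==46.0.6` in minimum-constraints-develop.txt. If the reasons are accurate, these lines cannot be satisfied on Python 3.9 and should be split the way pytest is in this commit, e.g. `Authlib>=1.6.6; python_version == '3.9'` plus `Authlib>=1.6.9; python_version >= '3.10'`. If the fixed versions do install on 3.9, the ignore entries are unnecessary and should be dropped rather than left to suppress findings.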
@@ -69,7 +69,7 @@ Sphinx==7.2.0 docutils==0.20.1 sphinx-git==10.1.1 GitPython==3.1.41 -Pygments==2.15.0 +Pygments==2.20.0 sphinx-rtd-theme==2.0.0 sphinxcontrib-applehelp==1.0.4 sphinxcontrib-devhelp==1.0.2 @@ -165,7 +165,7 @@ cachetools==5.3.2 Click==8.0.2 clint==0.5.1 configparser==4.0.2 -cryptography==46.0.5 # used by Authlib, which is used by safety +cryptography==46.0.6 # used by Authlib, which is used by safety dataclasses==0.8 decorator==4.0.11 defusedxml==0.7.1 @@ -190,7 +190,7 @@ nest-asyncio==1.5.4 # nltk 3.9.3 fixes CVE-2025-14009 # Need to comment out nltk==3.9.2 due to issue https://github.com/pyupio/safety/issues/847 # nltk==3.9.2; python_version == '3.9' -nltk==3.9.3; python_version >= '3.10' +nltk==3.9.4; python_version >= '3.10' # nose is used by older versions of notebook, e.g. 4.3.1 nose==1.3.7 pandocfilters==1.4.1 @@ -220,7 +220,7 @@ testpath==0.3 toml==0.10.0 tomli==2.0.1 # used by towncrier tomli-w==1.2.0 # used by tox>=4.48.0 -tornado==6.5.3 +tornado==6.5.5 tqdm==4.66.3 traitlets==5.6.0 typing==3.6.1 diff --git a/minimum-constraints-install.txt b/minimum-constraints-install.txt index 603968d6..361df024 100644 --- a/minimum-constraints-install.txt +++ b/minimum-constraints-install.txt @@ -16,7 +16,8 @@ wheel==0.46.2 # Direct dependencies for install (must be consistent with requirements.txt) -requests==2.32.4 +requests==2.32.4; python_version == '3.9' +requests==2.33.0; python_version >= '3.10' stomp-py==8.1.1 immutabledict==4.2.0 nocasedict==1.0.2 @@ -38,7 +39,8 @@ urllib3==2.6.3 # Direct dependencies for install of extra 'testutils' (must be consistent with extra-testutils-requirements) # Used by zhmcclient.testutils -pytest==8.4.0 +pytest==8.4.0; python_version == '3.9' +pytest==9.0.3; python_version >= '3.10' # Indirect dependencies for install that are needed for some reason (must be consistent with requirements.txt) diff --git a/requirements.txt b/requirements.txt index 75afcf91..c6f886cd 100644 --- a/requirements.txt 
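Review bot: In the minimum-constraints-develop.txt hunk at `@@ -190,7 +190,7 @@`, the context comment `# nltk 3.9.3 fixes CVE-2025-14009` is left unchanged above the new pin `nltk==3.9.4`, so the file no longer says why the minimum is 3.9.4. I would add a line such as `# nltk 3.9.4 fixes Safety issue 89826` next to it, which is the ID this commit ignores for Python 3.9 in .safety-policy-develop.yml. The commented-out `nltk==3.9.2` line for 3.9 is still tied to the linked safety issue and can stay as is.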
+++ b/requirements.txt @@ -8,7 +8,8 @@ # requests 2.25.0 tolerates urllib3 1.26.5 which is needed on Python 3.10 to # remove ImportWarning in six -requests>=2.32.4 +requests>=2.32.4; python_version == '3.9' +requests>=2.33.0; python_version >= '3.10' stomp-py>=8.1.1