chore(deps): bump minimum requests to 2.31 (CVE-2018-18074) #5218
| "opentelemetry-sdk ~= 1.42.0.dev", | ||
| "opentelemetry-exporter-otlp-proto-common == 1.42.0.dev", | ||
| "requests ~= 2.7", | ||
| "requests ~= 2.31", |
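Review bot: `~= 2.31` is a PEP 440 compatible-release clause, equivalent to `>= 2.31, == 2.*`, so this change raises only the floor and still admits 2.32, which the description reports as failing CI; if 2.32 must be excluded for the test environment that belongs in the pinned requirements file, not in this library bound, and as the reviewers note this specifier does not control which requests version downstream images end up installing.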
These are for compatibility of the API and do not dictate what end users will end up with.
IOW, the requirements / uv.lock / docker images downstream people are using should be kept up to date; we occasionally bump ours, but they are just for testing.
| requests==2.28.2 | ||
| # docker-py < 7's UnixHTTPAdapter overrides only get_connection, which | ||
| # requests >= 2.32 no longer calls; pin requests below 2.32 here. | ||
| requests==2.31.0 |
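Review bot: the new comment records the ceiling (docker-py &lt; 7's UnixHTTPAdapter overrides only get_connection, which requests &gt;= 2.32 no longer calls) but not why the floor moved from 2.28.2 to 2.31.0; adding the CVE-2018-18074 reference from the PR title to the comment would keep both rationales next to the pin, and since `requests==2.31.0` is an exact pin rather than an upper bound, "pin requests below 2.32" could read "pin requests at 2.31.0" to match what the line actually does.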
To work around this we've started using the system docker in -contrib, see open-telemetry/opentelemetry-python-contrib@23ac232
I agree with @xrmx here,
Thanks both for the review, I'll close based on the discussion.
Description
An image scanner for a downstream build depending on the otel-injector triggered a CVE-2018-18074 alert. Investigation showed that the otel-injector depends on an outdated version of the `requests` package as a transitive dependency via this repo (opentelemetry-python). This PR bumps the `requests` dependency floor to `~= 2.31`, for consistency with several existing `requirements.txt` files across this repo, for minimum impact and compatibility. Note that `2.32` was originally tried but found to be incompatible via CI checks on 0e17e3d.
Type of change
How Has This Been Tested?
I'm not familiar with this repo, so I'm open to guidance on test requirements outside of the standard PR checks, if any.