Merge branch 'main' into docs-audit

Author: lukegalbraithrussell

.github/workflows/ci-build.yml

@@ -20,7 +20,7 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
       - name: Set up Python ${{ env.LATEST_SUPPORTED_PY }}
@@ -37,7 +37,7 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
       - name: Set up Python ${{ env.LATEST_SUPPORTED_PY }}
@@ -71,7 +71,7 @@ jobs:
       CI_LARGE_SOCKET_MODE_PAYLOAD_TESTING_DISABLED: "1"
       FORCE_COLOR: "1"
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
       - name: Set up Python ${{ matrix.python-version }}
@@ -95,7 +95,7 @@ jobs:
           PYTHONPATH=$PWD:$PYTHONPATH pytest tests/slack_sdk/oauth/state_store/test_sqlalchemy.py
       - name: Upload test results to Codecov
         if: ${{ !cancelled() }}
-        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
         with:
           directory: ./reports/
           fail_ci_if_error: true
@@ -105,7 +105,7 @@ jobs:
           verbose: true
       - name: Upload test coverage to Codecov (only with latest supported version)
         if: startsWith(matrix.python-version, env.LATEST_SUPPORTED_PY)
-        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
         with:
           fail_ci_if_error: true
           # Run validation generates the coverage file
@@ -136,7 +136,7 @@ jobs:
           --health-timeout 5s
           --health-retries 5
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           persist-credentials: false
       - name: Set up Python ${{ env.LATEST_SUPPORTED_PY }}
@@ -174,7 +174,7 @@ jobs:
     if: ${{ !success() && github.ref == 'refs/heads/main' && github.event_name != 'workflow_dispatch' }}
     steps:
       - name: Send notifications of failing tests
-        uses: slackapi/slack-github-action@03ea5433c137af7c0495bc0cad1af10403fc800c # v3.0.2
+        uses: slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c # v3.0.3
         with:
           errors: true
           webhook: ${{ secrets.SLACK_REGRESSION_FAILURES_WEBHOOK_URL }}

.github/workflows/pypi-release.yml

@@ -18,7 +18,7 @@ jobs:
       contents: read
 
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           ref: ${{ github.event.release.tag_name || github.ref }}
           persist-credentials: false

.github/workflows/triage-issues.yml

@@ -16,7 +16,7 @@ jobs:
       issues: write
       pull-requests: write
     steps:
-      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
+      - uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10.3.0
         with:
           days-before-issue-stale: 30
           days-before-issue-close: 10

SECURITY.md

@@ -0,0 +1,7 @@
+## Security
+
+Please report any security issue to [https://www.sfdc.co/SubmitVuln](https://www.sfdc.co/SubmitVuln)
+as soon as it is discovered. This library limits its runtime dependencies in
+order to reduce the total cost of ownership as much as can be, but all consumers
+should remain vigilant and have their security stakeholders review all third-party
+products (3PP) like this one and their dependencies.

requirements/databases.txt

@@ -2,4 +2,4 @@
 
 # PostgreSQL drivers
 psycopg2-binary>=2.9,<3
-asyncpg>=0.27,<1
+asyncpg>=0.31.0,<1

requirements/documentation.txt

@@ -1,2 +1,2 @@
-docutils==0.22.4
+docutils==0.23
 pdoc3==0.11.6

requirements/testing.txt

@@ -4,15 +4,16 @@ aiohttp<3.11; python_version == "3.8"  # used for a WebSocket server mock
 aiohttp<4; python_version >= "3.9"  # used for a WebSocket server mock
 pytest>=7.0.1,<9
 pytest-asyncio<2  # for async
-pytest-cov>=2,<8
+pytest-cov>=4,<7.1.0; python_version < "3.9"
+pytest-cov>=7.1.0,<8; python_version >= "3.9"
 click==8.0.4  # black is affected by https://github.com/pallets/click/issues/2225
 psutil>=6.0.0,<8
 # cryptography 46+ dropped PyPy 3.10 wheels; pin to <46 for PyPy 3.10 only
 cryptography<46; implementation_name == "pypy" and python_version == "3.10"
 #  used only under slack_sdk/*_store
 boto3<=2
 # For AWS tests
-moto>=4.0.13,<6
+moto>=4.2.14,<6
 # For AsyncSQLAlchemy tests
 greenlet<=4
 aiosqlite<=1

requirements/tools.txt

@@ -1,7 +1,7 @@
 mypy<=1.19.1;
 # while flake8 5.x have issues with Python 3.12, flake8 6.x requires Python >= 3.8.1,
 # so 5.x should be kept in order to stay compatible with Python 3.7/3.8
-flake8>=5.0.4,<8
+flake8>=7.3.0,<8
 #  Don't change this version without running CI builds;
 #  The latest version may not be available for older Python runtime
 black==24.3.0;

slack_sdk/signature/__init__.py

@@ -29,6 +29,18 @@ def __init__(self, signing_secret: str, clock: Clock = Clock()):
         self.signing_secret = signing_secret
         self.clock = clock
 
+    @property
+    def signing_secret(self) -> str:
+        return self._signing_secret
+
+    @signing_secret.setter
+    def signing_secret(self, value: str) -> None:
+        if not isinstance(value, str):
+            raise ValueError("signing_secret must be a string")
+        if not value.strip():
+            raise ValueError("signing_secret must not be empty.")
+        self._signing_secret = value
+
     def is_valid_request(
         self,
         body: Union[str, bytes],

tests/signature/test_signature_verifier.py

@@ -97,3 +97,23 @@ def test_is_valid_none(self):
         self.assertFalse(verifier.is_valid(None, self.timestamp, None))
         self.assertFalse(verifier.is_valid(self.body, None, None))
         self.assertFalse(verifier.is_valid(None, None, None))
+
+    def test_invalid_signing_secret(self):
+        with self.assertRaises(ValueError):
+            SignatureVerifier("")
+        with self.assertRaises(ValueError):
+            SignatureVerifier("   ")
+        with self.assertRaises(ValueError):
+            SignatureVerifier(None)
+        with self.assertRaises(ValueError):
+            SignatureVerifier(123)
+        with self.assertRaises(ValueError):
+            SignatureVerifier(b"secret")
+
+    def test_invalid_signing_secret_reassignment(self):
+        verifier = SignatureVerifier(self.signing_secret)
+        with self.assertRaises(ValueError):
+            verifier.signing_secret = ""
+        with self.assertRaises(ValueError):
+            verifier.signing_secret = None
+        self.assertEqual(verifier.signing_secret, self.signing_secret)