
Upgrade Python Version and Several Other Packages for Security #3303

Merged
merged 18 commits into from
Mar 13, 2024

Conversation

MaggieFero
Contributor

Hello! Our fork is now successfully running in production with significant security-relevant package upgrades, and is otherwise mostly equivalent to bookwyrm-social/main (with some small changes that are based on preference for our instance, and that I wouldn't expect to affect upgrade feasibility).

This PR proposes the same set of changes for the upstream bookwyrm-social repo, now that we're confident they're working in prod.

The upgrades include:

Python 3.9->3.11 (and equivalent -bookworm versions for devtools)
Celery 5.2.7->5.3.1
django-celery-beat 2.4.0->2.5.0
django-compressor 4.3.1->4.4
flower 1.2->2.0
psycopg2 2.9.5->2.9.7
pytest 6.1.2->6.2.5
pylint 2.14.0->2.15.0

We also added the following new pins:

grpcio version at 1.57.0
tornado at 6.3.3
setuptools at 65.5.1

Finally, we alphabetized requirements.txt within each section and removed a duplicate types.requests dependency for developer convenience.

Note that one linter exclusion was added as a result of this Python upgrade; imghdr is deprecated in the 3.11 version of Python. It won't be removed until 3.13 and I didn't see any obvious replacement for now, so I'll file an issue for removing it (and the linter exception) but for now I've set that one instance of the rule to ignore.
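The description above mentions alphabetizing requirements.txt within each section, removing a duplicate dependency and raising a set of package pins. The following checker is an added example, not code from this PR or from the bookwyrm project, that parses a section-structured requirements file and reports duplicates, unsorted sections and any package still below the floor the PR sets; the sample file and the types-requests version in it are constructed.

```python
import re
from collections import defaultdict
# Constructed sample in the layout the PR describes: comment-headed sections, one
# exact pin per line, a duplicated types-requests entry, pytest still at the old pin.
SAMPLE_REQUIREMENTS = """\
# Core
celery==5.3.1
tornado==6.3.3
psycopg2==2.9.7
# Dev
pylint==2.15.0
pytest==6.1.2
types-requests==2.31.0.1
types-requests==2.31.0.1
"""
# Version floors taken from the PR description (names normalised to lower case).
EXPECTED_MINIMUMS = {"celery": "5.3.1", "psycopg2": "2.9.7", "tornado": "6.3.3",
                     "pytest": "6.2.5", "pylint": "2.15.0"}
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)$")
def version_tuple(v):
    # Numeric comparison; non-numeric parts count as 0, enough for '==' pins like these.
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def parse_requirements(text):
    """Map each comment-headed section to its [(name, version)] pins in file order."""
    sections, section = defaultdict(list), "(none)"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            section = line.lstrip("# ")
        elif line:
            m = PIN_RE.match(line)
            if not m:  # reject anything that is not an exact pin rather than guess
                raise ValueError(f"line {lineno}: not an exact '==' pin: {line!r}")
            sections[section].append((m.group(1).lower().replace("_", "-"), m.group(2)))
    return dict(sections)

def find_duplicates(sections):
    counts = defaultdict(int)
    for name, _ in (pin for pins in sections.values() for pin in pins):
        counts[name] += 1
    return sorted(n for n, c in counts.items() if c > 1)
def unsorted_sections(sections):
    return [s for s, pins in sections.items()
            if [n for n, _ in pins] != sorted(n for n, _ in pins)]

def below_minimum(sections, minimums=EXPECTED_MINIMUMS):
    return {n: (v, minimums[n]) for pins in sections.values() for n, v in pins
            if n in minimums and version_tuple(v) < version_tuple(minimums[n])}
```

Run against a real requirements.txt by passing its contents to parse_requirements; a duplicate pin or an unsorted section is a review finding, and a package below its floor means the upgrade did not land.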

@MaggieFero MaggieFero marked this pull request as draft March 3, 2024 01:26
@MaggieFero
Contributor Author

I had forgotten we also set a second linter exclusion, for
bookwyrm/activitypub/base_activity.py:23:0: C0103: Type variable name "TBookWyrmModel" doesn't conform to predefined naming style (invalid-name)

We didn't name that variable on our fork, and we didn't want to change variable names from upstream, so we added an exclusion. For this repo, I'm adding the same exclusion for now, but feel free to adjust as desired (though that's probably a separate PR).

@MaggieFero MaggieFero marked this pull request as ready for review March 3, 2024 01:48
@MaggieFero
Contributor Author

@mouse-reeve This is the PR I had emailed you before submitting. Is there anything else I can do to help make this easier to review and merge? I'm a little concerned that it becomes more likely to cause issues the more other things people write against the Python version this changes.

@Minnozz

Minnozz commented Mar 13, 2024

I'll fix the conflicts with #3318 once this one is merged.

@mouse-reeve
Member

Ah, I apologize @MaggieFero, that's all on me; I'm taking a look at merging now.

@mouse-reeve mouse-reeve merged commit a3465e6 into bookwyrm-social:main Mar 13, 2024
10 checks passed