From 8d0d3a98ae385ed3a672b4083cc7da7ed7052142 Mon Sep 17 00:00:00 2001
From: Johan Bloemberg
Date: Mon, 28 Aug 2023 10:03:28 +0200
Subject: [PATCH] Security updates

---
 Makefile | 6 +++---
 requirements-deploy.in | 2 +-
 requirements-deploy.txt | 23 +++++++++++++++++------
 requirements-dev.in | 4 ++--
 requirements-dev.txt | 26 +++++++++++++++++++-------
 requirements.in | 2 +-
 requirements.txt | 12 ++++++++----
 security-constraints.in | 13 +++++++++++++
 8 files changed, 64 insertions(+), 24 deletions(-)

diff --git a/Makefile b/Makefile
index 5a147b56..04584904 100644
--- a/Makefile
+++ b/Makefile
@@ -66,13 +66,13 @@ ${VIRTUAL_ENV}/.requirements.installed: requirements.txt requirements-dev.txt |
 # perform 'pip freeze' on first class requirements in .in files.
 requirements: requirements.txt requirements-dev.txt requirements-deploy.txt
 # perform 'pip freeze' on first class requirements in .in files.
-requirements.txt: requirements.in | ${pip-compile}
+requirements.txt: requirements.in security-constraints.in | ${pip-compile}
 	${pip-compile} ${pip_compile_args} --resolver=backtracking --output-file $@ $<
-requirements-dev.txt: requirements-dev.in requirements.in | ${pip-compile}
+requirements-dev.txt: requirements-dev.in requirements.in security-constraints.in | ${pip-compile}
 	${pip-compile} ${pip_compile_args} --resolver=backtracking --output-file $@ $<
-requirements-deploy.txt: requirements-deploy.in requirements.in | ${pip-compile}
+requirements-deploy.txt: requirements-deploy.in requirements.in security-constraints.in | ${pip-compile}
 	${pip-compile} ${pip_compile_args} --resolver=backtracking --output-file $@ $<
 update_requirements: pip_compile_args=--upgrade --resolver=backtracking
diff --git a/requirements-deploy.in b/requirements-deploy.in
index 77169185..0d865e56 100644
--- a/requirements-deploy.in
+++ b/requirements-deploy.in
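Review bot: The rebuilt rules for requirements-dev.txt and requirements-deploy.txt still list `requirements.in` as a prerequisite, but the file pip-compile actually reads for those targets is the generated constraint file `requirements.txt` (requirements-deploy.in carries `-c requirements.txt`, visible in the next hunk), so nothing in the graph orders the three compilations and `make -j requirements` can resolve the dev/deploy lockfiles against a stale or half-written requirements.txt. Naming the generated file expresses the real edge and keeps `$<` as the .in file: `requirements-deploy.txt: requirements-deploy.in requirements.txt security-constraints.in | ${pip-compile}`, and likewise `requirements-dev.txt: requirements-dev.in requirements.txt security-constraints.in | ${pip-compile}`. Separately, the regenerated lockfile headers in this patch no longer record `--resolver=backtracking` while this recipe (and `update_requirements`) still pass it, which suggests the pins were produced by a different pip-compile invocation or pip-tools version than `make requirements`; pinning pip-tools in the dev requirements and regenerating through the Makefile would keep the security pins reproducible.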
@@ -3,7 +3,7 @@ # make sure there are no version conflicts with requirements.txt -c requirements.txt -git+https://gitlab.com/internet-cleanup-foundation/web-security-map@483583988ead67b23ed94621c37c56ab95a61fd1#egg=websecmap[deploy] +websecmap[deploy] @ git+https://gitlab.com/internet-cleanup-foundation/web-security-map@6fcf0110e5809fceb0ddf93b8553804a7cc52151 # include (security) version constraints for non primary dependencies -c security-constraints.in diff --git a/requirements-deploy.txt b/requirements-deploy.txt index 4f672cd2..2859d42d 100644 --- a/requirements-deploy.txt +++ b/requirements-deploy.txt @@ -2,7 +2,7 @@ # This file is autogenerated by pip-compile with Python 3.10 # by the following command: # -# pip-compile --output-file=requirements-deploy.txt --resolver=backtracking requirements-deploy.in +# pip-compile --output-file=requirements-deploy.txt requirements-deploy.in # aiohttp==3.8.4 # via @@ -70,9 +70,10 @@ celery-statsd==1.0.0 # via # -c requirements.txt # websecmap -certifi==2023.5.7 +certifi==2023.7.22 # via # -c requirements.txt + # -c security-constraints.in # requests # sentry-sdk # websecmap @@ -96,9 +97,10 @@ colorlog==6.7.0 # via # -c requirements.txt # websecmap -cryptography==41.0.1 +cryptography==41.0.3 # via # -c requirements.txt + # -c security-constraints.in # pyopenssl # websecmap decorator==5.1.1 @@ -123,6 +125,8 @@ diff-match-patch==20230430 # websecmap django==4.2.3 # via + # -c requirements.txt + # -c security-constraints.in # django-celery-beat # django-colorful # django-cors-headers @@ -291,6 +295,7 @@ lml==0.1.0 # websecmap lxml==4.9.2 # via + # -c requirements.txt # -c security-constraints.in # dnsrecon # websecmap @@ -360,6 +365,7 @@ osm2geojson==0.2.4 # websecmap pillow==9.5.0 # via + # -c requirements.txt # -c security-constraints.in # python-resize-image # websecmap 
@@ -514,6 +520,7 @@ six==1.16.0 # via # -c requirements.txt # celery-statsd + # django-jet-reboot # python-dateutil # python-monkey-business # requests-file @@ -525,6 +532,7 @@ soupsieve==2.4.1 # websecmap sqlparse==0.4.4 # via + # -c requirements.txt # -c security-constraints.in # django # websecmap @@ -583,8 +591,9 @@ urllib3==1.26.6 # requests # sentry-sdk # websecmap -uwsgi==2.0.21 +uwsgi==2.0.22 # via + # -c security-constraints.in # -r requirements-deploy.in # websecmap validators==0.20.0 @@ -598,8 +607,10 @@ vine==1.3.0 # celery # flower # websecmap -websecmap @ git+https://gitlab.com/internet-cleanup-foundation/web-security-map@483583988ead67b23ed94621c37c56ab95a61fd1 - # via -r requirements-deploy.in +websecmap[deploy] @ git+https://gitlab.com/internet-cleanup-foundation/web-security-map@6fcf0110e5809fceb0ddf93b8553804a7cc52151 + # via + # -c requirements.txt + # -r requirements-deploy.in wikidata==0.7.0 # via # -c requirements.txt diff --git a/requirements-dev.in b/requirements-dev.in index 8508d766..29209b75 100644 --- a/requirements-dev.in +++ b/requirements-dev.in @@ -18,9 +18,9 @@ django-extensions django-debug-toolbar django-debug-toolbar-request-history pytest-mock -git+https://gitlab.com/internet-cleanup-foundation/web-security-map@483583988ead67b23ed94621c37c56ab95a61fd1#egg=websecmap +websecmap @ git+https://gitlab.com/internet-cleanup-foundation/web-security-map@6fcf0110e5809fceb0ddf93b8553804a7cc52151 # use the version with relaxed attr requirements -git+https://github.com/avast/pytest-docker@519b155009b6f3570c01f1f56e7c4e6ce3c5c760 +pytest-docker @ git+https://github.com/avast/pytest-docker@519b155009b6f3570c01f1f56e7c4e6ce3c5c760 # docs / readthedocs.io sphinx diff --git a/requirements-dev.txt b/requirements-dev.txt index 6eddc39b..f90c5b56 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt 
@@ -2,7 +2,7 @@ # This file is autogenerated by pip-compile with Python 3.10 # by the following command: # -# pip-compile --output-file=requirements-dev.txt --resolver=backtracking requirements-dev.in +# pip-compile --output-file=requirements-dev.txt requirements-dev.in # aiohttp==3.8.4 # via @@ -85,9 +85,10 @@ celery-statsd==1.0.0 # via # -c requirements.txt # websecmap -certifi==2023.5.7 +certifi==2023.7.22 # via # -c requirements.txt + # -c security-constraints.in # requests # sentry-sdk # websecmap @@ -121,9 +122,10 @@ coverage[toml]==7.2.7 # via # -r requirements-dev.in # pytest-cov -cryptography==41.0.1 +cryptography==41.0.3 # via # -c requirements.txt + # -c security-constraints.in # pyopenssl # types-pyopenssl # types-redis @@ -152,6 +154,8 @@ dill==0.3.6 # via pylint django==4.2.3 # via + # -c requirements.txt + # -c security-constraints.in # django-celery-beat # django-colorful # django-cors-headers @@ -306,8 +310,10 @@ gevent==22.10.2 # websecmap gitdb==4.0.10 # via gitpython -gitpython==3.1.31 - # via bandit +gitpython==3.1.32 + # via + # -c security-constraints.in + # bandit googlemaps==4.10.0 # via # -c requirements.txt @@ -370,6 +376,7 @@ lml==0.1.0 # websecmap lxml==4.9.2 # via + # -c requirements.txt # -c security-constraints.in # dnsrecon # websecmap @@ -465,6 +472,7 @@ phonenumberslite==8.13.15 # via -r requirements-dev.in pillow==9.5.0 # via + # -c requirements.txt # -c security-constraints.in # python-resize-image # reportlab @@ -690,6 +698,7 @@ six==1.16.0 # via # -c requirements.txt # celery-statsd + # django-jet-reboot # livereload # python-dateutil # python-monkey-business @@ -732,6 +741,7 @@ sphinxcontrib-serializinghtml==1.1.5 # via sphinx sqlparse==0.4.4 # via + # -c requirements.txt # -c security-constraints.in # django # django-debug-toolbar 
@@ -848,8 +858,10 @@ vine==1.3.0 # websecmap vulture==2.7 # via -r requirements-dev.in -websecmap @ git+https://gitlab.com/internet-cleanup-foundation/web-security-map@483583988ead67b23ed94621c37c56ab95a61fd1 - # via -r requirements-dev.in +websecmap @ git+https://gitlab.com/internet-cleanup-foundation/web-security-map@6fcf0110e5809fceb0ddf93b8553804a7cc52151 + # via + # -c requirements.txt + # -r requirements-dev.in wikidata==0.7.0 # via # -c requirements.txt diff --git a/requirements.in b/requirements.in index 6cde0f59..c4aefd72 100644 --- a/requirements.in +++ b/requirements.in @@ -9,7 +9,7 @@ # - no version pinning, unless it is required and explained # to update websecmap, update the SHA hash and run: make update_requirement_websecmap -git+https://gitlab.com/internet-cleanup-foundation/web-security-map@483583988ead67b23ed94621c37c56ab95a61fd1#egg=websecmap +websecmap @ git+https://gitlab.com/internet-cleanup-foundation/web-security-map@6fcf0110e5809fceb0ddf93b8553804a7cc52151 django-otp django-two-factor-auth>1.15 diff --git a/requirements.txt b/requirements.txt index 7898cdfe..dcf9a808 100644 --- a/requirements.txt +++ b/requirements.txt @@ -2,7 +2,7 @@ # This file is autogenerated by pip-compile with Python 3.10 # by the following command: # -# pip-compile --output-file=requirements.txt --resolver=backtracking requirements.in +# pip-compile --output-file=requirements.txt requirements.in # aiohttp==3.8.4 # via @@ -53,8 +53,9 @@ celery[gevent,redis]==4.4.7 # websecmap celery-statsd==1.0.0 # via websecmap -certifi==2023.5.7 +certifi==2023.7.22 # via + # -c security-constraints.in # requests # sentry-sdk # websecmap @@ -73,8 +74,9 @@ charset-normalizer==3.1.0 # websecmap colorlog==6.7.0 # via websecmap -cryptography==41.0.1 +cryptography==41.0.3 # via + # -c security-constraints.in # pyopenssl # websecmap decorator==5.1.1 
@@ -94,6 +96,7 @@ diff-match-patch==20230430 # websecmap django==4.2.3 # via + # -c security-constraints.in # django-activity-stream # django-celery-beat # django-colorful @@ -406,6 +409,7 @@ simplejson==3.19.1 six==1.16.0 # via # celery-statsd + # django-jet-reboot # python-dateutil # python-monkey-business # requests-file @@ -471,7 +475,7 @@ vine==1.3.0 # celery # flower # websecmap -websecmap @ git+https://gitlab.com/internet-cleanup-foundation/web-security-map@483583988ead67b23ed94621c37c56ab95a61fd1 +websecmap @ git+https://gitlab.com/internet-cleanup-foundation/web-security-map@6fcf0110e5809fceb0ddf93b8553804a7cc52151 # via -r requirements.in wikidata==0.7.0 # via websecmap diff --git a/security-constraints.in b/security-constraints.in index 45c8a7b5..fc511135 100644 --- a/security-constraints.in +++ b/security-constraints.in @@ -27,3 +27,16 @@ Django>=3.1.14 # GHSA-p5w8-wqhj-9hhf sqlparse>=0.4.2 + +# https://github.com/internetstandards/Internet.nl-dashboard/security/dependabot/131 +gitpython>=3.1.32 + +# https://github.com/internetstandards/Internet.nl-dashboard/security/dependabot/141 +uwsgi>=2.0.22 + +# https://github.com/internetstandards/Internet.nl-dashboard/security/dependabot/140 +certifi>=2023.7.22 + +# https://github.com/internetstandards/Internet.nl-dashboard/security/dependabot/137 +cryptography>=41.0.2 +
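Review bot: The four new floors in security-constraints.in are justified only by links to this repository's Dependabot alerts (`…/security/dependabot/131`, `/141`, `/140`, `/137`), which are visible only to people with security access on the repo, whereas the existing sqlparse entry just above records the public advisory id (`# GHSA-p5w8-wqhj-9hhf`). Anyone auditing these constraints later, or reusing the file outside the organisation, cannot tell what each floor protects against or whether it is still sufficient, so each new entry should carry the GHSA or CVE id from the alert next to the Dependabot link, in the file's existing style, e.g. `# https://github.com/internetstandards/Internet.nl-dashboard/security/dependabot/140` followed by `# <GHSA/CVE id>: <one-line summary of the fix>`. The `cryptography>=41.0.2` floor is lower than the 41.0.3 the lockfiles resolved to; that is correct for a constraints file (it records the first fixed release, the lock pins the installed version), but the advisory id is what makes that choice verifiable.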