-
Notifications
You must be signed in to change notification settings - Fork 27
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security patching #191
Merged
Merged
Security patching #191
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…into guhidalgo/securitypatching
TomAugspurger
approved these changes
Apr 15, 2024
mmcfarland
approved these changes
Apr 16, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Although this change ballooned in scope, the original intent was:
orjson
to 3.9.15azure-storage-blob
to 12.19.1 (this induces anazurite
upgrade during development)urllib3
to 1.26.18Pillow
to 10.2.0requests
to 2.31.0setuptools
to 65.5.1All to address public CVEs.
The remaining changes then became:
requirements*.txt
files to enumerate and install Python dependencies. This makes responding to vulnerabilities easier because exact depenency versions are listed.pip
instead of conda. This is possible now, and not before, because a version ofrasterio
with a version of GDAL that support LERC compression is available through pip instead of conda.pip
caching to work.I had to merge #190 into my branch to make API validation pass, so this PR should be reviewed after that one to minimize the diff.
Type of change
How Has This Been Tested?
The one non-trivial change that needed testing was rasterio's LERC support.
I verified that rasterio 1.3.6 (previous version) when installed through
pip
would throw an exception when reading a COG with LERC compression.The current rasterio (
1.3.9
) is able to open and read the asset.Checklist:
Please delete options that are not relevant.