
Security patching #191

Merged
merged 22 commits into from
Apr 16, 2024
Conversation

@ghidalgo3 ghidalgo3 commented Mar 27, 2024

Description

Although this change ballooned in scope, the original intent was:

  1. Upgrade orjson to 3.9.15
  2. Upgrade azure-storage-blob to 12.19.1 (this induces an azurite upgrade during development)
  3. Upgrade urllib3 to 1.26.18
  4. Upgrade Pillow to 10.2.0
  5. Upgrade requests to 2.31.0
  6. Upgrade setuptools to 65.5.1

All to address public CVEs.

The remaining changes then became:

  1. Generating and using requirements*.txt files to enumerate and install Python dependencies. This makes responding to vulnerabilities easier because exact dependency versions are listed.
  2. Improving upon "Use conda for tiler dependencies, support LERC rasters" (#169) and "Reduce image size of pctiler build" (#171) to now use pip instead of conda. This is possible now, and not before, because a version of rasterio with a version of GDAL that supports LERC compression is available through pip instead of conda.
  3. Various Dockerfile optimizations to allow pip caching to work.

I had to merge #190 into my branch to make API validation pass, so this PR should be reviewed after that one to minimize the diff.

Type of change

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

The one non-trivial change that needed testing was rasterio's LERC support.
I verified that rasterio 1.3.6 (previous version) when installed through pip would throw an exception when reading a COG with LERC compression.
The current rasterio (1.3.9) is able to open and read the asset.

Checklist:

Please delete options that are not relevant.

  • I have performed a self-review
  • Documentation has been updated
  • Unit tests pass locally (./scripts/test)
  • Code is linted and styled (./scripts/format)

@ghidalgo3 ghidalgo3 marked this pull request as ready for review March 28, 2024 17:03
@ghidalgo3 ghidalgo3 changed the title Guhidalgo/securitypatching Security patching Mar 28, 2024
@ghidalgo3 ghidalgo3 requested a review from TomAugspurger April 15, 2024 19:50
@ghidalgo3 ghidalgo3 merged commit d68ec50 into main Apr 16, 2024
3 checks passed