Upgrade dependencies on v2 banch #1992
Conversation
The main goal was upgrading werkzeug for CVE-2024-34069. After switching to python 3.12, it proved more difficult with changes to setuptools, etc. I decided to pull the pyproject from the main, and utilize that, alone with updated dependencies. Small changes were needed in various api changes, notably: - flask change of request_ctx - swagger_ui_bundle version change, default_template_dir change - aiohttp middleware api slightly changed - flask json change, using flask.json.provider I believe these changes will have minimal impact to users, but the changes are likely breaking for some, specifically, the move to latest flask. fixes spec-first#1969 Signed-off-by: Mike Marchetti <[email protected]>
mfmarche
force-pushed
the
upgrade_deps
branch
5 times, most recently
from
90ddbe0
to
d3849b4
Compare
aiohttp has conflicting requirements for latest updates, where python3.8 is deprecated. Remove 3.8 support to simplify the requirements to take latest. Signed-off-by: Mike Marchetti <[email protected]>
mfmarche
force-pushed
the
upgrade_deps
branch
from
d3849b4
to
3d67f16
Compare
|
I tried to fixup the readthedocs build, i'm not sure how to resolve the issue. It could be a conflicting dependency? Is this build job required on this branch? |
There was a problem hiding this comment.
Thanks @mfmarche!
I haven't gone through the code changes in detail yet, but the passing tests with limited changes look promising!
The docs pipeline is configured in this repo in .readthedocs.yaml, the dependencies are defined in pyproject.toml. The pipeline runs on ReadTheDocs. I suspect the issue is due to a mismatch in sphinx and sphinx-autoapi versions (logs).
I don't want to break people's projects relying on Connexion 2 by releasing breaking changes. However I am open to releasing this fix under the connexion2 pypi name instead.
README.md
Outdated
There was a problem hiding this comment.
We should keep the old README on this branch, so the information and examples match the code.
Dockerfile3.9
Outdated
There was a problem hiding this comment.
I assume we can remove setup.cfg and setup.py now?
| 3.9: py39-pypi | ||
| 3.10: py310-pypi | ||
| 3.11: py311-pypi,pre-commit | ||
| 3.12: py312-pypi |
There was a problem hiding this comment.
The github actions workflow should be updated to match this.
pyproject.toml
Outdated
| PyYAML = ">= 5.1" | ||
| requests = ">= 2.27" | ||
| typing-extensions = ">= 4.6.1" | ||
| werkzeug = ">= 2.2.1" |
There was a problem hiding this comment.
Let's bump this to a version with the CVE fixes, since this was the main reason for this PR.
3.1.3 is the version used in the 3.9 workflow with passing tests.
- fixup doc genenerator, using config from main. Too many issues encountered trying to get a working autoapi version to work with sphinx. Decided to adopt a more recent version of sphinx and utilized Connexion/main's docs/conf.py file. - add pipeline builds for supported python - snap werkzeug version to address CVE's Signed-off-by: Mike Marchetti <[email protected]>
|
thanks @RobbeSneyders for the review. I addressed all issues I believe. |
Fixes #1969