
Update Python requirements to fix more CVEs #105853


Merged

Conversation

StephanTLavavej
Member

Followup to #90109.

In Microsoft, our automated scans are warning that LLVM has vulnerable dependencies. Specifically:

I've updated LLVM's dependencies by running the following commands in llvm/utils/git:

pip-compile --upgrade --generate-hashes --output-file=requirements.txt requirements.txt.in
pip-compile --upgrade --generate-hashes --output-file=requirements_formatting.txt requirements_formatting.txt.in

Note that for requirements_formatting.txt this adds --generate-hashes (according to my vague understanding, it's highly desirable and was already used for requirements.txt) and was locally run within llvm/utils/git (changing the recorded command, which apparently was originally run from the repo root - again, requirements.txt was already being regenerated with a locally run command, so this increases consistency).

I observe that this has updated the relevant components to pick up the CVE fixes. Note that I am largely clueless in this area, so I hope that (like #90109) no other changes will be necessary.

In llvm/utils/git I ran:

pip-compile --upgrade --generate-hashes --output-file=requirements.txt requirements.txt.in
pip-compile --upgrade --generate-hashes --output-file=requirements_formatting.txt requirements_formatting.txt.in
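Why `--generate-hashes` matters is easier to see with both halves of the workflow side by side. The following is an added example written for this page, not code from the LLVM repository or from pip-tools: it mimics what `pip-compile --generate-hashes` records (one `--hash=sha256:` per published artifact of each pinned version) and what `pip install --require-hashes` then enforces (every requirement must be `==`-pinned and carry hashes, and the downloaded bytes must match one of them). The artifact bytes, package names and versions are constructed stand-ins; real hashes come from the files fetched from the index.

```python
"""Hash-pinned requirements in the spirit of `pip-compile --generate-hashes`.

Added example, not LLVM's or pip-tools' code. It shows (1) recording the
sha256 of each artifact beside its pin, as pip-compile does, and (2) refusing
an artifact whose digest does not match, as `pip install --require-hashes`
does. All artifact bytes below are constructed; nothing is fetched.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed stand-ins for wheel/sdist bytes (real ones come from the index).
ARTIFACTS = {
    "certifi": {"certifi-2024.7.4-py3-none-any.whl": b"constructed certifi wheel"},
    "urllib3": {
        "urllib3-2.2.2-py3-none-any.whl": b"constructed urllib3 wheel",
        "urllib3-2.2.2.tar.gz": b"constructed urllib3 sdist",
    },
}
VERSIONS = {"certifi": "2024.7.4", "urllib3": "2.2.2"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compile_with_hashes(versions: dict, artifacts: dict) -> str:
    """Emit `name==ver --hash=sha256:...` blocks, one hash per artifact,
    using pip-compile's backslash-continuation layout."""
    blocks = []
    for name in sorted(versions):
        digests = sorted(sha256_hex(b) for b in artifacts[name].values())
        lines = [f"{name}=={versions[name]}"]
        lines += [f"    --hash=sha256:{d}" for d in digests]
        blocks.append(" \\\n".join(lines))
    return "\n".join(blocks) + "\n"


@dataclass
class Pin:
    name: str
    version: str
    hashes: set = field(default_factory=set)  # entries look like "sha256:<hex>"


PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)==(\S+)")
HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")


def parse_requirements(text: str) -> dict:
    """Join continuation lines, then require every requirement to be ==-pinned
    (anything else is rejected, as --require-hashes mode does)."""
    pins = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # global options such as --index-url
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        pin = Pin(m.group(1).lower(), m.group(2))
        pin.hashes = {f"{alg}:{hx.lower()}" for alg, hx in HASH_RE.findall(line)}
        pins[pin.name] = pin
    return pins


def check_artifact(pins: dict, name: str, data: bytes) -> tuple:
    """Gate one downloaded artifact the way --require-hashes does:
    pinned, carrying hashes, and matching one of them."""
    pin = pins.get(name.lower())
    if pin is None:
        return False, f"{name} is not pinned in the requirements file"
    if not pin.hashes:
        return False, f"{name}=={pin.version} carries no --hash; refused"
    digest = "sha256:" + sha256_hex(data)
    if digest in pin.hashes:
        return True, f"{name}=={pin.version} ok ({digest[:19]}...)"
    return False, f"{name}=={pin.version} digest {digest} matches none of {len(pin.hashes)} pins"


if __name__ == "__main__":
    req = compile_with_hashes(VERSIONS, ARTIFACTS)
    print(req)
    pins = parse_requirements(req)
    print(check_artifact(pins, "urllib3", ARTIFACTS["urllib3"]["urllib3-2.2.2.tar.gz"])[1])
    print(check_artifact(pins, "urllib3", b"substituted sdist from a mirror")[1])
    print(check_artifact(parse_requirements("certifi==2024.7.4\n"), "certifi", b"x")[1])
```

The third check is the case the PR description touches on: a pin without hashes is rejected outright in hash-checking mode, so adding `--generate-hashes` to the `requirements_formatting.txt` command is what lets that file be consumed with `--require-hashes` at all. Multiple hashes per pin are normal, since a release usually ships a wheel and an sdist.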
Contributor

@zacklj89 zacklj89 left a comment


Looks like builds passed, and changes are consistent with previous ones.

Contributor

@boomanaiden154 boomanaiden154 left a comment


LGTM.

The code formatting job passed, which increases confidence that the requirements_formatting.txt is correct.

requirements.txt is used in a bunch of places that are hard to directly test, but is probably safe. If it fails, we can revert.

@StephanTLavavej StephanTLavavej merged commit 7036394 into llvm:main Aug 24, 2024
9 checks passed
@StephanTLavavej StephanTLavavej deleted the update-python-requirements branch August 24, 2024 16:51