github version complaints about the gitlab CI requirements.txt
Linus Torvalds
torvalds at linux-foundation.org
Sun Nov 12 20:33:02 UTC 2023
So every time I push to my github mirror, github now ends up having a
'dependabot' thing that warns about some of the CI version
requirements for the gitlab automated testing file.
It wants to update the pip requirements from 23.2.1 to 23.3
- When installing a package from a Mercurial VCS URL, e.g. pip install
hg+..., with pip prior to v23.3, the specified Mercurial revision
could be used to inject arbitrary configuration options to the hg
clone call (e.g. --config). Controlling the Mercurial configuration
can modify how and which repository is installed. This vulnerability
does not affect users who aren't installing from Mercurial.
and upgrade the urllib3 requirements from 2.0.4 to 2.0.7:
- urllib3's request body not stripped after redirect from 303 status
changes request method to GET
- `Cookie` HTTP header isn't stripped on cross-origin redirects
And it's not like any of this looks like a big deal, but I'd like to
shut up the messages I get.
I can either just close those issues, or I can apply a patch something
like the attached (which also adds a missing newline at the end).
I thought I should ask the people who actually set this up. Comments?
Linus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch.diff
Type: text/x-patch
Size: 717 bytes
Desc: not available
URL: <https://lists.freedesktop.org/archives/dri-devel/attachments/20231112/dd65e0ad/attachment-0001.bin>
More information about the dri-devel
mailing list