github version complaints about the gitlab CI requirements.txt
Helen Koike
helen.koike at collabora.com
Mon Nov 13 12:01:47 UTC 2023
Hi Linus,
On 12/11/2023 17:33, Linus Torvalds wrote:
> So every time I push to my github mirror, github now ends up having a
> 'dependabot' thing that warns about some of the CI version
> requirements for the gitlab automated testing file.
>
> It wants to update the pip requirements from 23.2.1 to 23.3
>
> - When installing a package from a Mercurial VCS URL, e.g. pip install
> hg+..., with pip prior to v23.3, the specified Mercurial revision
> could be used to inject arbitrary configuration options to the hg
> clone call (e.g. --config). Controlling the Mercurial configuration
> can modify how and which repository is installed. This vulnerability
> does not affect users who aren't installing from Mercurial.
>
> and upgrade the urllib3 requirements from 2.0.4 to 2.0.7:
>
> - urllib3's request body not stripped after redirect from 303 status
> changes request method to GET
>
> - `Cookie` HTTP header isn't stripped on cross-origin redirects
>
> And it's not like any of this looks like a big deal, but I'd like to
> shut up the messages I get.
>
> I can either just close those issues, or I can apply a patch something
> like the attached (which also adds a missing newline at the end).
>
> I thought I should ask the people who actually set this up. Comments?
I just tested your attached patch and it looks fine; the scripts with those
requirements worked as expected, so please go ahead with your patch with
Tested-by: Helen Koike <helen.koike at collabora.com>
Now I'm thinking how to prevent those warnings in the future.
Thank you,
Helen
>
> Linus
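On the question of preventing these warnings in the future: the practical first step is to check the pins in the CI requirements file against the versions the advisories name before dependabot does. What follows is an added example for this thread, not code from the kernel tree, the gitlab CI scripts or dependabot. It is a stdlib-only checker that parses `==` pins (and `>=`/`~=` floors) from a requirements.txt, flags entries below the fixed versions quoted in the e-mail (pip 23.3, urllib3 2.0.7), and rewrites stale `==` pins while making sure the file ends with a newline, the same trailing-newline fix the patch mentions. The requirements text and the `MIN_FIXED` table are constructed for the example, and `parse_version` is a deliberately simple numeric comparison rather than a full PEP 440 implementation.

```python
"""Flag and bump requirements.txt pins that sit below a known fixed version.

Added example for the dri-devel thread; not part of the kernel CI scripts
or of dependabot.  Only the two minimum versions quoted in the e-mail are
real; the sample requirements text is constructed.
"""
import re

# Minimum versions carrying the fixes named in the thread.
# Assumption: a flat {normalized name: version} table is enough here.
MIN_FIXED = {
    "pip": "23.3",
    "urllib3": "2.0.7",
}

# Constructed sample, shaped like the pins dependabot complained about.
SAMPLE_REQUIREMENTS = """\
# CI dependencies
pip==23.2.1
requests == 2.31.0
urllib3==2.0.4   # pinned for reproducible builds
setuptools>=65
"""

# name, operator, version; comments are stripped before matching.
_PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|~=)\s*([0-9][0-9A-Za-z.]*)"
)


def parse_version(text):
    """Turn '23.2.1' into (23, 2, 1) for tuple comparison.

    Each dotted component keeps only its leading digits, parsing stops at
    the first non-numeric component, and trailing zeros are dropped so
    that '2.0' and '2.0.0' compare equal.  Not PEP 440; enough for
    release-style pins like the ones in the thread.
    """
    parts = []
    for comp in text.split("."):
        m = re.match(r"\d+", comp)
        if not m:
            break
        parts.append(int(m.group()))
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def normalize_name(name):
    """Match pip's loose name handling: case-insensitive, '_' same as '-'."""
    return name.lower().replace("_", "-")


def parse_requirements(text):
    """Return [(name, op, version, line_no)] for every pinned line."""
    pins = []
    for n, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0].strip()  # drop inline comments
        if not code:
            continue
        m = _PIN_RE.match(code)
        if m:
            name, op, ver = m.groups()
            pins.append((normalize_name(name), op, ver, n))
    return pins


def find_stale_pins(text, minimums=MIN_FIXED):
    """Return [(name, op, pinned, required, line_no)] for pins below the fix.

    A '==' pin below the fixed version installs the vulnerable release; a
    '>=' or '~=' floor below it merely permits one, but is reported too
    because the floor is what a reviewer would be asked to raise.
    """
    stale = []
    for name, op, ver, n in parse_requirements(text):
        required = minimums.get(name)
        if required and parse_version(ver) < parse_version(required):
            stale.append((name, op, ver, required, n))
    return stale


def bump_pins(text, minimums=MIN_FIXED):
    """Rewrite stale '==' pins to the fixed version; guarantee a final newline."""
    out = []
    for line in text.splitlines():
        m = _PIN_RE.match(line.split("#", 1)[0])
        if m:
            name, op, ver = m.groups()
            required = minimums.get(normalize_name(name))
            if required and op == "==" and parse_version(ver) < parse_version(required):
                line = line.replace(ver, required, 1)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, op, ver, req, n in find_stale_pins(SAMPLE_REQUIREMENTS):
        print(f"line {n}: {name}{op}{ver} is below fixed version {req}")
    print(bump_pins(SAMPLE_REQUIREMENTS), end="")
```

Run against the sample, the checker reports the two pins from the thread (pip on line 2, urllib3 on line 4) and leaves `requests` and `setuptools` alone; the rewritten text has no stale pins left. In a CI job the same two functions can be run over the real requirements.txt with the table extended as new advisories arrive, which turns the dependabot noise into a check the project controls.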