Update image and packages for 2025

[vevetron]

Description

Updating the docker single-user image to accommodate changes to calitp-data-analysis

Significant package changes:
calitp-data-analysis to "2024.12.6"
black from 22.3 to 24.10
added GDAL, pinned Rasterio

Removed vega-cli and vega-lite. These weren't working during the docker builds. Altair might stop working! This needs to be checked out.

Resolves #3389

Type of change

• New feature

How has this been tested?

built with docker commands and will deploy to jupyterhub for testing.

Safety concerns:

safety scan:
jupyter-server (==1.24.0) ; python_version >= "3.7"  [4 vulnerabilities found]
 Update jupyter-server (==1.24.0) ; python_version >= "3.7" to jupyter-server==2.14.1 to fix 4 vulnerabilities
 Versions of jupyter-server with no known vulnerabilities: 2.15.0, 2.14.2
 Learn more: https://data.safetycli.com/p/pypi/jupyter-server/eda/?from=1.24.0&to=2.14.1

 sqlalchemy (==1.4.46) ; python_version >= "2.7" and python_version < "3.0.dev0" or python_version >= "3.6.dev0"  [1 vulnerability found]
  -> Vuln ID 51668: PVE-2022-51668, CVSS Severity MEDIUM
     Sqlalchemy 2.0.0b1 avoids leaking cleartext passwords to the open for careless uses of str(engine.URL()) in lo...
 Update sqlalchemy (==1.4.46) ; python_version >= "2.7" and python_version < "3.0.dev0" or python_version >= "3.6.dev0" to sqlalchemy==2.0.0b1 to fix 1 vulnerability
 Versions of sqlalchemy with no known vulnerabilities: 2.0.37, 2.0.36, 2.0.35, 2.0.34, 2.0.33, 2.0.32, 2.0.31, 2.0.30, 2.0.29, 2.0.28, 2.0.27, 2.0.26, 2.0.25, 2.0.24, 2.0.23,
 2.0.22, 2.0.21, 2.0.20, 2.0.19, 2.0.18, 2.0.17, 2.0.16, 2.0.15, 2.0.14, 2.0.13, 2.0.12, 2.0.11, 2.0.10, 2.0.9, 2.0.8, 2.0.7, 2.0.6, 2.0.5.post1, 2.0.5, 2.0.4, 2.0.3, 2.0.2, 2.0.1,
 2.0.0, 2.0.0rc3, 2.0.0rc2, 2.0.0rc1, 2.0.0b4, 2.0.0b3, 2.0.0b2
 Learn more: https://data.safetycli.com/p/pypi/sqlalchemy/eda/?from=1.4.46&to=2.0.0b1

Post-merge follow-ups

Document any actions that must be taken post-merge to deploy or otherwise implement the changes in this PR (for example, running a full refresh of some incremental model in dbt). If these actions will take more than a few hours after the merge or if they will be completed by someone other than the PR author, please create a dedicated follow-up issue and link it here to track resolution.

• No action required
• Actions required (specified below)

Deploy to jupyterhub and test

• Removed vega-cli and vega-lite. These weren't working during the docker builds. Altair might stop working! This needs to be checked out.

[build.log](
pack_versions.log
https://github.com/user-attachments/files/18400849/build.log)

[github-actions]

The following changes will be applied to the production Kubernetes cluster upon merge.

BE AWARE this may not reveal changes that have been manually applied to the cluster getting undone—applying manual changes to the cluster should be avoided.

jupyterhub, continuous-image-puller, DaemonSet (apps) has changed:
...
            securityContext:
              allowPrivilegeEscalation: false
              runAsGroup: 65534
              runAsUser: 65534
          - name: image-pull-singleuser-profilelist-2
-           image: ghcr.io/cal-itp/data-infra/jupyter-singleuser:2024.5.24
+           image: ghcr.io/cal-itp/data-infra/jupyter-singleuser:2025.1.13
            command:
              - /bin/sh
              - -c
              - echo "Pulling complete"
            securityContext:
...
jupyterhub, hub, ConfigMap (v1) has changed:
...
          configuration item if not None
          """
          data = get_config(key)
          if data is not None:
              setattr(cparent, name, data)
-   checksum_hook-image-puller: "ea587a740bd8c6376ee7f4a41b3f5957f4d23a103fb0714fecad1b2be3105cae"
+   checksum_hook-image-puller: "32d27a8149af388788f74f8b98bf0bc2e83a86208c942d4c16e73ab6d217a232"
jupyterhub, hub, Deployment (apps) has changed:
...
          release: jupyterhub
          hub.jupyter.org/network-access-proxy-api: "true"
          hub.jupyter.org/network-access-proxy-http: "true"
          hub.jupyter.org/network-access-singleuser: "true"
        annotations:
-         checksum/config-map: 5b4f7fe1a41155daf1093411c656925022a4aec125cf1f158fd7122051c2110e
-         checksum/secret: a9f021f09c0b3d24b30aa72740ae1983768e7cecdd044c0b5c583afb5028b4e2
+         checksum/config-map: 80db7142e87d6e2d72191ef0cca281edd6d84555ec04797391b2ee3e411bcda3
+         checksum/secret: f8705d1dd75715353d599035ebb696b24c6e51896c5bc47445580db5edd25406
      spec:
        tolerations:
          - effect: NoSchedule
            key: hub.jupyter.org/dedicated
            operator: Equal
...
jupyterhub, hub, Secret (v1) has changed:
...
    name: hub
  data:
    hub.config.ConfigurableHTTPProxy.auth_token: 'REDACTED # (64 bytes)'
    hub.config.CryptKeeper.keys: 'REDACTED # (64 bytes)'
    hub.config.JupyterHub.cookie_secret: 'REDACTED # (64 bytes)'
-   values.yaml: '-------- # (11754 bytes)'
+   values.yaml: '++++++++ # (11766 bytes)'
  type: Opaque

[evansiroky]

Is it a blocker for Altair to not be working?

[tiffanychu90]

I can approve this PR for testing the build, but dropping vega/altair will basically break a big chunk of the analysis.calitp.org site. But I would move this PR through regardless because there are plenty of dependencies to wade through for an upgrade, so let's see if this solves a good chunk.

[vevetron]

From what I see, Altair should be okay but altair-saver might stop working. But this is expected since altair-saver is being deprecated and being replaced with vl-convert: cal-itp/data-analyses#1342

[tiffanychu90]

From what I see, Altair should be okay but altair-saver might stop working. But this is expected since altair-saver is being deprecated and being replaced with vl-convert: cal-itp/data-analyses#1342

Let's drop altair-saver and put vl-convert lower onto the priority list...I think it's not actively used, now that we have a way to render sites, we no longer save images to embed into ppts