[feature/BLAZ-177] to dev (#378)

* [BLAZ-177] Changes in setup.py and Dockerfile.application to solve security issues

* [BLAZ-177] Numpy transitive dependency limited to 1.x versions

* [BLAZ-177] Minor fix in setup.py

* [BLAZ-177] Changed graphviz runtime lib to graphviz-dev

deployment/Dockerfile.application

@@ -13,6 +13,8 @@ RUN apk --no-cache add lapack libstdc++ libmagic geos-dev && \
 
 COPY . .
 
+RUN pip install --upgrade pip
+
 RUN pip install .
 
 
@@ -21,12 +23,7 @@ FROM python:3.8-alpine
 WORKDIR /app
 
 RUN apk update && \
-    apk add libmagic && \
-    apk add re2 && \
-    apk add graphviz && \
-    apk add lapack && \
-    apk add cblas && \
-    apk add geos
+    apk add libmagic re2 lapack cblas geos graphviz-dev
 
 COPY --from=startleft-base /usr/local/lib/python3.8/site-packages /usr/local/lib/python3.8/site-packages
 

setup.py

@@ -20,7 +20,7 @@
         'deepmerge==1.1.0',
         'jmespath==1.0.1',
         'python-hcl2==4.3.2',
-        'requests==2.31.0',
+        'requests==2.32.3',
         'fastapi==0.109.2',
         'python-multipart==0.0.7',
         'click==8.1.7',
@@ -37,7 +37,10 @@
         'xmlschema==2.5.0',
         'word2number==1.1',
         # Do not upgrade pygraphviz unless security issues because it is heavily dependent on the underlying OS
-        'pygraphviz==1.10'
+        'pygraphviz==1.10',
+        # Numpy is a transitive dependency of fastapi, requests and python-multipart
+        # They require different v1 versions, while v2 versions lead to import errors
+        'numpy<2.0'
     ],
     use_scm_version={
         'write_to': 'startleft/version.py',