From f4a071b6b23b6c47521d6bd9419cb96b5d13c5a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Antol=C3=ADn?= <99404665+dantolin-iriusrisk@users.noreply.github.com>
Date: Wed, 10 Jul 2024 07:09:22 +0200
Subject: [PATCH] [feature/BLAZ-177] to dev (#378)
* [BLAZ-177] Changes in setup.py and Dockerfile.application to solve security issues
* [BLAZ-177] Numpy transitive dependency limited to 1.x versions
* [BLAZ-177] Minor fix in setup.py
* [BLAZ-177] Changed graphviz runtime lib to graphviz-dev
---
 deployment/Dockerfile.application | 9 +++------
 setup.py | 7 +++++--
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/deployment/Dockerfile.application b/deployment/Dockerfile.application
index 2bb190a1..1c68feab 100644
--- a/deployment/Dockerfile.application
+++ b/deployment/Dockerfile.application
@@ -13,6 +13,8 @@ RUN apk --no-cache add lapack libstdc++ libmagic geos-dev && \
 COPY . .
+RUN pip install --upgrade pip
+
 RUN pip install .
@@ -21,12 +23,7 @@ FROM python:3.8-alpine
 WORKDIR /app
 RUN apk update && \
-    apk add libmagic && \
-    apk add re2 && \
-    apk add graphviz && \
-    apk add lapack && \
-    apk add cblas && \
-    apk add geos
+    apk add libmagic re2 lapack cblas geos graphviz-dev
 COPY --from=startleft-base /usr/local/lib/python3.8/site-packages /usr/local/lib/python3.8/site-packages
diff --git a/setup.py b/setup.py
index da962a35..77ff3cdc 100644
--- a/setup.py
+++ b/setup.py
@@ -20,7 +20,7 @@
         'deepmerge==1.1.0',
         'jmespath==1.0.1',
         'python-hcl2==4.3.2',
-        'requests==2.31.0',
+        'requests==2.32.3',
         'fastapi==0.109.2',
         'python-multipart==0.0.7',
         'click==8.1.7',
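Review bot: `RUN pip install --upgrade pip` in the builder stage fetches whatever pip release is current at build time, so the image is no longer reproducible and the resolver that runs `pip install .` can change between two builds of the same commit. Pinning it, `RUN pip install --upgrade 'pip==<pinned-pip-version>'` (placeholder for the version you validated), keeps the build deterministic and makes the next pip bump a reviewable change like the other version bumps in this commit. Adding `--no-cache-dir` to both pip invocations would also keep the wheel cache out of the builder layer.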
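Review bot: The runtime stage's `RUN apk update && \` / `apk add ...` leaves the APK index cache in the final layer and is inconsistent with the builder stage, which uses `apk --no-cache add` as the hunk header shows; `RUN apk --no-cache add libmagic re2 lapack cblas geos graphviz-dev` is the consistent form and drops the cache. Replacing `graphviz` with `graphviz-dev` also ships headers and build-time files into the runtime image; if pygraphviz only needs the shared libraries at run time, the non-dev package (or a libs-only subpackage, if Alpine provides one) would keep the runtime surface smaller, so it is worth recording in a comment which import failure motivated the switch. As in the builder stage, none of these apk packages carry a version pin, so the runtime image can also drift between builds.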
@@ -37,7 +37,10 @@
         'xmlschema==2.5.0',
         'word2number==1.1',
         # Do not upgrade pygraphviz unless security issues because it is heavily dependent on the underlying OS
-        'pygraphviz==1.10'
+        'pygraphviz==1.10',
+        # Numpy is a transitive dependency of fastapi, requests and python-multipart
+        # They require different v1 versions, while v2 versions lead to import errors
+        'numpy<2.0'
     ],
     use_scm_version={
         'write_to': 'startleft/version.py',
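Review bot: `'numpy<2.0'` is the only open-ended requirement in an `install_requires` list that otherwise pins every package with `==`, so the resolver may still select any 1.x release and this dependency is no longer reproducible; either pin it exactly like its neighbours or give it a lower bound, `'numpy>=<known-good-version>,<2.0'` (placeholder), matching the version the application was tested against. The new comment attributes the numpy requirement to fastapi, requests and python-multipart; that cannot be verified from this hunk, and requests in particular is not known to declare numpy as a dependency, so the comment should name the packages a dependency tree actually shows before it is committed. The `install_requires` list opens above the hunk.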