Bump some docs dependencies to resolve a Dependabot security alert #107341
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Did you use If I skip that, I don't get setuptools (by the way, Python 3.12 has removed the setuptools upgrade from the command). /private/tmp
❯ python -m venv bump-docs
Found existing alias for "python". You should use: "p"
/private/tmp
❯ cd bump-docs
/private/tmp/bump-docs
❯ bin/pip freeze
/private/tmp/bump-docs
❯ bin/pip install "Sphinx~=3.2.0" "docutils<0.17" "Jinja2<3" "MarkupSafe<2"
Collecting Sphinx~=3.2.0
Using cached Sphinx-3.2.1-py3-none-any.whl (2.9 MB)
Collecting docutils<0.17
Using cached docutils-0.16-py2.py3-none-any.whl (548 kB)
Collecting Jinja2<3
Using cached Jinja2-2.11.3-py2.py3-none-any.whl (125 kB)
Collecting MarkupSafe<2
Using cached MarkupSafe-1.1.1-cp311-cp311-macosx_10_9_universal2.whl
Collecting sphinxcontrib-applehelp (from Sphinx~=3.2.0)
Using cached sphinxcontrib_applehelp-1.0.4-py3-none-any.whl (120 kB)
Collecting sphinxcontrib-devhelp (from Sphinx~=3.2.0)
Using cached sphinxcontrib_devhelp-1.0.2-py2.py3-none-any.whl (84 kB)
Collecting sphinxcontrib-jsmath (from Sphinx~=3.2.0)
Using cached sphinxcontrib_jsmath-1.0.1-py2.py3-none-any.whl (5.1 kB)
Collecting sphinxcontrib-htmlhelp (from Sphinx~=3.2.0)
Using cached sphinxcontrib_htmlhelp-2.0.1-py3-none-any.whl (99 kB)
Collecting sphinxcontrib-serializinghtml (from Sphinx~=3.2.0)
Using cached sphinxcontrib_serializinghtml-1.1.5-py2.py3-none-any.whl (94 kB)
Collecting sphinxcontrib-qthelp (from Sphinx~=3.2.0)
Using cached sphinxcontrib_qthelp-1.0.3-py2.py3-none-any.whl (90 kB)
Collecting Pygments>=2.0 (from Sphinx~=3.2.0)
Using cached Pygments-2.15.1-py3-none-any.whl (1.1 MB)
Collecting snowballstemmer>=1.1 (from Sphinx~=3.2.0)
Using cached snowballstemmer-2.2.0-py2.py3-none-any.whl (93 kB)
Collecting babel>=1.3 (from Sphinx~=3.2.0)
Using cached Babel-2.12.1-py3-none-any.whl (10.1 MB)
Collecting alabaster<0.8,>=0.7 (from Sphinx~=3.2.0)
Using cached alabaster-0.7.13-py3-none-any.whl (13 kB)
Collecting imagesize (from Sphinx~=3.2.0)
Using cached imagesize-1.4.1-py2.py3-none-any.whl (8.8 kB)
Collecting requests>=2.5.0 (from Sphinx~=3.2.0)
Using cached requests-2.31.0-py3-none-any.whl (62 kB)
Requirement already satisfied: setuptools in ./lib/python3.11/site-packages (from Sphinx~=3.2.0) (65.5.0)
Collecting packaging (from Sphinx~=3.2.0)
Using cached packaging-23.1-py3-none-any.whl (48 kB)
Collecting charset-normalizer<4,>=2 (from requests>=2.5.0->Sphinx~=3.2.0)
Using cached charset_normalizer-3.2.0-cp311-cp311-macosx_11_0_arm64.whl (122 kB)
Collecting idna<4,>=2.5 (from requests>=2.5.0->Sphinx~=3.2.0)
Using cached idna-3.4-py3-none-any.whl (61 kB)
Collecting urllib3<3,>=1.21.1 (from requests>=2.5.0->Sphinx~=3.2.0)
Using cached urllib3-2.0.4-py3-none-any.whl (123 kB)
Collecting certifi>=2017.4.17 (from requests>=2.5.0->Sphinx~=3.2.0)
Using cached certifi-2023.7.22-py3-none-any.whl (158 kB)
Installing collected packages: snowballstemmer, urllib3, sphinxcontrib-serializinghtml, sphinxcontrib-qthelp, sphinxcontrib-jsmath, sphinxcontrib-htmlhelp, sphinxcontrib-devhelp, sphinxcontrib-applehelp, Pygments, packaging, MarkupSafe, imagesize, idna, docutils, charset-normalizer, certifi, babel, alabaster, requests, Jinja2, Sphinx
Successfully installed Jinja2-2.11.3 MarkupSafe-1.1.1 Pygments-2.15.1 Sphinx-3.2.1 alabaster-0.7.13 babel-2.12.1 certifi-2023.7.22 charset-normalizer-3.2.0 docutils-0.16 idna-3.4 imagesize-1.4.1 packaging-23.1 requests-2.31.0 snowballstemmer-2.2.0 sphinxcontrib-applehelp-1.0.4 sphinxcontrib-devhelp-1.0.2 sphinxcontrib-htmlhelp-2.0.1 sphinxcontrib-jsmath-1.0.1 sphinxcontrib-qthelp-1.0.3 sphinxcontrib-serializinghtml-1.1.5 urllib3-2.0.4
[notice] A new release of pip is available: 23.1.2 -> 23.2.1
[notice] To update, run: python3.11 -m pip install --upgrade pip
/private/tmp/bump-docs took 2s
❯ bin/pip freeze
alabaster==0.7.13
Babel==2.12.1
certifi==2023.7.22
charset-normalizer==3.2.0
docutils==0.16
idna==3.4
imagesize==1.4.1
Jinja2==2.11.3
MarkupSafe==1.1.1
packaging==23.1
Pygments==2.15.1
requests==2.31.0
snowballstemmer==2.2.0
Sphinx==3.2.1
sphinxcontrib-applehelp==1.0.4
sphinxcontrib-devhelp==1.0.2
sphinxcontrib-htmlhelp==2.0.1
sphinxcontrib-jsmath==1.0.1
sphinxcontrib-qthelp==1.0.3
sphinxcontrib-serializinghtml==1.1.5
urllib3==2.0.4
/private/tmp/bump-docs
❯ |
no. But I did use Python 3.13a0. Might be relevant? |
Yes, that seems to be relevant! I did the same commands with the same version of pip (23.2.1), but in a venv using Python 3.11 instead of 3.13a0, and setuptools didn't show up when I ran Shall I use that |
|
Yeah, if we don't need setuptools, let's make sure things work okay without it. |
hugovk
approved these changes
Jul 27, 2023
There was a problem hiding this comment.
Thanks!
And backport to 3.11?
https://github.com/python/cpython/blob/3.11/Doc/requirements-oldest-sphinx.txt
SGTM, gotta keep our docs build secure 🔒 |
AlexWaygood
added
needs backport to 3.11
|
Thanks @AlexWaygood for the PR 🌮🎉.. I'm working now to backport this PR to: 3.11, 3.12. |
|
GH-107342 is a backport of this pull request to the 3.12 branch. |
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this pull request
Jul 27, 2023
…ythonGH-107341) (cherry picked from commit f84d77b) Co-authored-by: Alex Waygood <[email protected]>
|
GH-107343 is a backport of this pull request to the 3.11 branch. |
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this pull request
Jul 27, 2023
…ythonGH-107341) (cherry picked from commit f84d77b) Co-authored-by: Alex Waygood <[email protected]>
AlexWaygood
added a commit
that referenced
this pull request
Jul 27, 2023
…lert (GH-107341) (#107342) Bump some docs dependencies to resolve a Dependabot security alert (GH-107341) (cherry picked from commit f84d77b) Co-authored-by: Alex Waygood <[email protected]>
AlexWaygood
added a commit
that referenced
this pull request
Jul 27, 2023
…lert (GH-107341) (#107343) Bump some docs dependencies to resolve a Dependabot security alert (GH-107341) (cherry picked from commit f84d77b) Co-authored-by: Alex Waygood <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I ran the instructions at the top of
Doc/requirements-oldest-sphinx.txtto regenerate the dependency pins. This resolves an open Dependabot security alert on the CPython repo: https://github.com/python/cpython/security/dependabot/2Because I'm using a new version of pip, it looks like
setuptoolsis now listed in thepip freezeoutput if you have a virtual environment activated (previously, it was filtered out by pip from the output ofpip freeze). We probably don't need it pinned for the docs build, so I could remove it and update the instructions inDoc/requirements-oldest-sphinx.txt? But it also probably doesn't hurt to include it, and it keeps the instructions for regenerating the file simple to just add it to the dependency pins.📚 Documentation preview 📚: https://cpython-previews--107341.org.readthedocs.build/