From a585a670352d50c67baa6cf99714f8ca95ab1ef8 Mon Sep 17 00:00:00 2001 From: d33bs Date: Fri, 27 Jun 2025 14:57:50 -0600 Subject: [PATCH 1/3] fix: address CVE-2025-50181 --- poetry.lock | 70 ++++++++++++++++++++++++++++++++------------------ pyproject.toml | 4 +++ 2 files changed, 49 insertions(+), 25 deletions(-) diff --git a/poetry.lock b/poetry.lock index b0f5814f..9257a71f 100644 --- a/poetry.lock +++ b/poetry.lock @@ -89,29 +89,30 @@ test = ["crate", "geojson", "pytest", "pytest-cov"] [[package]] name = "aiobotocore" -version = "2.22.0" +version = "2.23.0" description = "Async client for aws services using botocore and aiohttp" optional = true -python-versions = ">=3.8" +python-versions = ">=3.9" groups = ["main"] markers = "extra == \"cell-locations\"" files = [ - {file = "aiobotocore-2.22.0-py3-none-any.whl", hash = "sha256:b4e6306f79df9d81daff1f9d63189a2dbee4b77ce3ab937304834e35eaaeeccf"}, - {file = "aiobotocore-2.22.0.tar.gz", hash = "sha256:11091477266b75c2b5d28421c1f2bc9a87d175d0b8619cb830805e7a113a170b"}, + {file = "aiobotocore-2.23.0-py3-none-any.whl", hash = "sha256:8202cebbf147804a083a02bc282fbfda873bfdd0065fd34b64784acb7757b66e"}, + {file = "aiobotocore-2.23.0.tar.gz", hash = "sha256:0333931365a6c7053aee292fe6ef50c74690c4ae06bb019afdf706cb6f2f5e32"}, ] [package.dependencies] aiohttp = ">=3.9.2,<4.0.0" aioitertools = ">=0.5.1,<1.0.0" -botocore = ">=1.37.2,<1.37.4" +botocore = ">=1.38.23,<1.38.28" jmespath = ">=0.7.1,<2.0.0" multidict = ">=6.0.0,<7.0.0" python-dateutil = ">=2.1,<3.0.0" wrapt = ">=1.10.10,<2.0.0" [package.extras] -awscli = ["awscli (>=1.38.2,<1.38.4)"] -boto3 = ["boto3 (>=1.37.2,<1.37.4)"] +awscli = ["awscli (>=1.40.22,<1.40.27)"] +boto3 = ["boto3 (>=1.38.23,<1.38.28)"] +httpx = ["httpx (>=0.25.1,<0.29)"] [[package]] name = "aiohappyeyeballs" 
@@ -493,36 +494,36 @@ css = ["tinycss2 (>=1.1.0,<1.3)"] [[package]] name = "boto3" -version = "1.37.3" +version = "1.38.27" description = "The AWS SDK for Python" optional = true -python-versions = ">=3.8" +python-versions = ">=3.9" groups = ["main"] markers = "extra == \"cell-locations\"" files = [ - {file = "boto3-1.37.3-py3-none-any.whl", hash = "sha256:2063b40af99fd02f6228ff52397b552ff3353831edaf8d25cc04801827ab9794"}, - {file = "boto3-1.37.3.tar.gz", hash = "sha256:21f3ce0ef111297e63a6eb998a25197b8c10982970c320d4c6e8db08be2157be"}, + {file = "boto3-1.38.27-py3-none-any.whl", hash = "sha256:95f5fe688795303a8a15e8b7e7f255cadab35eae459d00cc281a4fd77252ea80"}, + {file = "boto3-1.38.27.tar.gz", hash = "sha256:94bd7fdd92d5701b362d4df100d21e28f8307a67ff56b6a8b0398119cf22f859"}, ] [package.dependencies] -botocore = ">=1.37.3,<1.38.0" +botocore = ">=1.38.27,<1.39.0" jmespath = ">=0.7.1,<2.0.0" -s3transfer = ">=0.11.0,<0.12.0" +s3transfer = ">=0.13.0,<0.14.0" [package.extras] crt = ["botocore[crt] (>=1.21.0,<2.0a0)"] [[package]] name = "botocore" -version = "1.37.3" +version = "1.38.27" description = "Low-level, data-driven core of boto 3." optional = true -python-versions = ">=3.8" +python-versions = ">=3.9" groups = ["main"] markers = "extra == \"cell-locations\"" files = [ - {file = "botocore-1.37.3-py3-none-any.whl", hash = "sha256:d01bd3bf4c80e61fa88d636ad9f5c9f60a551d71549b481386c6b4efe0bb2b2e"}, - {file = "botocore-1.37.3.tar.gz", hash = "sha256:fe8403eb55a88faf9b0f9da6615e5bee7be056d75e17af66c3c8f0a3b0648da4"}, + {file = "botocore-1.38.27-py3-none-any.whl", hash = "sha256:a785d5e9a5eda88ad6ab9ed8b87d1f2ac409d0226bba6ff801c55359e94d91a8"}, + {file = "botocore-1.38.27.tar.gz", hash = "sha256:9788f7efe974328a38cbade64cc0b1e67d27944b899f88cb786ae362973133b6"}, ] [package.dependencies] 
@@ -3463,22 +3464,22 @@ boto3 = ["aiobotocore[boto3] (>=2.5.4,<3.0.0)"] [[package]] name = "s3transfer" -version = "0.11.2" +version = "0.13.0" description = "An Amazon S3 Transfer Manager" optional = true -python-versions = ">=3.8" +python-versions = ">=3.9" groups = ["main"] markers = "extra == \"cell-locations\"" files = [ - {file = "s3transfer-0.11.2-py3-none-any.whl", hash = "sha256:be6ecb39fadd986ef1701097771f87e4d2f821f27f6071c872143884d2950fbc"}, - {file = "s3transfer-0.11.2.tar.gz", hash = "sha256:3b39185cb72f5acc77db1a58b6e25b977f28d20496b6e58d6813d75f464d632f"}, + {file = "s3transfer-0.13.0-py3-none-any.whl", hash = "sha256:0148ef34d6dd964d0d8cf4311b2b21c474693e57c2e069ec708ce043d2b527be"}, + {file = "s3transfer-0.13.0.tar.gz", hash = "sha256:f5e6db74eb7776a37208001113ea7aa97695368242b364d73e91c981ac522177"}, ] [package.dependencies] -botocore = ">=1.36.0,<2.0a.0" +botocore = ">=1.37.4,<2.0a.0" [package.extras] -crt = ["botocore[crt] (>=1.36.0,<2.0a.0)"] +crt = ["botocore[crt] (>=1.37.4,<2.0a.0)"] [[package]] name = "scikit-learn" 
@@ -4274,17 +4275,36 @@ description = "HTTP library with thread-safe connection pooling, file post, and optional = false python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,>=2.7" groups = ["main", "dev", "docs"] +markers = "python_version == \"3.9\"" files = [ {file = "urllib3-1.26.19-py2.py3-none-any.whl", hash = "sha256:37a0344459b199fce0e80b0d3569837ec6b6937435c5244e7fd73fa6006830f3"}, {file = "urllib3-1.26.19.tar.gz", hash = "sha256:3e3d753a8618b86d7de333b4223005f68720bcd6a7d2bcb9fbd2229ec7c1e429"}, ] -markers = {main = "extra == \"cell-locations\""} [package.extras] brotli = ["brotli (==1.0.9) ; os_name != \"nt\" and python_version < \"3\" and platform_python_implementation == \"CPython\"", "brotli (>=1.0.9) ; python_version >= \"3\" and platform_python_implementation == \"CPython\"", "brotlicffi (>=0.8.0) ; (os_name != \"nt\" or python_version >= \"3\") and platform_python_implementation != \"CPython\"", "brotlipy (>=0.6.0) ; os_name == \"nt\" and python_version < \"3\""] secure = ["certifi", "cryptography (>=1.3.4)", "idna (>=2.0.0)", "ipaddress ; python_version == \"2.7\"", "pyOpenSSL (>=0.14)", "urllib3-secure-extra"] socks = ["PySocks (>=1.5.6,!=1.5.7,<2.0)"] +[[package]] +name = "urllib3" +version = "2.5.0" +description = "HTTP library with thread-safe connection pooling, file post, and more." 
+optional = false +python-versions = ">=3.9" +groups = ["main", "dev", "docs"] +markers = "python_version >= \"3.10\"" +files = [ + {file = "urllib3-2.5.0-py3-none-any.whl", hash = "sha256:e6b01673c0fa6a13e374b50871808eb3bf7046c4b125b216f6bf1cc604cff0dc"}, + {file = "urllib3-2.5.0.tar.gz", hash = "sha256:3fc47733c7e419d4bc3f6b3dc2b4f890bb743906a30d56ba4a5bfa4bbff92760"}, +] + +[package.extras] +brotli = ["brotli (>=1.0.9) ; platform_python_implementation == \"CPython\"", "brotlicffi (>=0.8.0) ; platform_python_implementation != \"CPython\""] +h2 = ["h2 (>=4,<5)"] +socks = ["pysocks (>=1.5.6,!=1.5.7,<2.0)"] +zstd = ["zstandard (>=0.18.0)"] + [[package]] name = "uvicorn" version = "0.32.0" @@ -4862,4 +4882,4 @@ collate = ["cytominer-database"] [metadata] lock-version = "2.1" python-versions = ">=3.9,<3.14" -content-hash = "1f71b9d00bdaa34e397f9e8cdadc564436610d39fba81f66ecdfda8521bb5210" +content-hash = "469bfcac09e8093b22491bbf25ea2917bcab6a535852645f947251ded5ae5016" diff --git a/pyproject.toml b/pyproject.toml index 9fe64db3..6af8ff33 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -53,6 +53,10 @@ pandas = ">=1.2.0" scikit-learn = ">=0.21.2" sqlalchemy = ">=1.3.6,<3" pyarrow = ">=8.0.0" +urllib3 = [ + { version = "<2.5.0", python = "<3.10" }, + { version = ">=2.5.0", python = ">=3.10" }, +] # Extra dependencies for cell_locations fsspec = { version = ">=2023.1.0", optional = true } From e83eab563e060cf848bd18012bf5e393552c2a8a Mon Sep 17 00:00:00 2001 From: d33bs Date: Fri, 27 Jun 2025 15:02:58 -0600 Subject: [PATCH 2/3] Update .pre-commit-config.yaml --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d547710b..855f77cd 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/astral-sh/ruff-pre-commit - rev: "v0.11.13" + rev: "v0.12.1" hooks: - id: ruff-check exclude: tutorials/nbconverted/ 
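Review bot: The first entry of the new `urllib3` constraint in pyproject.toml, `{ version = "<2.5.0", python = "<3.10" }`, holds Python 3.9 installs below the release that the second entry treats as the fix. The lock in this same patch resolves 3.9 to urllib3 1.26.19, so CVE-2025-50181 is addressed only on Python 3.10 and later while the project still declares `>=3.9,<3.14`. The lock lists urllib3 2.5.0 with `python-versions = ">=3.9"`, so the cap presumably comes from another dependency (possibly botocore under the `cell-locations` extra) rather than from urllib3 itself; that should be confirmed and recorded. I would add a comment above the entry such as `# CVE-2025-50181 is fixed in urllib3 2.5.0; Python 3.9 is held below it by <blocking dependency> and remains exposed`, and drop the `<2.5.0` cap once the blocker allows, so the resolver is not barred from picking a fixed release. The entry also makes urllib3 a direct, unconditional dependency, where the lock previously marked it in `main` only under the extra.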
From 4043fba7882f896067b66ac61f8e36ff4d73447f Mon Sep 17 00:00:00 2001 From: "pre-commit-ci-lite[bot]" <117423508+pre-commit-ci-lite[bot]@users.noreply.github.com> Date: Wed, 2 Jul 2025 16:13:45 +0000 Subject: [PATCH 3/3] [pre-commit.ci lite] apply automatic fixes --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index ce0f0bcf..ea5158ad 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -37,7 +37,7 @@ repos: hooks: - id: almanack-check - repo: https://gitlab.com/vojko.pribudic.foss/pre-commit-update - rev: v0.7.0 + rev: v0.8.0 hooks: - id: pre-commit-update args: ["--keep", "cffconvert"]