Are there incompatibilities between AWX and the latest version of setuptools/paramiko/pip?

[jean-christophe-manciot]

I have noticed some security vulnerabilities in the latest official awx-ee available here. Updating some python packages with their latest version would solve those flaws:

• setuptools 53.0.0 --> 69.0.3
• paramiko 2.12.0 --> 3.4.0
• pip 21.2.3 --> 23.3.2

It could be performed with the following lines added in execution-environment.yml:

additional_build_steps:
  append_final:
    - RUN pip3 --disable-pip-version-check list --outdated --format=json | python3 -c "import json, sys; print('\n'.join([x['name'] for x in json.load(sys.stdin)]))" | xargs -n1 pip3 install -U

The fact that it has not been done might suggest some sort of incompatibilities with AWX. Is it the case or is it safe to upgrade them?

[jean-christophe-manciot]

Migrated to ansible community.