bird-house / finch

A Web Processing Service for Climate Indicators
https://finch.readthedocs.io/en/latest/
Apache License 2.0

pin `requests>=2.32.2` #384

Closed fmigneault closed 3 months ago

fmigneault commented 3 months ago

Overview

Address CVE-2024-35195

Changes:

Zeitsperre commented 3 months ago

@fmigneault Would you mind adding this pin to the conda environments as well? Feel free to merge afterwards.

fmigneault commented 3 months ago

We could probably simply edit the conda env to include:

dependencies:
  - pip >=24.0
  - pip:
    - -r requirements.txt

This can avoid the duplicate edits each time, but it changes the resolution by pip instead of conda-forge channel.

What do you think?

Zeitsperre commented 3 months ago

I like the idea of building conda-based environments to ensure that there aren't any weird behaviours in underlying dependencies before we push our own tags of finch to conda-forge.

The duplicate conda version tags issue is on everything we build. I'd want to see an approach that addresses the problem and can be ported everywhere.
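An added example, not code from the finch project or from either commenter, that checks for the drift this thread is about: it parses constructed requirements.txt and conda environment contents (assumed stand-ins, not the real files) and reports packages whose conda lower bound is looser than the `>=` pin in requirements.txt, so a pin like `requests>=2.32.2` cannot silently be left behind in one of the two places.

```python
import re
# Constructed stand-ins for finch's requirements.txt and conda environment file
# (assumed contents, not the project's real files).
REQUIREMENTS_TXT = "requests>=2.32.2\nxclim>=0.48.0\n"
ENVIRONMENT_YML = """\
name: finch
channels:
  - conda-forge
dependencies:
  - requests >=2.31.0
  - xclim >=0.48.0
  - pip
  - pip:
    - -r requirements.txt
"""
# "name op version", spaces optional: "requests>=2.32.2" or "requests >=2.32.2".
SPEC_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(>=|==|>)\s*([0-9][0-9.]*)$")

def parse_requirements(text):
    """Map package name -> (operator, version) from requirements.txt lines."""
    pins = {}
    for line in text.splitlines():
        m = SPEC_RE.match(line.split("#", 1)[0].strip())
        if m:
            pins[m.group(1).lower()] = (m.group(2), m.group(3))
    return pins

def parse_conda_env(text):
    """Same mapping from the top-level conda dependencies list; the nested
    pip: block is indented further and is deliberately skipped."""
    pins, in_deps = {}, False
    for line in text.splitlines():
        if line.startswith("dependencies:"):
            in_deps = True
        elif in_deps and line.startswith("  - "):
            m = SPEC_RE.match(line[4:].strip())
            if m:
                pins[m.group(1).lower()] = (m.group(2), m.group(3))
    return pins

def version_tuple(v):
    return tuple(int(p) for p in v.split("."))

def drifted_lower_bounds(req_text, env_text):
    """Packages whose conda lower bound is missing or looser than the >= pin in requirements.txt."""
    req, env = parse_requirements(req_text), parse_conda_env(env_text)
    return sorted(
        name for name, (op, ver) in req.items()
        if op == ">=" and (name not in env or version_tuple(env[name][1]) < version_tuple(ver))
    )
```

With the sample contents above the check returns `['requests']`, since the conda file still allows 2.31.0; raising its bound to 2.32.2 makes the result empty.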

fmigneault commented 3 months ago

@Zeitsperre Failing tests seem unrelated. Please have a look to make sure.

Zeitsperre commented 3 months ago

@fmigneault It's an issue with cf-xarray.