desihub / desitarget

DESI Targeting
BSD 3-Clause "New" or "Revised" License

Bump astropy from 5.0 to 5.3.3 #815

Closed dependabot[bot] closed 5 months ago

dependabot[bot] commented 5 months ago

Bumps astropy from 5.0 to 5.3.3.

Release notes

Sourced from astropy's releases.

v5.3.3 Release Notes

See https://docs.astropy.org/en/v5.3.3/changelog.html

v5.3.2 Release Notes

See https://docs.astropy.org/en/v5.3.2/changelog.html

v5.3.1

See CHANGES.rst for the full changelog

v5.3

See CHANGES.rst for the full changelog

v5.2.2

See CHANGES.rst for the full changelog.

v5.2.1

See CHANGES.rst for the full changelog.

v5.2

See CHANGES.rst for the full changelog

v5.1.1

See CHANGES.rst for the full changelog

v5.1

See CHANGES.rst for the full changelog

v5.0.8 Release Notes

See https://docs.astropy.org/en/v5.0.x/changelog.html

v5.0.6

See CHANGES.rst for the full changelog.

v5.0.5

See CHANGES.rst for the full changelog

v5.0.4

See CHANGES.rst for the full changelog

v5.0.3

See CHANGES.rst for the full changelog

v5.0.2

See CHANGES.rst for the full changelog

v5.0.1

See CHANGES.rst for the full changelog

Commits
  • 6258f07 Merge pull request #15286 from astrofrog/v5.3.3-changelog
  • 8de0b5b Finalizing changelog for v5.3.3
  • 7dcc0cd Merge pull request #15263 from astropy/update-iers-v5.3.x-1693526610
  • a20ace4 Update IERS Earth rotation and leap second tables
  • 7a4c713 Merge pull request #15234 from pllim/pin-numpy-lt-2
  • 710cbc0 Merge pull request #15249 from meeseeksmachine/auto-backport-of-pr-15155-on-v...
  • 8590f0c Backport PR #15155: Documentation fix for issue #15132 PrimaryHDU.fromstring(...
  • a45198f Merge pull request #15246 from meeseeksmachine/auto-backport-of-pr-15244-on-v...
  • 43c9e01 Backport PR #15244: RTD: No more system_packages
  • 9580b23 TST: Update modeling test logic
  • Additional commits viewable in compare view



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/desihub/desitarget/network/alerts).

coveralls commented 5 months ago


Coverage: 56.026%, remained the same when pulling 3cd6a7221ba0b85af0a79d15dfc1480d5cbd2eac on dependabot/pip/astropy-5.3.3 into f7e40ddd02b218ef978ae6509226977e62c2371c on main.

sbailey commented 5 months ago

FWIW, although this is a "high severity" security update, I don't think it is actually a security vulnerability for us. The vulnerability is in TransformGraph().to_dot_graph, which we don't use in desitarget, and the vulnerability is that malicious input could cause a script to run, but we don't accept random external input to run for desitarget anyway (e.g. via a web form).

For Jura we hope to update to a new desiconda with newer astropy anyway, but this isn't "drop everything and update now" urgent.
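The reasoning above (the affected method is not called, and no untrusted input reaches it) is an exposure triage. As an added example that is not desitarget's or astropy's own code, here is a small Python helper that checks a requirements pin against the version this PR bumps to and scans source text for calls to `TransformGraph.to_dot_graph`; the requirements and source samples are constructed, and `frame_transform_graph` is used only as a realistic `TransformGraph` instance.

```python
"""Exposure triage for the astropy TransformGraph.to_dot_graph advisory (added example,
not desitarget code). Assumes the fix is the version this PR bumps to, 5.3.3."""
import re

FIXED_VERSION = (5, 3, 3)      # astropy version this PR bumps to
VULN_API = "to_dot_graph"      # TransformGraph method named in the thread

# Constructed sample inputs, not the real desitarget files.
SAMPLE_REQUIREMENTS = "numpy\nastropy==5.0\nfitsio\n"
SAMPLE_SOURCES = {
    "targets.py": "from astropy.coordinates import SkyCoord\n"
                  "c = SkyCoord(1, 2, unit='deg')\n",
    "debug_plot.py": "from astropy.coordinates import frame_transform_graph\n"
                     "# frame_transform_graph is a TransformGraph instance\n"
                     "print(frame_transform_graph.to_dot_graph())\n",
}

def parse_version(text):
    """'5.0' -> (5, 0, 0); pads so a short version compares against x.y.z."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple((parts + [0, 0, 0])[:3])

def pinned_astropy(requirements_text):
    """Return (operator, version tuple) for the astropy line, or None."""
    for line in requirements_text.splitlines():
        m = re.match(r"\s*astropy\s*(==|>=|<=|<|>)\s*([\d.]+)", line)
        if m:
            return m.group(1), parse_version(m.group(2))
    return None

def pin_is_vulnerable(requirements_text):
    """True only for an exact pin below the fix. A '>=' pin or no pin lets the
    resolver pick a fixed release, so confirm the installed version instead."""
    pin = pinned_astropy(requirements_text)
    return pin is not None and pin[0] == "==" and pin[1] < FIXED_VERSION

def find_api_uses(sources):
    """(filename, line_no) for every non-comment line naming the method."""
    return [(name, n) for name, text in sources.items()
            for n, line in enumerate(text.splitlines(), 1)
            if VULN_API in line and not line.lstrip().startswith("#")]

def triage(requirements_text, sources):
    """Exposure needs both a vulnerable pin and an actual call site; a pin
    alone (as this thread concludes) is a maintenance task, not an exposure."""
    vuln, uses = pin_is_vulnerable(requirements_text), find_api_uses(sources)
    return {"pin_vulnerable": vuln, "api_uses": uses, "exposed": vuln and bool(uses)}

if __name__ == "__main__":
    print(triage(SAMPLE_REQUIREMENTS, SAMPLE_SOURCES))
```

Run it against a real tree by reading `requirements.txt` and the `.py` files into the same shapes; a `pin_vulnerable` result with an empty `api_uses` list is exactly the "upgrade eventually, not urgently" case described in the thread.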

geordie666 commented 5 months ago

@sbailey: Are you suggesting that we don't merge this PR and/or that we close it? Or are you suggesting we just hold off on this PR until we think we're ready to upgrade astropy in a more general way?

sbailey commented 5 months ago

Given that tests pass, this PR is only for requirements.txt, and AFAIK that file isn't used by our NERSC desiInstall-based module installations, this is probably harmless to merge if you'd like. We'll need more general/holistic testing for astropy 5.3.3 in the next 2 weeks prior to Jura anyway.