Yesterday I updated urllib3 in all of the lock files in this repo to fix some security vulnerabilities. In infrahub_sdk and sync we were using version 2.x, and in Infrahub core we were using 1.x. It turns out that there were two vulnerabilities: one that was patched in both versions and another that was only patched in 2.x.
While trying to upgrade I noticed that botocore was the problem: https://github.com/boto/botocore/blob/1.34.129/setup.py#L28-L32
This PR removes Python 3.9 as an option in order to install a later version of boto3 in a way that allows the patched version of urllib3 to be installed: https://github.com/opsmill/infrahub/security/dependabot/24
(It could be that dependabot is incorrect in its findings here with regard to the impacted versions. But I think we're all on Python 3.10 or later, and we will never use 3.9 for our containers.)