Update dependencies

[dijital20]

Changes

• Updated third party dependencies.
• Added the CI Check workflow we're using in other repos to run on PR. It does a check of the dependencies for CVEs and gives a scorecard.

[github-actions[bot]]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

License Issues

requirements.txt

Package	Version	License	Issue Type
aiohttp	3.10.3	Null	Unknown License

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	4.*.*	:green_circle: 7.2	Details Check Score Reason Code-Review :green_circle: 10 all changesets reviewed Maintained :green_circle: 7 9 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 7 CII-Best-Practices :warning: 0 no effort to earn an OpenSSF best practices badge detected License :green_circle: 10 license file detected Binary-Artifacts :green_circle: 10 no binaries found in the repo Dangerous-Workflow :green_circle: 10 no dangerous workflow patterns detected Token-Permissions :warning: 0 detected GitHub workflow tokens with excessive permissions Fuzzing :warning: 0 project is not fuzzed Signed-Releases :warning: -1 no releases found Branch-Protection :warning: -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy :green_circle: 9 security policy file detected Pinned-Dependencies :green_circle: 4 dependency not pinned by hash detected -- score normalized to 4 Packaging :green_circle: 10 packaging workflow detected SAST :green_circle: 10 SAST tool is run on all commits Vulnerabilities :green_circle: 9 1 existing vulnerabilities detected
actions/actions/dependency-review-action	4.*.*	:green_circle: 7.2	Details Check Score Reason Code-Review :green_circle: 10 all changesets reviewed Maintained :green_circle: 10 30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices :warning: 0 no effort to earn an OpenSSF best practices badge detected License :green_circle: 10 license file detected Branch-Protection :warning: -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases :warning: -1 no releases found Dangerous-Workflow :green_circle: 10 no dangerous workflow patterns detected Packaging :warning: -1 packaging workflow not detected Security-Policy :green_circle: 9 security policy file detected Token-Permissions :warning: 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts :green_circle: 10 no binaries found in the repo Pinned-Dependencies :warning: 1 dependency not pinned by hash detected -- score normalized to 1 Fuzzing :warning: 0 project is not fuzzed SAST :green_circle: 9 SAST tool detected but not run on all commits Vulnerabilities :green_circle: 10 0 existing vulnerabilities detected
pip/aiohappyeyeballs	2.3.5	Unknown	Unknown
pip/aiohttp	3.10.3	:green_circle: 6.7	Details Check Score Reason Code-Review :green_circle: 3 Found 4/12 approved changesets -- score normalized to 3 Maintained :green_circle: 10 30 commit(s) and 22 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices :warning: 0 no effort to earn an OpenSSF best practices badge detected License :green_circle: 9 license file detected Branch-Protection :warning: -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Dangerous-Workflow :green_circle: 10 no dangerous workflow patterns detected Binary-Artifacts :green_circle: 10 no binaries found in the repo Token-Permissions :warning: 0 detected GitHub workflow tokens with excessive permissions Vulnerabilities :green_circle: 10 0 existing vulnerabilities detected Fuzzing :green_circle: 10 project is fuzzed Signed-Releases :warning: 1 1 out of the last 5 releases have a total of 1 signed artifacts. Security-Policy :green_circle: 10 security policy file detected Pinned-Dependencies :warning: 0 dependency not pinned by hash detected -- score normalized to 0 Packaging :green_circle: 10 packaging workflow detected SAST :green_circle: 8 SAST tool detected but not run on all commits
pip/attrs	24.2.0	:green_circle: 7.4	Details Check Score Reason Code-Review :warning: 0 Found 2/29 approved changesets -- score normalized to 0 Maintained :green_circle: 10 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices :green_circle: 5 badge detected: Passing License :green_circle: 10 license file detected Signed-Releases :warning: -1 no releases found Security-Policy :green_circle: 10 security policy file detected Branch-Protection :warning: -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Dangerous-Workflow :green_circle: 10 no dangerous workflow patterns detected Binary-Artifacts :green_circle: 10 no binaries found in the repo Token-Permissions :green_circle: 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies :warning: 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities :green_circle: 10 0 existing vulnerabilities detected Fuzzing :warning: 0 project is not fuzzed Packaging :green_circle: 10 packaging workflow detected SAST :green_circle: 7 SAST tool detected but not run on all commits
pip/certifi	2024.7.4	:green_circle: 6.5	Details Check Score Reason Code-Review :warning: 0 Found 0/2 approved changesets -- score normalized to 0 Maintained :green_circle: 8 10 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 8 CII-Best-Practices :warning: 0 no effort to earn an OpenSSF best practices badge detected Signed-Releases :warning: -1 no releases found License :green_circle: 9 license file detected Binary-Artifacts :green_circle: 10 no binaries found in the repo Dangerous-Workflow :green_circle: 10 no dangerous workflow patterns detected Security-Policy :green_circle: 10 security policy file detected Pinned-Dependencies :green_circle: 5 dependency not pinned by hash detected -- score normalized to 5 Token-Permissions :green_circle: 10 GitHub workflow tokens follow principle of least privilege Branch-Protection :green_circle: 3 branch protection is not maximal on development and all release branches Vulnerabilities :green_circle: 10 0 existing vulnerabilities detected Fuzzing :warning: 0 project is not fuzzed Packaging :green_circle: 10 packaging workflow detected SAST :warning: 0 SAST tool is not run on all commits -- score normalized to 0
pip/discord-py	2.4.0	:green_circle: 4.8	Details Check Score Reason Code-Review :green_circle: 6 Found 18/30 approved changesets -- score normalized to 6 Maintained :green_circle: 10 30 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices :warning: 0 no effort to earn an OpenSSF best practices badge detected License :green_circle: 10 license file detected Signed-Releases :warning: -1 no releases found Packaging :warning: -1 packaging workflow not detected Dangerous-Workflow :green_circle: 10 no dangerous workflow patterns detected Binary-Artifacts :green_circle: 8 binaries present in source code Branch-Protection :warning: 0 branch protection not enabled on development/release branches Token-Permissions :warning: 0 detected GitHub workflow tokens with excessive permissions Security-Policy :warning: 0 security policy file not detected Pinned-Dependencies :warning: 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing :warning: 0 project is not fuzzed Vulnerabilities :green_circle: 10 0 existing vulnerabilities detected SAST :warning: 0 SAST tool is not run on all commits -- score normalized to 0
pip/idna	3.7	:green_circle: 6.7	Details Check Score Reason Binary-Artifacts :green_circle: 10 no binaries found in the repo Branch-Protection :warning: -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests :green_circle: 10 11 out of 11 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices :warning: 0 no effort to earn an OpenSSF best practices badge detected Code-Review :green_circle: 3 found 11 unreviewed changesets out of 16 -- score normalized to 3 Contributors :green_circle: 10 41 different organizations found -- score normalized to 10 Dangerous-Workflow :green_circle: 10 no dangerous workflow patterns detected Dependency-Update-Tool :warning: 0 no update tool detected Fuzzing :green_circle: 10 project is fuzzed License :green_circle: 10 license file detected Maintained :green_circle: 6 7 commit(s) out of 30 and 1 issue activity out of 30 found in the last 90 days -- score normalized to 6 Packaging :warning: -1 no published package detected Pinned-Dependencies :warning: -1 internal error: internal error: unable to determine OS for job: SAST :green_circle: 4 SAST tool is not run on all commits -- score normalized to 4 Security-Policy :green_circle: 10 security policy file detected Signed-Releases :warning: 0 0 out of 1 artifacts are signed or have provenance Token-Permissions :green_circle: 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities :green_circle: 10 no vulnerabilities detected
pip/requests	2.32.3	:green_circle: 8.6	Details Check Score Reason Maintained :green_circle: 10 22 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10 Code-Review :green_circle: 10 all changesets reviewed CII-Best-Practices :warning: 0 no effort to earn an OpenSSF best practices badge detected License :green_circle: 10 license file detected Branch-Protection :warning: -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases :warning: 0 Project has not signed or included provenance with any releases. Packaging :warning: -1 packaging workflow not detected Security-Policy :green_circle: 10 security policy file detected Binary-Artifacts :green_circle: 10 no binaries found in the repo Token-Permissions :green_circle: 10 GitHub workflow tokens follow principle of least privilege Dangerous-Workflow :green_circle: 10 no dangerous workflow patterns detected Pinned-Dependencies :green_circle: 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing :green_circle: 10 project is fuzzed Vulnerabilities :green_circle: 10 0 existing vulnerabilities detected SAST :green_circle: 10 SAST tool is run on all commits
pip/urllib3	2.2.2	:green_circle: 9.1	Details Check Score Reason Binary-Artifacts :green_circle: 10 no binaries found in the repo Branch-Protection :green_circle: 5 branch protection is not maximal on development and all release branches CI-Tests :green_circle: 10 29 out of 29 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices :green_circle: 5 badge detected: Passing Code-Review :green_circle: 9 Found 21/22 approved changesets -- score normalized to 9 Contributors :green_circle: 10 project has 106 contributing companies or organizations Dangerous-Workflow :green_circle: 10 no dangerous workflow patterns detected Dependency-Update-Tool :green_circle: 10 update tool detected Fuzzing :green_circle: 10 project is fuzzed License :green_circle: 10 license file detected Maintained :green_circle: 10 23 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10 Packaging :green_circle: 10 packaging workflow detected Pinned-Dependencies :green_circle: 5 dependency not pinned by hash detected -- score normalized to 5 SAST :green_circle: 10 SAST tool is run on all commits Security-Policy :green_circle: 10 security policy file detected Signed-Releases :green_circle: 8 4 out of the last 5 releases have a total of 4 signed artifacts. Token-Permissions :green_circle: 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities :green_circle: 10 0 existing vulnerabilities detected

Scanned Manifest Files

.github/workflows/check.yml

• actions/checkout@4.*.*
• actions/dependency-review-action@4.*.*

requirements.txt

• aiohttp@3.9.3
• idna@3.6
• requests@2.31.0
• urllib3@2.2.1
• certifi@2024.2.2
• aiohappyeyeballs@2.3.5
• aiohttp@3.10.3
• attrs@24.2.0
• certifi@2024.7.4
• discord-py@2.4.0
• idna@3.7
• requests@2.32.3
• urllib3@2.2.2
• async-timeout@4.0.3
• attrs@23.2.0
• discord-py@2.3.2