Merge main into production Nov24 #71
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Adds shelved and published dates for books and their imported reviews. Provides option to create new (custom) shelves when importing books. fixes bookwyrm-social#3004 fixes bookwyrm-social#2846 fixes bookwyrm-social#2666 fixes bookwyrm-social#2411
Explicitly give codeql-analysis action the security-events: write permission so it still works even when the default GitHub Actions token is set to read-only.
* Bump versions * Bump back Pillow due to test failure * Bump setuptools
The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-DJANGO-5880505 - https://snyk.io/vuln/SNYK-PYTHON-DJANGO-5932095 - https://snyk.io/vuln/SNYK-PYTHON-DJANGO-6041515 - https://snyk.io/vuln/SNYK-PYTHON-DJANGO-6230369 - https://snyk.io/vuln/SNYK-PYTHON-DJANGO-6370660 - https://snyk.io/vuln/SNYK-PYTHON-OPENTELEMETRYINSTRUMENTATION-5926995 - https://snyk.io/vuln/SNYK-PYTHON-PILLOW-5918878 - https://snyk.io/vuln/SNYK-PYTHON-PILLOW-6043904 - https://snyk.io/vuln/SNYK-PYTHON-PILLOW-6182918 - https://snyk.io/vuln/SNYK-PYTHON-PILLOW-6219984 - https://snyk.io/vuln/SNYK-PYTHON-PILLOW-6219986 - https://snyk.io/vuln/SNYK-PYTHON-SETUPTOOLS-3180412
Reapplying the additional permission added to this fork in commit aaa31b4, which was reverted as part of our last sync to main. We want to keep this permission so we can get security alerts from the CodeQL Action.
The Pillow version bump recommended here is going to require other code changes, and shouldn't be handled as part of a bulk maintenance-task merge. I'd like to see if we can take the rest of these security upgrades without it, though.
Adding opentelemetry-instrumentation>=0.41b0 as snyk recommended broke out opentelemetry-instrumentation-* packages, so this time I removed the dependency snyk had added and instead bumped the versions on our opentelemetry-instrumentation-*s
The opentelemetry-sdk at 1.16.0 had a dependency that conflicted with the versions required by opentelemetry-instrumentation-* packages at versions we'd like to upgrade to for security reasons, so we'll need to upgrade opentelemetry-sdk too.
We had pinned grpcio to get a security fix, but we're not on versions of other packages that would like to use a higher version of grpcio than we had pinned. Therefore, it's probably time to remove that temporary pin.
This reverts commit 52e660c.
Similarly to the previous bump of an opentelemetry package from 1.16 to 1.23 to go with the new versions of opentelemetry-instrumentation, this one is also causing a dependency conflict
…n needed for security rather than keep -sdk et al back a little more
Added this troubleshooting document that's mostly just notes to myself. Maybe it's useful to find places to add some of this in the project-level docs, but some of it may also already be covered, and it's definitely all stuff that should be obvious, but since I keep forgetting to doublecheck these things, let's make a list!
The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-BLACK-6256273 Co-authored-by: snyk-bot <[email protected]>
The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-SQLPARSE-6615674
Explicitly give codeql-analysis action the security-events: write permission so it still works even when the default GitHub Actions token is set to read-only.
* Bump versions * Bump back Pillow due to test failure * Bump setuptools
Catch Us Up to Upstream
…2009743df [Snyk] Security upgrade sqlparse from 0.4.4 to 0.5.0
…5bf2cc504 [Snyk] Fixes for Opentelemetry-related vulnerabilities: opentelemetry-api==1.22.0 opentelemetry-exporter-otlp-proto-grpc==1.22.0 opentelemetry-instrumentation-celery==0.43b0 opentelemetry-instrumentation-django==0.43b0 opentelemetry-instrumentation-psycopg2==0.43b0 opentelemetry-sdk==1.22.0
The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-REQUESTS-6928867
Bumps [django](https://github.com/django/django) from 4.2.15 to 4.2.16. - [Commits](django/django@4.2.15...4.2.16) --- updated-dependencies: - dependency-name: django dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]>
Change PeriodicTask.objects.get_or_create() to PeriodicTask.objects.update_or_create(). This change prevents a potential IntegrityError when creating a periodic task due to duplicate primary key. By using update_or_create, if the record already exists, it will be updated instead of attempting to insert a new record with the same primary key, ensuring the process completes without error.
Supporting Wikidata is very wonderful. And how about make Wikidata link visible on author page? Modified bookwyrm\templates\author\author.html
sign all AP requests
add test for resolving users with aliases
Fix IntegrityError caused by duplicate periodic task creation
show Wikidata link on author page
…ocales Update locales
…ot/pip/django-4.2.16 Bump django from 4.2.15 to 4.2.16
Fix post dates being inconsistent
fix failing test from bookwyrm-social#3432
…0e7c88873 [Snyk] Security upgrade zipp from 3.15.0 to 3.19.1
…9384e1fa9 [Snyk] Security upgrade urllib3 from 2.0.7 to 2.2.2
…4047227f7 [Snyk] Security upgrade setuptools from 68.0.0 to 70.0.0
…3a278626f [Snyk] Fix for 19 vulnerabilities
|
Guess who got tricked by the arrow in the GitHub Web UI yet again! I'll file another PR that actually goes the direction I intended instead of this. |
Or nevermind, I did do it right, but if I can't keep track of git merge directionality I'm too tired for git, so the conflict resolution is a project for another day. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR will merge our current main into our current production; both were synced with upstream, then I merged some security upgrades into our main. Upstream production is behind upstream main, so this will both bring our production up to upstream main and also add the new security fixes.
What type of Pull Request is this?
Does this PR change settings or dependencies, or break something?
Details of breaking or configuration changes (if any of above checked)
The only things I intend to change here are dependencies, including upgrades to setuptools and pinning several indirect dependency versions. There may be changes to config or other breaking changes as merged from upstream.
Documentation
N/A; no functional changes being made here distinct from upstream, documentation should be handled at the point where changes occur.
Tests