update stac, weaver, magpie, twitcher, cowbird - security fixes for EOL Python and http-related libraires (#622)

fmigneault · web-flow · commit 5aa472a79980 · 2026-02-17T17:15:34.000-05:00
## Overview Update multiple components with corresponding updates of `urllib`, `requests`, etc. At the same time, bump to Python 3.13 versions as applicable. ## Changes **Non-breaking changes** - STAC API: Security update, minor OpenAPI version reporting fixes, and `stac-fastapi`/`starlette` compatibility fix using [2.3.0](https://github.com/crim-ca/stac-app/releases/tag/2.3.0) - relates to crim-ca/stac-app#65 - relates to crim-ca/stac-app#69 - relates to crim-ca/stac-app#74 - Cowbird: Security update to version [2.6.0](https://github.com/Ouranosinc/cowbird/releases/tag/2.6.0) - relates to Ouranosinc/cowbird#98 - Magpie: Security update to version [4.3.0](https://github.com/Ouranosinc/Magpie/releases/tag/4.3.0) - relates to Ouranosinc/Magpie#640 - relates to Ouranosinc/Magpie#642 - Twitcher: Security update to version [0.11.0](https://github.com/bird-house/twitcher/releases/tag/v0.11.0) - relates to bird-house/twitcher#143 - relates to bird-house/twitcher#145 - relates to bird-house/twitcher#146 - relates to bird-house/twitcher#148 - Weaver: Security and dependency fix update using version [6.8.3](https://github.com/crim-ca/weaver/releases/tag/6.8.3) - relates to crim-ca/weaver#868 - relates to crim-ca/weaver#869 - relates to crim-ca/weaver#877 - relates to crim-ca/weaver#881 - Weaver: Update `post-docker-compose-up` script. - Handle multiple Magpie cookies in response. This can happen depending on specific internal HTTP libraries versions of the services. To retain backward/forward compatibility, all cookies returned from Magpie are chained in following `curl` commands. - Use birdhouse `log` utility to report operations produced by the script rather than custom "echo level". - Weaver: Job Result Proxy Buffers - The *Job Results* responses of `weaver` can return a lot of `Link` headers. This is done to provide job metadata references and provenance traceability details, but also for actual results locations that can vary in quantity depending on the actual process execution. Therefore, the Ngnix `proxy_buffer_size` and `proxy_buffers` directives of the `proxy` service must be added with sufficiently large values to avoid HTTP 502 errors when the response headers exceed the default buffer sizes. The `WEAVER_PROXY_RESPONSE_BUFFER_SIZE` and `WEAVER_PROXY_RESPONSE_BUFFER_COUNT` variables are added to allow further customization as needed by the server. Their defaults are reasonable values to meet minimal requirements by `weaver`'s metadata `Link` and a few result outputs. - Birdhouse: Allow `log <LEVEL> -n ...` and `log <LEVEL> -p ...` to generate log outputs without newline/prefixes. These options allow writing multiple log entries onto the same line for correct visual rendering of distinct `log` calls separated to allow some intermediate logic. The `log` function invocations with these options respect the log levels in order to make the messages consistent with enabled redirections and verbosity. **Breaking changes** - n/a
diff --git a/.bumpversion.toml b/.bumpversion.toml
@@ -1,5 +1,5 @@
 [tool.bumpversion]
-current_version = "2.23.0"
+current_version = "2.23.1"
 commit = true
 message = "Bump version: {current_version} → {new_version} [skip ci]"
 tag = false
diff --git a/CHANGES.md b/CHANGES.md
@@ -17,6 +17,58 @@
 
 [//]: # (list changes here, using '-' for each new entry, remove this when items are added)
 
+[2.23.1](https://github.com/bird-house/birdhouse-deploy/tree/2.23.1) (2026-02-17)
+------------------------------------------------------------------------------------------------------------------
+
+## Changes
+
+- STAC API: Security update, minor OpenAPI version reporting fixes, and `stac-fastapi`/`starlette` compatibility fix
+  using version [2.3.0](https://github.com/crim-ca/stac-app/releases/tag/2.3.0)
+  (relates to [crim-ca/stac-app#65](https://github.com/crim-ca/stac-app/pull/65),
+  [crim-ca/stac-app#69](https://github.com/crim-ca/stac-app/pull/69) and
+  [crim-ca/stac-app#74](https://github.com/crim-ca/stac-app/pull/74)).
+
+- Cowbird: Security update using version [2.6.0](https://github.com/Ouranosinc/cowbird/releases/tag/2.6.0)
+  (relates to [Ouranosinc/cowbird#98](https://github.com/Ouranosinc/cowbird/pull/98)).
+
+- Magpie: Security update using version [4.3.1](https://github.com/Ouranosinc/Magpie/releases/tag/4.3.1)
+  (relates to [Ouranosinc/Magpie#640](https://github.com/Ouranosinc/Magpie/pull/640)
+  and [Ouranosinc/Magpie#642](https://github.com/Ouranosinc/Magpie/pull/642)).
+
+- Twitcher: Security update using version [0.11.0](https://github.com/bird-house/twitcher/releases/tag/v0.11.0)
+  (relates to [bird-house/twitcher#143](https://github.com/bird-house/twitcher/pull/143),
+  [bird-house/twitcher#145](https://github.com/bird-house/twitcher/pull/145),
+  [bird-house/twitcher#146](https://github.com/bird-house/twitcher/pull/146) and
+  [bird-house/twitcher#148](https://github.com/bird-house/twitcher/pull/148)).
+
+- Weaver: Security and dependency fix update using version [6.8.3](https://github.com/crim-ca/weaver/releases/tag/6.8.3)
+  (relates to [crim-ca/weaver#868](https://github.com/crim-ca/weaver/pull/868),
+  [crim-ca/weaver#869](https://github.com/crim-ca/weaver/pull/869),
+  [crim-ca/weaver#877](https://github.com/crim-ca/weaver/pull/877) and
+  [crim-ca/weaver#881](https://github.com/crim-ca/weaver/pull/881)).
+
+- Weaver: Update `post-docker-compose-up` script.
+  - Handle multiple Magpie cookies in response.
+    This can happen depending on specific internal HTTP libraries versions of the services.
+    To retain backward/forward compatibility, all cookies returned from Magpie are chained in following `curl` commands.
+  - Use birdhouse `log` utility to report operations produced by the script rather than custom "echo level".
+
+- Weaver: Job Result Proxy Buffers
+  - The *Job Results* responses of `weaver` can return a lot of `Link` headers. This is done to provide job metadata
+    references and provenance traceability details, but also for actual results locations that can vary in quantity
+    depending on the actual process execution.
+    Therefore, the Ngnix `proxy_buffer_size` and `proxy_buffers` directives of the `proxy` service must be added with
+    sufficiently large values to avoid HTTP 502 errors when the response headers exceed the default buffer sizes.
+    The `WEAVER_PROXY_RESPONSE_BUFFER_SIZE` and `WEAVER_PROXY_RESPONSE_BUFFER_COUNT` variables are added to allow
+    further customization as needed by the server. Their defaults are reasonable values to meet minimal requirements
+    by `weaver`'s metadata `Link` and a few result outputs.
+
+- Birdhouse: Allow `log <LEVEL> -n ...` and `log <LEVEL> -p ...` to generate log outputs without newline/prefixes.
+  
+  These options allow writing multiple log entries onto the same line for correct visual rendering of distinct `log`
+  calls separated to allow some intermediate logic. The `log` function invocations with these options respect the
+  log levels in order to make the messages consistent with enabled redirections and verbosity.
+
 [2.23.0](https://github.com/bird-house/birdhouse-deploy/tree/2.23.0) (2026-02-13)
 ------------------------------------------------------------------------------------------------------------------
 
diff --git a/Makefile b/Makefile
@@ -8,7 +8,7 @@ override BIRDHOUSE_MAKE_DIR := $(shell realpath -P $$(dirname $(BIRDHOUSE_MAKE_C
 # Generic variables
 override SHELL       := bash
 override APP_NAME    := birdhouse-deploy
-override APP_VERSION := 2.23.0
+override APP_VERSION := 2.23.1
 
 # utility to remove comments after value of an option variable
 override clean_opt = $(shell echo "$(1)" | $(_SED) -r -e "s/[ '$'\t'']+$$//g")
diff --git a/README.rst b/README.rst
@@ -18,13 +18,13 @@ for a full-fledged production platform.
     * - citation
       - | |citation|
 
-.. |commits-since| image:: https://img.shields.io/github/commits-since/bird-house/birdhouse-deploy/2.23.0.svg
+.. |commits-since| image:: https://img.shields.io/github/commits-since/bird-house/birdhouse-deploy/2.23.1.svg
     :alt: Commits since latest release
-    :target: https://github.com/bird-house/birdhouse-deploy/compare/2.23.0...master
+    :target: https://github.com/bird-house/birdhouse-deploy/compare/2.23.1...master
 
-.. |latest-version| image:: https://img.shields.io/badge/tag-2.23.0-blue.svg?style=flat
+.. |latest-version| image:: https://img.shields.io/badge/tag-2.23.1-blue.svg?style=flat
     :alt: Latest Tag
-    :target: https://github.com/bird-house/birdhouse-deploy/tree/2.23.0
+    :target: https://github.com/bird-house/birdhouse-deploy/tree/2.23.1
 
 .. |readthedocs| image:: https://readthedocs.org/projects/birdhouse-deploy/badge/?version=latest
     :alt: ReadTheDocs Build Status (latest version)
diff --git a/RELEASE.txt b/RELEASE.txt
@@ -1 +1 @@
-2.23.0 2026-02-13T00:28:48Z
+2.23.1 2026-02-17T22:14:37Z
diff --git a/bin/birdhouse b/bin/birdhouse
@@ -228,7 +228,7 @@ print_config_command() {
 }
 
 print_log_command() {
-  echo ". ${COMPOSE_DIR}/scripts/logging.include.sh"
+  echo "export __BIRDHOUSE_SUPPORTED_INTERFACE=True ; . ${COMPOSE_DIR}/scripts/logging.include.sh"
 }
 
 # Support multiple short flags together (ex: -abc instead of -a -b -c)
diff --git a/birdhouse/components/README.rst b/birdhouse/components/README.rst
@@ -13,7 +13,7 @@ service but this runs in docker containers and is specifically designed to inter
 Birdhouse stack.
 
 Available jobs
--------------
+--------------
 
 Scheduler jobs can be enabled by enabling optional components. Birdhouse comes with a variety of
 these jobs in the ``optional-components`` directory. To enable any of these jobs, add the relevant
@@ -623,6 +623,29 @@ Customizing the Component
     entirely, the ``WEAVER_ALT_PREFIX`` variable should be explicitly set to an empty value.
 
 
+Managing Large Job Results
+--------------------------
+
+The `Job Results <https://pavics-weaver.readthedocs.io/en/latest/processes.html#job-results>`_ responses from `Weaver`
+can return a lot of ``Link`` headers. This is done to provide job metadata references and provenance traceability
+details, but also for actual results locations that can vary in quantity depending on the actual process execution.
+
+By default, the Ngnix `proxy_buffer_size <https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size>`_
+and `proxy_buffers <https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers>`_ directives of
+the ``proxy`` service are added to the `Weaver` API endpoints with sufficiently large values to avoid HTTP 502 errors
+when the response headers exceed the default buffer sizes.
+
+If your processes happen to generate even larger results (e.g.: they return many NetCDF files from batch processing),
+you may need to further increase these buffer sizes using
+the ``WEAVER_PROXY_RESPONSE_BUFFER_SIZE`` and ``WEAVER_PROXY_RESPONSE_BUFFER_COUNT`` variables.
+
+If your processes generate a *very large* number of results, you may also want to consider
+alternate *content negotiation strategies* as described in
+the `Job Results <https://pavics-weaver.readthedocs.io/en/latest/processes.html#job-results>`_
+and `Process Execution Results <https://pavics-weaver.readthedocs.io/en/latest/processes.html#proc-exec-results>`_
+sections of the `Weaver` documentation. Certain execution request parameters can be explicitly provided to limit
+the number of returned headers and their representation in the responses.
+
 .. _finch: https://github.com/bird-house/finch
 .. _flyingpigeon: https://github.com/bird-house/flyingpigeon
 .. _Weaver: https://github.com/crim-ca/weaver
diff --git a/birdhouse/components/canarie-api/docker_configuration.py.template b/birdhouse/components/canarie-api/docker_configuration.py.template
@@ -108,8 +108,8 @@ SERVICES = {
             # NOTE:
             #   Below version and release time auto-managed by 'make VERSION=x.y.z bump'.
             #   Do NOT modify it manually. See 'Tagging policy' in 'birdhouse/README.rst'.
-            'version': '2.23.0',
-            'releaseTime': '2026-02-13T00:28:48Z',
+            'version': '2.23.1',
+            'releaseTime': '2026-02-17T22:14:37Z',
             'institution': '${BIRDHOUSE_INSTITUTION}',
             'researchSubject': '${BIRDHOUSE_SUBJECT}',
             'supportEmail': '${BIRDHOUSE_SUPPORT_EMAIL}',
@@ -141,8 +141,8 @@ PLATFORMS = {
             # NOTE:
             #   Below version and release time auto-managed by 'make VERSION=x.y.z bump'.
             #   Do NOT modify it manually. See 'Tagging policy' in 'birdhouse/README.rst'.
-            'version': '2.23.0',
-            'releaseTime': '2026-02-13T00:28:48Z',
+            'version': '2.23.1',
+            'releaseTime': '2026-02-17T22:14:37Z',
             'institution': '${BIRDHOUSE_INSTITUTION}',
             'researchSubject': '${BIRDHOUSE_SUBJECT}',
             'supportEmail': '${BIRDHOUSE_SUPPORT_EMAIL}',
diff --git a/birdhouse/components/cowbird/default.env b/birdhouse/components/cowbird/default.env
@@ -29,7 +29,7 @@ VARS="$VARS $EXTRA_VARS"
 # Cowbird Configuration
 # =====================
 
-export COWBIRD_VERSION="2.5.2"
+export COWBIRD_VERSION="2.6.0"
 export COWBIRD_DOCKER=pavics/cowbird
 export COWBIRD_IMAGE='${COWBIRD_DOCKER}:${COWBIRD_VERSION}'
 export COWBIRD_IMAGE_API='${COWBIRD_IMAGE}-webservice'
diff --git a/birdhouse/components/magpie/default.env b/birdhouse/components/magpie/default.env
@@ -5,7 +5,7 @@
 # are applied and must be added to the list of DELAYED_EVAL.
 
 # Tag version that will be used to update Magpie API, Magpie CLI, and matching Twitcher with Magpie Adapter
-export MAGPIE_VERSION=4.2.0
+export MAGPIE_VERSION=4.3.1
 export MAGPIE_IMAGE='pavics/magpie:${MAGPIE_VERSION}'
 export MAGPIE_IMAGE_URI='registry.hub.docker.com/${MAGPIE_IMAGE}'
 
diff --git a/birdhouse/components/stac/default.env b/birdhouse/components/stac/default.env
@@ -17,8 +17,10 @@ export STAC_PGPASSWORD='${BIRDHOUSE_POSTGRES_PASSWORD}'
 #   crim-ca/stac-app:1.0.0 uses STAC-fastapi version 3.0.3 with pgstac 0.6.10 (techically >=0.7,<0.8, but 0.6 works)
 #   crim-ca/stac-app:1.1.0 uses STAC-fastapi version 5.2.0 with pgstac 0.9.6 (techically >=0.8,<0.10)
 #   crim-ca/stac-app:2.0.1 uses STAC-fastapi version 6.0.0 with pgstac 0.9.6+ (techically >=0.8,<0.10)
-export STAC_VERSION=6.0.0-crim-2.1.0
-export STAC_IMAGE='ghcr.io/crim-ca/stac-app:2.1.0'
+export STAC_FASTAPI_PACKAGE_VERSION="6.2.1" # informative only
+export STAC_APP_DOCKER_VERSION="2.3.0"      # actual image tag 
+export STAC_VERSION='${STAC_FASTAPI_PACKAGE_VERSION}-crim-${STAC_APP_DOCKER_VERSION}'
+export STAC_IMAGE='ghcr.io/crim-ca/stac-app:${STAC_APP_DOCKER_VERSION}'
 export STAC_IMAGE_URI='${STAC_IMAGE}'
 export STAC_LICENSE_URL='https://raw.githubusercontent.com/crim-ca/stac-app/refs/heads/main/LICENSE'
 export STAC_OPENAPI_SPEC_PATH='/api'
@@ -95,6 +97,7 @@ export DELAYED_EVAL="
   STAC_POSTGRES_PASSWORD
   STAC_PGUSER
   STAC_PGPASSWORD
+  STAC_VERSION
   STAC_IMAGE
   STAC_IMAGE_URI
   STAC_DB_TAGGED
diff --git a/birdhouse/components/twitcher/default.env b/birdhouse/components/twitcher/default.env
@@ -5,7 +5,7 @@
 #   This is because Twitcher must be built with the MagpieAdapter component.
 #   (https://github.com/Ouranosinc/Magpie/blob/master/Dockerfile.adapter)
 #   The following reference is only indicative for the 'service-config.json'.
-export TWITCHER_VERSION=0.10.0
+export TWITCHER_VERSION=0.11.1
 export TWITCHER_RELEASE='${TWITCHER_VERSION}-magpie-${MAGPIE_VERSION}'
 export TWITCHER_DOCKER=pavics/twitcher
 export TWITCHER_IMAGE='${TWITCHER_DOCKER}:magpie-${MAGPIE_VERSION}'
diff --git a/birdhouse/components/weaver/config/proxy/conf.extra-service.d/weaver.conf.template b/birdhouse/components/weaver/config/proxy/conf.extra-service.d/weaver.conf.template
@@ -33,6 +33,11 @@
         proxy_set_header X-Forwarded-Proto $real_scheme;
         proxy_set_header X-Forwarded-Host $http_host:$server_port;
         proxy_buffering off;
+        # allow larger buffer size for endpoints that return more metadata in headers
+        # even if (body) buffering is disabled above, headers are still buffered by nginx since it must process them
+        # notably, job results can return varying amount of metadata and per-output link headers if requested this way
+        proxy_buffer_size ${WEAVER_PROXY_RESPONSE_BUFFER_SIZE};
+        proxy_buffers ${WEAVER_PROXY_RESPONSE_BUFFER_COUNT} ${WEAVER_PROXY_RESPONSE_BUFFER_SIZE};
     }
 
     # NOTE:
diff --git a/birdhouse/components/weaver/default.env b/birdhouse/components/weaver/default.env
@@ -19,17 +19,19 @@ EXTRA_VARS='
   $WEAVER_MONGODB_URL
   $WEAVER_MANAGER_NAME
   $WEAVER_WORKER_NAME
+  $WEAVER_MANAGER_LOG_LEVEL
+  $WEAVER_WORKER_LOG_LEVEL
   $WEAVER_WPS_NAME
   $WEAVER_WPS_OUTPUTS_DIR
   $WEAVER_WPS_OUTPUTS_PATH
   $WEAVER_WPS_PATH
   $WEAVER_WPS_WORKDIR
-  $WEAVER_MANAGER_LOG_LEVEL
-  $WEAVER_WORKER_LOG_LEVEL
   $WEAVER_WPS_PROVIDERS_MAX_TIME
   $WEAVER_WPS_PROVIDERS_RETRY_COUNT
   $WEAVER_WPS_PROVIDERS_RETRY_AFTER
   $WEAVER_ALT_PREFIX_PROXY_LOCATION
+  $WEAVER_PROXY_RESPONSE_BUFFER_SIZE
+  $WEAVER_PROXY_RESPONSE_BUFFER_COUNT
 '
 # extend the original 'VARS' from 'birdhouse/birdhouse-compose.sh' to employ them for template substitution
 # adding them to 'VARS', they will also be validated in case of override of 'default.env' using 'env.local'
@@ -55,7 +57,7 @@ OPTIONAL_VARS="
 export WEAVER_CONFIG=HYBRID
 
 # default release version that will be used to fetch docker images (API mananger & celery workers services)
-export WEAVER_VERSION=6.6.2
+export WEAVER_VERSION=6.8.3
 export WEAVER_DOCKER=pavics/weaver
 export WEAVER_IMAGE='${WEAVER_DOCKER}:${WEAVER_VERSION}'
 export WEAVER_MANAGER_IMAGE='${WEAVER_IMAGE}-manager'
@@ -73,12 +75,19 @@ export WEAVER_MONGODB_VERSION=5.0
 export WEAVER_MONGODB_HOST=weaver-mongodb
 export WEAVER_MONGODB_PORT=27017
 export WEAVER_MONGODB_URL='mongodb://${WEAVER_MONGODB_HOST}:${WEAVER_MONGODB_PORT}'
+# Data persistence location on the host
+export WEAVER_MONGODB_DATA_DIR='${BIRDHOUSE_DATA_PERSIST_ROOT}/mongodb_weaver_persist'
 
 # real names of the weaver/worker services
 # 'WEAVER_MANAGER_NAME' value will generate "<server-fqdn>/<name>" URI to access its API behind secured proxy
 # 'WEAVER_MANAGER_NAME' and 'WEAVER_WORKER_NAME' are also employed to define name of the containers in docker-compose
 export WEAVER_MANAGER_NAME=weaver
 export WEAVER_WORKER_NAME=weaver-worker
+
+# logging
+export WEAVER_MANAGER_LOG_LEVEL=INFO
+export WEAVER_WORKER_LOG_LEVEL=INFO
+
 # below is used to define a separate Magpie service that can protect the WPS-1 endpoint of Weaver
 # FIXME:
 #   remove when corresponding WPS-1/WPS-REST 'process' entries are managed under common service
@@ -116,9 +125,10 @@ export WEAVER_ALT_PREFIX_PROXY_LOCATION='
 ")
 '
 
-# logging
-export WEAVER_MANAGER_LOG_LEVEL=INFO
-export WEAVER_WORKER_LOG_LEVEL=INFO
+# nginx proxy buffer settings for weaver API
+# mainly to allow larger job results responses that can return multiple link headers to output files and metadata
+export WEAVER_PROXY_RESPONSE_BUFFER_SIZE=32k
+export WEAVER_PROXY_RESPONSE_BUFFER_COUNT=8
 
 # control maximum timeout to abandon registration (duration in seconds, across whole procedure)
 export WEAVER_WPS_PROVIDERS_MAX_TIME=120
@@ -127,8 +137,6 @@ export WEAVER_WPS_PROVIDERS_RETRY_COUNT=5
 # control interval time between retries (duration in seconds, counts toward maximum timeout)
 export WEAVER_WPS_PROVIDERS_RETRY_AFTER=5
 
-export WEAVER_MONGODB_DATA_DIR='${BIRDHOUSE_DATA_PERSIST_ROOT}/mongodb_weaver_persist'
-
 # If "True", Weaver providers that are no longer working (not responding when deployed) and are not named in
 # WEAVER_WPS_PROVIDERS will be unregistered. This is useful when deploying Weaver with fewer providers than a previous
 # deployment.
diff --git a/birdhouse/components/weaver/post-docker-compose-up b/birdhouse/components/weaver/post-docker-compose-up
diff --git a/birdhouse/scripts/logging.include.sh b/birdhouse/scripts/logging.include.sh
diff --git a/docs/source/conf.py b/docs/source/conf.py
diff --git a/tests/unit/test_logging.py b/tests/unit/test_logging.py

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-2.23.0 2026-02-13T00:28:48Z`
	`1`	`+2.23.1 2026-02-17T22:14:37Z`
Original file line number	Diff line number	Diff line change
`@@ -228,7 +228,7 @@ print_config_command() {`
`228`	`228`	`}`
`229`	`229`
`230`	`230`	`print_log_command() {`
`231`		`- echo ". ${COMPOSE_DIR}/scripts/logging.include.sh"`
	`231`	`+ echo "export __BIRDHOUSE_SUPPORTED_INTERFACE=True ; . ${COMPOSE_DIR}/scripts/logging.include.sh"`
`232`	`232`	`}`
`233`	`233`
`234`	`234`	`# Support multiple short flags together (ex: -abc instead of -a -b -c)`