New release with updated dependencies?

[amotl]

Problem

@hammerhead reported that crash==0.35.1 comes bundled with urllib3==2.1.0, which bears the following CVEs:

• CVE-2025-66418: Fixed in version 2.6.0
• CVE-2025-66471: Fixed in version 2.6.0
• CVE-2025-50181: Fixed in version 2.5.0

References

• https://github.com/crate/support/issues/787

[amotl]

I don't know if a previous version of crate-python limited urllib3 as a runtime dependency. In any case, the testing dependency was relaxed recently, release pending.

• Tests: Modernize X.509 certificates, including Authority Key Identifiers crate-python#754

[hammerhead]

Thanks for the 0.32.0 release yesterday.

I noticed that https://cratedb.com/versions.json does not reflect the new version yet, it still contains "crash": "0.31.5",. Hence the Docker image still pulls that version.

[amotl]

Thanks for the report. Most possibly, the update_versions job needs to be invoked once after the source file was updated successfully. Can you do it?

• https://github.com/crate/distribute/pull/821

[amotl]

@mfussenegger, @matriv: I think the update_versions job will usually be invoked within the CrateDB release pipeline. Can you possibly commandeer it manually?

[matriv]

I've just ran it again: https://jenkins.crate.io/job/CrateDB/job/Release/job/update_versions/245/ but crash is still on 0.31.5: https://cratedb.com/versions.json

[amotl]

Thanks. The resource could have been cached by Fastly, but I just purged it and it's still displaying the old version. So, is there a bug somewhere on the re-generate+publish procedure, or are we just failing to invoke the right job?